Navigating DORA: How Continuous Penetration Testing Bolsters Your ICT Risk Management Framework and Contributes to Overall Compliance

The Digital Operational Resilience Act (DORA) is ushering in a new era of cybersecurity for the financial sector. With the European Supervisory Authorities (ESAs) poised to designate Critical Third-Party Providers (CTPPs) and the April 2025 Reports of Intent (RoI) deadline looming, demonstrating robust resilience is paramount.

Understanding DORA's Scope in relation to Autonomous Pentesting: A Multifaceted Challenge

DORA's comprehensive requirements, spanning CTPP oversight, digital operational resilience testing in regards to ICTs, and stringent protection and prevention measures, necessitate a multi-layered approach to compliance. Furthermore it outlines the essential components of an effective ICT risk management framework, emphasising its role as a cornerstone of digital operational resilience.

A Framework for Resilience

Article 6 (Chapter II) outlines the essential components of an effective ICT risk management framework, including:

• Comprehensive Strategies, Policies, and Procedures: Financial entities must establish well-documented strategies, policies, and procedures to protect information and ICT assets.
• Risk Minimisation and Incident Response: Implementing appropriate tools and protocols to minimise the impact of ICT risks and provide timely information to competent authorities.
• Independent Oversight and Audit: Assigning responsibility for ICT risk management to an independent control function, ensuring proper segregation of duties, and conducting regular internal audits.
• Continuous Improvement and Testing: Regularly reviewing and updating the framework, incorporating lessons learned from incidents and testing, and conducting digital operational resilience testing
• Digital Operational Resilience Strategy: Defining a clear strategy that aligns with business objectives, sets risk tolerance levels, and outlines incident communication protocols.
• ICT Multi-Vendor Strategy: Defining dependencies on ICT third party providers.
• Testing of ICT tools and systems

Chapter IV Article 25 breaks down testing of ICT tools and systems in more detail, highlighting the requirement for the ‘execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing’.

The Role of Specialised Solutions: Ethiack's Contribution

While a single vendor cannot provide a "silver bullet" for full DORA compliance due to the complexity and breadth of the regulations, specialised solutions like Ethiack play a crucial role in addressing specific requirements (helping companies to tick-off those boxes).

How Ethiack supports to tick off some of the requirements for:

• Digital Operational Resilience Testing
• Protection and Prevention
• Protecting Information and ICT Assets
• Minimising risk/Prevention of ICT Related Incidents
• DORA's Article 24, Chapter IV mandates independent testing, ensuring objectivity in critical asset evaluations. Ethiack's Elite Ethical Hackers, operating as external independent parties, provide this crucial impartiality, delivering rigorous testing that avoids internal conflicts of interest. This approach directly aligns with DORA's requirements, offering financial entities reliable and compliant security assessments.

Acknowledging the Broader Compliance Landscape:

It's important to recognise that DORA compliance involves a wide range of activities beyond penetration testing, including:

• Comprehensive risk assessments.
• Continuous monitoring of ICT systems.
• Effective incident response and recovery.
• Robust data protection and encryption.
• Rigorous change management.
• Third party risk management.

These activities often require a combination of tools, technologies, and expertise from various vendors.

Ethiack: A Valuable Piece of the Compliance Puzzle

Ethiack's autonomous penetration testing provides a valuable tool for financial institutions seeking to strengthen their cybersecurity posture and address specific DORA requirements. By focusing on continuous testing and providing detailed reporting, Ethiack helps organisations tick key compliance boxes and more importantly to find vulnerabilities through ethical hacking. These vulnerabilities often cannot be found by the usual scanning solutions

Key Deadlines

• By the end of April 2025: Financial entities must submit their Registers of Information (ROI) to their Competent Authorities. The ESAs will then collect this data.
• By end of July 2025: The ESAs will perform criticality assessments and notify third-party service providers if they are classified as critical.
• By the first half of September 2025: A hearing period will begin, during which ICT third-party service providers can object to their designation with a reasoned statement and supporting information.
• By the end of 2025: The ESAs will have finalised the designations of CTPPs, published the list of designated CTPPs, and started the oversight engagement.

Key Takeaways:

• DORA's extensive requirements necessitate a multi-faceted compliance approach.
• Ethiack contributes to compliance by addressing specific testing and protection requirements, as well as strengthening the ICT risk management framework.
• Financial institutions most likely have to utilise a range of tools and expertise to achieve full DORA compliance.
• Ethiack helps to provide evidence for compliance requirements through its reporting features.

Disclaimer: This information is for general knowledge and informational purposes only and does not constitute financial, investment, or legal advice.