How to prepare for the Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a crucial regulation within the European Union (EU) aimed at strengthening the digital resilience of financial entities. The framework is part of broader EU legislative efforts to ensure financial institutions can withstand, respond to and recover from any type of ICT (Information and Communication Technology) disruptions or incidents.

DORA mandates comprehensive security measures, including governance, risk management, incident reporting and third-party risk oversight, ensuring financial entities are digitally secure while delivering uninterrupted services.

What does Article 26 mean and what is the Advanced Intelligence-Led Penetration Testing Requirement?

Article 26.1 of DORA: “Financial entities [...] shall carry out at least every 3 years advanced testing by means of TLPT. Based on the risk profile of the financial entity and taking into account operational circumstances, the competent authority may, where necessary, request the financial entity to reduce or increase this frequency.”

DORA Article 26 is particularly significant because it introduces the requirement for advanced, intelligence-led penetration testing, known in DORA as threat-led penetration testing (TLPT). Under Article 26.1, quoted above, financial entities must conduct this testing at least once every three years to assess their resilience against sophisticated cyber threats. These tests are designed to simulate real-world attacks against live production systems, focusing on the entity's ability to detect, withstand and respond to the most advanced adversary tactics.

The frequency of this testing can be adjusted based on the entity's risk profile and operational circumstances. The competent authority may require the frequency to be increased or reduced, depending on the entity's perceived exposure or its importance to the financial system.

Who Does DORA Apply To?

DORA applies to a broad range of financial institutions, including banks, insurance companies, investment firms and payment institutions. Additionally, it extends to ICT service providers who support these entities, ensuring any potential third-party risks are also covered under the regulation.

An Overview of the Approach to DORA Compliance

To ensure compliance with DORA, financial entities must establish a solid governance framework around their digital operational resilience. This includes developing robust ICT risk management procedures, performing regular vulnerability assessments, and maintaining an active incident detection and reporting process. Article 26 additionally mandates that in-scope entities engage in advanced, threat-led testing, which involves simulating sophisticated cyberattacks to evaluate their defence mechanisms in real time.

Organisations are also required to maintain clear documentation and audit trails of their ICT security processes, ensuring they can be reviewed and evaluated by regulators. The ultimate goal is to foster a culture of proactive cybersecurity risk management, rather than reactive crisis handling.

How AMR CyberSecurity Can Help

At AMR CyberSecurity, we specialise in helping financial institutions navigate the stringent requirements of DORA, particularly in the context of Article 26. We offer bespoke Threat-Led Penetration Testing (TLPT) services that simulate advanced cyberattack scenarios, allowing organisations to comprehensively assess their digital defences.

Our services include:

  • Developing a tailored TLPT strategy based on your organisation’s unique risk profile and regulatory requirements.
  • Implementing regular, in-depth testing using the latest threat intelligence to ensure your systems are resilient against even the most advanced cyber threats.
  • Ensuring full compliance with DORA by providing detailed reports and documentation that meet regulatory standards.

With our expertise, AMR CyberSecurity ensures your organisation is not only compliant but also prepared to manage and mitigate the risks posed by a rapidly evolving cyber threat landscape.

© 2024 AMR CyberSecurity · Registered Company Number: 11551941