The final tranche of Regulatory Technical Standards (RTS) for the Digital Operational Resilience Act (DORA) was published last week. It also covers the Implementing Technical Standards (ITS) for the templates of the register of information.
Covering:
RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats;
RTS on the harmonization of conditions enabling the conduct of the oversight activities;
RTS specifying the criteria for determining the composition of the joint examination team (JET); and
RTS on threat-led penetration testing (TLPT).
This blog post focuses specifically on the 4th point, as it applies to Articles 26 and 27, with which Persistent Security Industries can assist.
Article 26 - Advanced testing of ICT tools, systems and processes based on TLPT
Article 27 - Requirements for testers for the carrying out of TLPT
From a read-through of the new RTSs, there are a couple of interesting points that we can review.
The European Supervisory Authorities (ESAs) have agreed on a two-layer approach for firms that fall under the requirement for a Threat-Led Penetration Test (TLPT), giving some flexibility to the local authorities. They can opt companies in to or out of the testing schedule. This means that if they believe a company should be in the testing schedule, they can pull it in. Conversely, they can opt a company out if the testing is already being done in another jurisdiction.
Tests must be conducted against live production systems.
The ESAs have also set out the qualifications for the Threat Intelligence team and the Pen Test team members.
Threat Intelligence: a manager with at least 5 years of experience, plus at least one additional team member with at least 2 years of experience, and 3 references from previous assignments.
External pen testers need to provide at least 5 references from previous assignments. The team must be composed of a manager with at least 5 years of experience plus at least 2 additional testers, each with at least 2 years of experience in pen testing and red team testing.
The final RTSs are focused on the harmonization (a key goal of DORA) of reporting incidents and information to the competent authorities. The Annexes within the RTS show the types of information that must be included in incident reports as well as in the ROI (Register of Information).
With this information, firms can now start to map out their response templates for the competent authorities when an incident occurs.
Regarding external pen testers and red team activities:
We have a network of excellent partners to draw upon. Contact us for information regarding their services and how they can help your firm maintain compliance with these points.
Remember with Nemesis Breach and Attack Simulation you are able to:
Want to know more? Reach out to us via the contact us button and we will schedule some time to chat about how we can help your firm on its compliance journey.