DORA Requirements for Resilience Testing Approach

Introduction

The Digital Operational Resilience Act (DORA) is a regulation adopted by the European Union aimed at enhancing the digital resilience of entities operating in the financial sector. DORA sets forth a series of requirements for these entities to ensure they can withstand various types of cyber threats.

Emphasis on Offensive Measures

One notable aspect of DORA is its emphasis on offensive (proactive) measures that financial sector entities must undertake. DORA is one of the first binding regulations to explicitly mandate preventive and preemptive actions through regular penetration testing, as part of a comprehensive strategy combined with risk analysis.

Key Requirements of DORA for Resilience Testing

DORA requires that resilience testing:

• Be part of a developed and comprehensive digital operational resilience testing program, subject to reviews.
• Be an integral part of ICT risk management frameworks.
• Be conducted by independent internal or external parties.
• Adhere to procedures and rules for prioritizing, classifying, and resolving all issues identified during testing.
• Be conducted following internal approval methods to ensure that all identified weaknesses, deficiencies, or gaps are fully addressed.

Regular Resilience Testing

A key aspect of DORA is the necessity for regular resilience testing. These tests aim to simulate potential attacks on systems and applications to identify vulnerabilities and weaknesses that could be exploited by cybercriminals. This proactive approach is crucial in effectively mitigating vulnerabilities within organizations, thereby reducing the risk of cyberattacks.

FUSE AI's Approach to DORA Compliance

In response to DORA's requirements, FUSE AI has designed a comprehensive service that encompasses:

1. Operational Resilience Testing

We perform regular and cyclical penetration tests and vulnerability scans tailored to the specific operations and systems of our clients, with an agreed frequency. These tests cover both network infrastructure and the applications and cloud solutions used by our clients.

2. Vulnerability Management Process

FUSE AI has developed a vulnerability management process that allows each identified vulnerability to be recorded in a repository, determining its criticality and priority, and assigning responsible individuals for mitigation according to an established SLA.

3. Vulnerability Mitigation

We actively participate in vulnerability mitigation, sharing expert knowledge with client personnel. Our team provides recommendations for mitigation and support in their implementation, enabling organizations to effectively secure themselves against potential attacks by increasing the efficiency of vulnerability remediation.

4. Risk Analysis

FUSE AI includes a risk analysis module that enables the identification, assessment, and prioritization of threats. This helps organizations better understand the challenges they face and the steps they should take to protect themselves. We present the risk associated with individual assets, as well as the collective risk for the entire organization.

5. Documentation and Reporting

All service results and actions taken are reflected in dynamic and static reports accessible through FUSE AI. These reports provide security management personnel with real-time information on the number of vulnerabilities, associated risks, and the efficiency of their remediation. FUSE AI serves as a comprehensive tool for managing vulnerabilities within an organization.

Conclusion

The DORA regulation introduces important requirements for digital resilience in the financial sector. It emphasizes prevention and proactive measures, which, when combined with appropriate defensive solutions, can provide organizations with maximum and effective protection against cyber threats.

‍