What is DORA and how can Edgescan help?

DORA in the EU aims to enhance cybersecurity among digital service providers, a goal Edgescan supports by helping organizations satisfy DORA requirements through its comprehensive vulnerability management platform.

Version Number: v1.0.1

Published Date: 2 May 2024

____________________________________________________________________________

What is DORA?

The European Council adopted DORA in November 2022, and it will be in full force from 17th January 2025. DORA is an EU regulation that comprehensively addresses Information and Communication Technology (ICT) risk management in the financial sector by ensuring that all providers follow a common set of standards to mitigate ICT risks to their operations. Prior to DORA, each EU country had its own regulations for ICT risk; DORA aims to create a unified framework for all member states.


Edgescan has a detailed blog post outlining DORA available here.

DORA Testing Requirements

Digital Operation Resilience Testing

As part of the ICT risk management framework, DORA requires that financial entities define, document, and maintain a thorough and comprehensive digital operational resilience testing programme. Financial entities will need to ensure that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions at least once a year. The tests detailed in the DORA regulation include:

  • Vulnerability assessments and scans
  • Open-source analyses
  • Network security assessments
  • Gap analyses
  • Physical security reviews
  • Questionnaires and scanning software solutions
  • Source code reviews where feasible
  • Scenario-based tests
  • Compatibility testing
  • Performance testing
  • End-to-end testing or penetration testing
  • Threat-Led Penetration Testing (see below)

An Annual Penetration Test is a Requirement of DORA

The most significant requirement of DORA is the annual penetration test of critical applications and systems, which can be fulfilled through the use of Edgescan.

Edgescan Penetration Testing Service Meets DORA Requirements

The good news is that most of the types of testing required by the standard are items that financial services organisations will be well familiar with and, indeed, most will already have ongoing security testing programmes that include these items. Once organisations identify their critical systems in scope, we can onboard them and start testing immediately.

Edgescan offers world-class penetration testing services globally through our Penetration Testing as a Service (PTaaS) platform.

Testing, Reporting and Remediation!

Our testing methodology more than meets the current criteria to cover the annual tests that are outlined in DORA specifications.

Extensive and detailed reporting via the Edgescan platform gives you an ongoing view of the security posture for your critical assets with extensive reporting metrics and on-demand retesting.

Plus, with remediation advice direct from our technical testing teams, demonstrating that any vulnerabilities identified have been sufficiently remediated and satisfactorily retested will not be a problem.