DORA Ch. IV Art. 26 8.
1. Overview
DORA Ch. IV Art. 26 8.
8. Financial entities shall contract testers for the purposes of undertaking TLPT in accordance with Article 27. When financial entities use internal testers for the purposes of undertaking TLPT, they shall contract external testers every three tests.
Credit institutions that are classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013, shall only use external testers in accordance with Article 27(1), points (a) to (e).
Competent authorities shall identify financial entities that are required to perform TLPT taking into account the criteria set out in Article 4(2), based on an assessment of the following:
- (a) impact-related factors, in particular the extent to which the services provided and activities undertaken by the financial entity impact the financial sector;
- (b) possible financial stability concerns, including the systemic character of the financial entity at Union or national level, as applicable;
- (c) specific ICT risk profile, level of ICT maturity of the financial entity or technology features involved.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source | Requirement |
|---|---|
3. Related Standards
Standards
| Source | Requirement |
|---|---|
| NOREA | Outsourced System testing. Extend TLPT to critical outsourced systems, processes, and technologies. The entity shall remain responsible for control compliance. Collaborate with the service providers to establish risk management controls, mitigating risks to data, assets, and critical functions. *Note that this control is only applicable for financial institutions which are eligible for TLPT. Refer to the RTS on TLPT for more information on applicability. |
| NOREA | Selection of TLPT Testers. Engage either internal or external TLPT testers, with external testers contracted every third TLPT cycle. Ensure internal testers are regulator-approved, possess adequate resources, and engage external threat intelligence providers. Select TLPT testers based on reputation, expertise in threat intelligence, penetration testing, and red team practices, relevant certifications, independent assurance, and indemnity insurance coverage. Ensure that contracts concluded with external testers require sound management of the TLPT results and that any data processing thereof, including any generation, storage, aggregation, drafting, reporting, communication or destruction, does not create risks. Ensure independence of teams where internal and external testers operate separately, and verify relevant certifications, independent assurance, and indemnity insurance coverage. *Note that this control is only applicable for financial institutions which are eligible for TLPT. Refer to the RTS on TLPT for more information on applicability. |
| NOREA | Periodic TLPT Testing. Conduct threat-led penetration testing (TLPT) every three years, aligning with the entity's risk profile. Ensure TLPT covers all critical or important functions and tests on live production systems. Provide the regulator with a report encompassing TLPT findings, remediation plans, and documentation demonstrating adherence to this control. Perform TLPT according to the DORA TLPT framework (based on the TIBER-EU framework) as defined in the corresponding RTS. *Note that this control is only applicable for financial institutions which are eligible for TLPT. Refer to the RTS on TLPT for more information on applicability. |