{"id":14625,"date":"2025-11-26T14:28:03","date_gmt":"2025-11-26T14:28:03","guid":{"rendered":"https:\/\/outsourcing-today.ro\/?p=14625"},"modified":"2025-11-26T14:28:04","modified_gmt":"2025-11-26T14:28:04","slug":"testing-required-by-the-eu-digital-operational-resilience-regulation-dora-what-financial-institutions-need-to-know","status":"publish","type":"post","link":"https:\/\/outsourcing-today.ro\/?p=14625","title":{"rendered":"Testing required by the EU Digital Operational Resilience Regulation (DORA): what financial institutions need to know"},"content":{"rendered":"\n<p><span class=\"has-inline-color has-vivid-cyan-blue-color\">Opinion by <strong>Andrei Ionescu<\/strong>, Partner, Consulting Market Leader and Central Europe Cyber Leader, and <strong>Drago\u0219 Ionic\u0103<\/strong>, Senior Manager Cyber Security, <strong>Deloitte Romania<\/strong><\/span><\/p>\n\n\n\n<p>The EU Digital Operational Resilience Act (DORA), which entered into force this year, brings a set of clear obligations for financial institutions. One of the most important requirements is that entities considered significant must carry out threat-led penetration testing (TLPT) on all critical information and communication technology systems and applications and on important functions in the production environment. These tests must be repeated every three years. To support the consistent implementation of these tests, the European Central Bank (ECB) recently published the guide <strong><a rel=\"noreferrer noopener\" href=\"https:\/\/www.bankingsupervision.europa.eu\/ecb\/pub\/pdf\/ssm.supervisory_guide202511.en.pdf\" target=\"_blank\">How to implement the TIBER-EU Framework for the DORA TLPT of significant institutions<\/a><\/strong>, which explains step by step how the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) framework is used to meet the requirements of DORA. 
The document provides clarity on the responsibilities of institutions, the testing stages and how supervisors coordinate the entire process.<\/p>\n\n\n\n<p><strong>What does the European Central Bank Guide state<\/strong><\/p>\n\n\n\n<p>The Guide starts from the premise that TIBER-EU is the reference methodology for Threat-Led Penetration Testing, as it offers a realistic approach based on threat intelligence and sophisticated \u201cred team\u201d scenarios. The ECB clearly defines the selection criteria for significant institutions subject to mandatory testing and the roles of all actors involved, from the TLPT Authority (ECB), to the Test Manager, Control Team, Threat Intelligence Provider (TIP) and Red Team Testers (RTT). It also establishes a three-phase structure for testing: preparation, testing and closure, each containing critical activities such as defining essential functions, risk assessment, scenario creation, simulated attacks on live systems and the \u201creplay\/purple teaming\u201d phase. In addition, the new Guide imposes strict requirements for confidentiality, team separation, risk management and maintaining operational realism throughout the exercise.<\/p>\n\n\n\n<p>With this guide, the ECB is taking a key step towards standardizing the way TLPT is carried out across the euro area, ensuring that testing is consistent, secure and focused on real results in terms of operational resilience.<\/p>\n\n\n\n<p><strong>The importance of Threat-Led Penetration Testing for the financial sector<\/strong><\/p>\n\n\n\n<p>TLPT is more than just a technical exercise. 
It represents a realistic simulation of an advanced attack on the institution\u2019s critical services, with the aim of assessing the ability of systems to detect, delay and block sophisticated attacks, the maturity of processes and collaboration between security and operational teams, as well as the real level of resilience of critical functions such as payments, card services, mobile banking, SWIFT infrastructure, core banking systems, etc.<\/p>\n\n\n\n<p>The final result is not just a report, but an improvement plan with a direct impact on security and business continuity.<\/p>\n\n\n\n<p><strong>What financial institutions need to consider when implementing TLPT requirements<\/strong><\/p>\n\n\n\n<p>Implementing TLPT according to TIBER-EU requires multidisciplinary expertise, practical experience in red teaming and a deep understanding of DORA requirements. Financial institutions need specialized teams, ideally with experience in complex projects for central banks, systemic institutions and critical infrastructure operators, as well as <a href=\"https:\/\/www.deloitte.com\/ro\/en\/services\/risk-advisory\/services\/cybersecurity.html?icid=top_cybersecurity\" target=\"_blank\" rel=\"noreferrer noopener\">expertise in relevant European regulations, such as DORA, NIS2 and TIBER-EU. 
<\/a>Another important aspect is the end-to-end operational capability &#8211; from defining critical functions, to executing attack scenarios, coordinating teams, to analyzing results and developing remediation plans.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Opinion by Andrei Ionescu, Partner, Consulting Market Leader and Central Europe Cyber Leader, and Drago\u0219 Ionic\u0103, Senior Manager Cyber Security, Deloitte Romania The EU Digital Operational Resilience Act (DORA), which entered into force this year, brings a set of clear [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":14627,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[19,18,12,6,3,8,317],"tags":[47],"_links":{"self":[{"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=\/wp\/v2\/posts\/14625"}],"collection":[{"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14625"}],"version-history":[{"count":1,"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=\/wp\/v2\/posts\/14625\/revisions"}],"predecessor-version":[{"id":14628,"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=\/wp\/v2\/posts\/14625\/revisions\/14628"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=\/wp\/v2\/media\/14627"}],"wp:attachment":[{"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14625"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14625"},{"taxonom
y":"post_tag","embeddable":true,"href":"https:\/\/outsourcing-today.ro\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}