## Introduction
The European Union's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554, applicable since 17 January 2025) sets binding requirements for how financial entities manage ICT risk. This article covers Article 24, the opening article of DORA's chapter on digital operational resilience testing. Article 24 does not prescribe individual test types itself; it defines the testing programme that the more specific Articles 25 and 26 then populate, and it fixes the ground rules for scope, frequency, tester independence and remediation. Understanding those ground rules matters because they determine what a supervisor will expect to see when asking whether an entity actually tests the systems behind its critical or important functions.
## Key Requirements
**Article 24** of DORA sets out the general requirements for the digital operational resilience testing programme; the individual test types are prescribed by Article 25 (testing of ICT tools and systems) and Article 26 (advanced threat-led penetration testing, TLPT). The obligations apply to financial entities other than microenterprises. Paragraph by paragraph, Article 24 requires:
- **A testing programme embedded in the ICT risk-management framework** (Art. 24(1)): establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework of Article 6, for the purpose of assessing preparedness for handling ICT-related incidents, identifying weaknesses, deficiencies and gaps, and promptly implementing corrective measures.
- **A range of test types** (Art. 24(2)): the programme must include a range of assessments, tests, methodologies, practices and tools applied in accordance with Articles 25 and 26. Article 25 lists, among others, vulnerability assessments and scans, gap analyses, network security assessments, source code reviews where feasible, scenario-based tests, performance testing, end-to-end testing and penetration testing; Article 26 adds TLPT at least every three years for the entities designated for it.
- **A risk-based approach** (Art. 24(3)): scope and frequency follow the proportionality criteria of Article 4(2) and must take into account the evolving ICT risk landscape, the specific risks the entity is or might be exposed to, and the criticality of its information assets and services.
- **Independent testers** (Art. 24(4)): tests are undertaken by independent parties, whether internal or external. Where an internal tester is used, the entity must dedicate sufficient resources and avoid conflicts of interest throughout the design and execution of the test; in practice this means the team that owns or operates a system should not be the team that tests it.
- **Remediation and validation of findings** (Art. 24(5)): procedures and policies to prioritise, classify and remedy all issues revealed by the tests, together with internal validation methodologies that confirm every weakness, deficiency or gap has been fully addressed, not merely ticketed.
- **Annual minimum coverage** (Art. 24(6)): at least yearly, appropriate tests on all ICT systems and applications supporting critical or important functions.
- **Documentation and evidence**: Article 24 does not prescribe a document format, but the programme itself, the risk rationale for scope and frequency, proof of tester independence and the remediation trail for each finding are what a supervisor will ask for, so records of each must exist and be kept current.
## Implementation Guide
To meet Article 24, financial entities should work through the following steps:
1. **Inventory the systems in scope**: identify every ICT system and application supporting a critical or important function (building on the identification duties of Article 8) and record its owner, so that the annual minimum of Art. 24(6) has a concrete list to be measured against.
2. **Risk-based scope and frequency**: decide, per system, which Article 25 test types apply and how often, and write down the risk rationale (criticality, exposure, recent changes, threat landscape) so the choice can be defended under Art. 24(3).
3. **Scenario development**: build scenarios that simulate realistic disruptions, including cyber-attacks, data breaches and technical failures, and exercise prevention, detection, response and recovery rather than prevention alone.
4. **Testing protocol**: establish a test plan that states objectives, methodology, rules of engagement and the responsibilities of every party involved.
5. **Tester independence**: assign each test to a party that is independent of the system under test, internal or external, and document for internal testers how conflicts of interest were avoided during design and execution (Art. 24(4)).
6. **Incident response exercise**: review and test the incident response plan, since assessing preparedness for handling ICT-related incidents is the stated purpose of the programme in Art. 24(1).
7. **Third-party coordination**: where an ICT third-party service provider supports a critical or important function, agree contractually on its participation in testing (the contractual provisions of Article 30 include participation in TLPT) and include its services in the scope of the programme.
8. **Findings management**: prioritise and classify every finding, assign remediation owners and deadlines, and apply an internal validation step, such as a retest, before a finding is closed (Art. 24(5)).
9. **Documentation and record keeping**: keep records of all testing activities, including scope, tester, date, results, lessons learned and the subsequent remediation actions.
10. **Continuous improvement**: review and update the programme regularly to incorporate new risks, technologies and lessons learned from past tests, and re-run the coverage check after every change to the inventory.
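The steps above reduce, for audit purposes, to a few questions that can be answered mechanically from an asset inventory and a test log: which in-scope systems have never been tested, which were last tested more than a year ago, which tests were run by the system's own owner, and how many findings are still open. The script below is an added illustration of that check, not code from this page or from Matproof; the inventory, the test records and all field names are constructed assumptions for the example.

```python
"""Coverage check for a DORA Article 24 testing programme.

Added illustration, not code from the page or from Matproof. It takes a
constructed inventory of ICT systems and a constructed test log and reports
the gaps a reviewer of Article 24 would look for: in-scope systems with no
test, tests older than the annual minimum (Art. 24(6)), tests run by the
system's own owner (Art. 24(4)), and findings not yet validated as
remediated (Art. 24(5)). Field names are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IctSystem:
    name: str
    critical_or_important: bool  # supports a critical or important function
    owner: str                   # team accountable for the system


@dataclass(frozen=True)
class TestRecord:
    system: str
    test_type: str               # an Article 25 test type, e.g. "penetration-test"
    performed_on: date
    tester: str                  # team or firm that designed and ran the test
    open_findings: int           # findings not yet validated as fully addressed


# Constructed sample data for the example; not a real inventory.
SYSTEMS = [
    IctSystem("payments-gateway", True, "payments-eng"),
    IctSystem("core-banking", True, "core-eng"),
    IctSystem("customer-portal", True, "web-eng"),
    IctSystem("trade-ledger", True, "markets-eng"),
    IctSystem("hr-wiki", False, "it-ops"),
]

TESTS = [
    TestRecord("payments-gateway", "scenario-based", date(2025, 9, 10), "red-team", 2),
    TestRecord("core-banking", "vulnerability-assessment", date(2024, 11, 1), "core-eng", 0),
    TestRecord("core-banking", "penetration-test", date(2025, 12, 2), "ext-pentest-firm", 1),
    TestRecord("customer-portal", "vulnerability-assessment", date(2024, 12, 1), "web-eng", 0),
]

AS_OF = date(2026, 3, 10)  # review date used for the age calculation


def coverage_report(systems, tests, as_of, max_age_days=365):
    """Return the Article 24 gaps found in the inventory and test log.

    Only systems flagged critical_or_important are in scope: the annual
    minimum of Art. 24(6) does not bind the rest, although a risk-based
    programme may still choose to test them.
    """
    in_scope = {s.name: s for s in systems if s.critical_or_important}
    tests_by_system = {}
    for t in tests:
        tests_by_system.setdefault(t.system, []).append(t)

    untested, overdue, non_independent = [], [], []
    open_findings = {}

    for name in in_scope:
        recs = tests_by_system.get(name, [])
        if not recs:
            untested.append(name)            # never tested: hard gap under Art. 24(6)
            continue
        latest = max(r.performed_on for r in recs)
        if (as_of - latest).days > max_age_days:
            overdue.append(name)             # last test older than the yearly minimum
        total_open = sum(r.open_findings for r in recs)
        if total_open:
            open_findings[name] = total_open  # remediation backlog, Art. 24(5)

    for t in tests:
        system = in_scope.get(t.system)
        # A test designed and run by the team that owns the system is not an
        # independent test in the sense of Art. 24(4).
        if system is not None and t.tester == system.owner:
            non_independent.append((t.system, t.test_type))

    return {
        "untested": untested,
        "overdue": overdue,
        "non_independent": non_independent,
        "open_findings": open_findings,
        "gaps_found": bool(untested or overdue or non_independent),
    }


if __name__ == "__main__":
    for key, value in coverage_report(SYSTEMS, TESTS, AS_OF).items():
        print(f"{key}: {value}")
```

Run against the sample data as of 2026-03-10, the check reports trade-ledger as never tested, customer-portal as overdue (last tested December 2024), two tests as not independent because the owning team ran them, and three open findings awaiting validation; hr-wiki is ignored because it supports no critical or important function. The same structure scales to a real inventory exported from a CMDB and a test log exported from a ticketing system.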
## Common Pitfalls
Financial entities should watch for the following pitfalls when implementing Article 24:
- **Underestimating risk**: a weak assessment of which systems support critical or important functions leads to an incomplete scope, inadequate testing and a false sense of security.
- **Lack of regular updates**: a programme that is not revisited accumulates outdated scenarios and methodologies that no longer reflect current risks or the current system inventory.
- **Tester conflicts of interest**: letting the team that owns a system also test it fails the independence requirement of Art. 24(4), even when the test itself is technically sound.
- **Overreliance on third parties**: relying on ICT third-party service providers to test themselves, without contractual participation rights and oversight of results, leaves compliance gaps in the scope of the programme.
- **Closing findings without validation**: marking a finding remediated on the strength of a ticket update, with no retest or other internal validation, does not satisfy Art. 24(5).
- **Insufficient documentation**: without records of scope, tester, date, results and remediation, the entity cannot demonstrate compliance or learn from past tests.
- **Neglecting recovery plans**: testing only prevention and detection, without exercising response and recovery, leaves the entity unprepared for an actual disruption.
## How Matproof Helps
Matproof's compliance management platform provides tools to automate the tracking and evidence collection for Article 24 requirements, ensuring that financial entities can efficiently manage their digital operational resilience testing program. With features like risk assessment, scenario development, and incident reporting, Matproof helps entities maintain compliance and enhance their overall resilience.
## Related Articles
- [DORA Article 4 Explained](/articles/dora-article-4-explained)
- [DORA and Cybersecurity: An Overview](/articles/dora-and-cybersecurity-overview)
- [DORA Article 10: ICT Risk Management](/articles/dora-article-10-ict-risk-management)
- [DORA Article 16: ICT Security Measures](/articles/dora-article-16-ict-security-measures)
DORA Article 24 Explained: General Requirements for Digital Operational Resilience Testing
DORA · 2026-03-10 · 4 min read
Tags: DORA Article 24, General Requirements for Digital Operational Resilience Testing, digital operational resilience, ICT risk management, financial regulation