DORA · 2026-03-10 · 4 min read

DORA Article 26 Explained: Advanced Testing of ICT Tools, Systems and Processes (TLPT)

Introduction

Digital operational resilience has become a baseline obligation for the EU financial sector rather than a differentiator. The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) harmonises requirements for ICT risk management, incident reporting, resilience testing and ICT third-party risk. Article 26, on advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT), is the most demanding of the testing obligations: it requires financial entities designated by their competent authorities to undergo controlled, intelligence-led red team testing of the live production systems that support their critical or important functions. This article sets out what Article 26 requires, how to implement it and where entities commonly go wrong.

Key Requirements

Article 26 sits in DORA's Chapter IV on digital operational resilience testing. Article 25 already requires every financial entity to run a broad testing programme (vulnerability assessments and scans, source code reviews, scenario-based tests, penetration tests and so on). Article 26 adds an advanced tier on top of that for the entities that competent authorities identify on the basis of their impact on the financial sector, financial stability considerations and their ICT risk profile; microenterprises and entities under the simplified ICT risk management framework of Article 16 are out of scope. The key requirements are:

  • TLPT at least every three years: Identified entities must carry out threat-led penetration testing at least once every three years, with the competent authority able to require more or less frequent testing for a given entity based on its risk profile or operational circumstances. DORA defines TLPT as a controlled, bespoke, intelligence-led red team test that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine threat to the entity, run against its critical live production systems. A conventional penetration test of a few hosts does not qualify. The detailed rules are set out in regulatory technical standards drawn up in line with the TIBER-EU framework.

  • Scope covering critical or important functions: Each TLPT must cover several or all of the entity's critical or important functions and be performed on the live production systems that support them. The entity has to identify every underlying ICT system, process and technology in scope, including services outsourced to ICT third-party providers, and the competent authority validates the scope. Where a third-party provider is in scope, the entity must take measures to ensure its participation; where that participation would harm the quality or security of the provider's services to other customers, or the confidentiality of their data, the parties may agree in writing to a pooled test run under the direction of one designated financial entity.

  • Realistic attack simulation under risk controls: The red team phase must reproduce how attackers genuinely targeting the entity would behave, which is why it is preceded by a targeted threat intelligence phase that selects the scenarios. Because the test runs against production, the entity must apply risk management controls that mitigate the potential for data compromise, damage to assets and disruption of critical or important functions, services or operations, both for the entity itself and for its counterparts and the wider financial sector.

  • Remediation and reporting to the competent authority: At the end of the test, once the reports and remediation plans have been agreed, the financial entity and, where applicable, the external testers must provide the competent authority with a summary of the relevant findings, the remediation plans and documentation demonstrating that the TLPT was conducted in accordance with the requirements. The authority then issues an attestation, which allows the test to be recognised by other competent authorities. Findings should also reach the management body, which under DORA bears the final responsibility for managing the entity's ICT risk.

  • Tester requirements: Testers must satisfy Article 27: highest suitability and reputability, demonstrated expertise in threat intelligence, penetration testing and red teaming, certification or adherence to formal codes of conduct, independent assurance over their handling of test risks and confidential data, and professional indemnity insurance. Internal testers may be used only where the competent authority has approved it, the entity has sufficient dedicated resources, conflicts of interest are avoided throughout the design and execution of the test, and the threat intelligence provider is external. At least every third test must be performed by external testers, and credit institutions classified as significant under the Single Supervisory Mechanism must use external testers only.

Implementation Guide

Implementing Article 26 is best approached as a test lifecycle rather than a checklist. The steps below follow the preparation, testing and closure phases used by TIBER-EU:

  1. Confirm your status: Check whether your competent authority has identified the entity as subject to TLPT and at what frequency. Entities that have not been identified remain bound by the Article 25 testing programme and may be designated later, so the scoping work below is worth doing early.

  2. Scope the test: Map each critical or important function to the ICT systems, processes, data flows and ICT third-party providers that support it, drawing on the register of information on third-party arrangements. Decide which functions the test will cover, document the rationale, engage affected providers early (or agree a pooled test), and submit the scope to the competent authority for validation.

  3. Select testers: Procure a threat intelligence provider and a red team that meet the Article 27 criteria, and verify capability, certifications, insurance and confidentiality arrangements before contracting. If you intend to use an internal red team, obtain the competent authority's approval first and plan for the requirement to use external testers at least every third test.

  4. Set up the control team: Keep knowledge of the test within a small control team (the White Team in TIBER-EU terms) that manages risk, legal cover and communications with the testers and the authority. Defenders are not told about the test, so that detection and response are measured realistically. Agree stop criteria, escalation paths, handling of any data the testers access, and rollback arrangements before the red team phase starts.

  5. Run the threat intelligence and red team phases: The threat intelligence provider produces a targeted threat landscape and attack scenarios for the agreed scope; the red team then executes them against production under the agreed rules of engagement and risk controls, reporting progress to the control team and halting when stop criteria are met.

  6. Close out with defenders: After the red team phase, bring in the defensive teams for a replay or purple teaming session so that each attack path is compared with what was detected, blocked or missed, and translate the gaps into a remediation plan with owners and deadlines. Rehearse the incident response plan against the scenarios the test exposed.

  7. Report and obtain attestation: Compile the summary of findings, the remediation plan and the documentation showing the test was conducted per the requirements, agree them with the testers, and submit them to the competent authority to obtain the attestation. Track remediation to completion and feed the results into the ICT risk management framework.

  8. Build on the results: Treat the blue team's performance as the main output. Use the missed detections and slow responses to drive detection engineering, playbook updates and targeted training, and update the Article 25 testing programme so that the same weaknesses are checked between TLPT cycles.

Common Pitfalls

Entities implementing Article 26 should avoid the following pitfalls:

  • Treating TLPT as an ordinary penetration test: A scoped, time-boxed pentest or vulnerability scan against test environments does not meet the definition. TLPT is intelligence-led, covers critical or important functions and runs on live production systems.

  • Leaving third parties out of scope: Omitting outsourced functions, or engaging providers so late that they cannot participate, undermines the test and will not survive scope validation by the competent authority.

  • Tipping off the defenders: Informing the security operations team in advance removes the realism that makes the test useful. Keep knowledge of the test within the control team.

  • Weak risk controls: Running against production without agreed stop criteria, rollback arrangements and clear data-handling rules exposes the entity and its counterparts to exactly the disruption the test is meant to prevent.

  • Inadequate documentation: Without a documented scope, rules of engagement, tester qualifications and test reports, the entity cannot demonstrate compliance or obtain the attestation from the competent authority, and loses the ability to learn from past tests.

  • Slow or selective remediation: Filing the report without tracking the remediation plan to completion, or downplaying critical findings, leaves known attack paths open until the next cycle, up to three years later.

  • Treating the three-year cycle as the whole programme: Threats evolve faster than the TLPT cadence. Findings should feed the ongoing Article 25 testing programme and the detection and response capability between tests.

How Matproof Helps

Matproof's compliance management platform streamlines the process of tracking and evidence collection for Article 26 requirements. With features such as automated documentation and reporting, Matproof ensures that financial entities can demonstrate their compliance effectively and efficiently, while also providing tools for continuous improvement of their ICT risk management processes.

Related Articles

For further reading on DORA and related compliance topics, consider exploring the following articles:

DORA Article 4 Explained
DORA Article 17 Explained
DORA Article 24 Explained
DORA Article 27 Explained

