
How can X41 D-Sec help with the new Digital Operational Resilience Act (DORA) framework?
The financial sector is facing increasing security threats, making digital resilience a critical requirement. To address these challenges, the Digital Operational Resilience Act (DORA) sets out stringent regulatory requirements for financial institutions. Below, we outline key aspects of DORA and how security services companies can help organizations ensure compliance.
What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, seeks to enhance the resilience, reliability, and continuity of financial services across the EU. Published in the Official Journal of the European Union on December 27, 2022, DORA has mandated compliance since January 17th, 2025.
DORA introduced new obligations for service providers and their critical service suppliers to mitigate disruptions in digital operational services. The framework emphasizes risk management, incident detection and reporting to regulatory authorities, and regular testing of resilience capabilities across five pillars.
What is the scope of DORA?
DORA’s objective is to make sure the financial sector in Europe is able to effectively manage Information and Communications Technology (ICT) and security risks, including those arising from third-party providers.
Only if these risks are properly managed can digitalization truly deliver on the many opportunities it offers for the banking and financial industry.
DORA encompasses five pillars:
- ICT risk management: Financial entities must define and oversee the implementation of all arrangements related to their ICT risk management framework, ensuring resilience against threats.
- Reporting on ICT-related incidents: Financial entities are required to establish and implement an incident management process to detect and notify relevant authorities of ICT-related incidents in a timely manner.
- Digital operational resilience testing: Organizations must implement rigorous ICT resilience testing, including periodic penetration testing, to detect, manage, and mitigate potential security risks.
- Management of third-party risk: Financial institutions must integrate ICT third-party risk management as a core component of their ICT risk framework, ensuring that service providers meet security standards.
- Information and intelligence sharing: Entities are encouraged to exchange threat intelligence, including indicators of compromise, attack tactics, and security alerts, to enhance collective resilience.
What happens to non-compliant organizations?
Failure to comply with DORA can lead to severe penalties, including:
- Fines of up to 2% of annual worldwide turnover for financial firms failing to report threats or critical incidents.
- ICT third-party vendors that fail to comply may be penalized 1% per day of annual worldwide turnover, up to six months.
- Individual penalties ranging from 500,000 to 1 million euros.
How can X41 D-Sec help your organization be compliant with DORA?
X41 can help your organization handle vulnerabilities in products you use or develop. Beyond identifying individual vulnerabilities, X41 shows you how to improve the design of your products and infrastructure and make them resilient even against future threats. We take care of vendor contacts and work out the technical details of vulnerability reporting with security researchers and developers. Our process for finding vulnerabilities and getting them fixed is based on years of experience in uncovering vulnerabilities.
PENETRATION TESTING
Under DORA, financial entities must conduct penetration tests as part of their operational resilience strategy. Security assessments provide tailored penetration testing services, including:
- Standard Penetration Testing: A real-world attack simulation to assess an entity’s security posture.
- Threat-Led Penetration Testing (TLPT): A sophisticated test leveraging real-time threat intelligence to evaluate an organization’s ability to detect, respond to, and recover from attacks.
- Purple Teaming Exercises: Collaborative exercises where attack and defense teams work together to improve threat detection and response.
- White-Box Source Code Review: Includes source code and development practices in the assessment to prevent security defects resulting from insecure practices.
A penetration test mimics a real attack to answer the question of what an actual attacker can achieve, and it can help establish a baseline of security across the organization. X41 performs the scoping with the customer to tailor each penetration test exactly to the client’s needs. This includes, but is not limited to, the attack surface, test depth, attack vectors, and the choice between white-, gray- and black-box testing.
THREAT-LED PENETRATION TEST
A specific kind of penetration test required by DORA is the Threat-Led Penetration Test (TLPT). In a TLPT, current threat intelligence insights are used to mimic the sophisticated attacks your organization is currently facing. Compared to classic penetration tests, TLPTs define the methods and goals in their first phase, enabling X41 to shift the focus from finding as many vulnerabilities as possible to testing how effectively your organization can detect, respond to and recover from real-world attack scenarios. Ultimately, TLPTs not only uncover technical vulnerabilities but also provide actionable insights to enhance your overall incident response and resilience strategy. They also include a purple teaming exercise where the attackers (red team) and defenders (blue team) work together to simulate and remediate specific threats and attack techniques.
How X41 Performs TLPTs
TLPTs are designed to simulate sophisticated, real-life attack scenarios, targeting all relevant underlying ICT systems and processes, including services provided by ICT third-party providers. Depending on the type of entity, whether it is a credit institution, a central securities depository, or a microenterprise, the testing frequency and approach can vary. Additional requirements apply to ICT third-party providers to ensure that their involvement in the delivery of critical functions is adequately safeguarded and that any testing they perform meets the standards set by DORA.
SOURCE CODE REVIEWING
In parallel with these testing regimes, DORA emphasizes the importance of secure software development practices. This includes code analysis and open source code analysis for any code used by the affected entity. By conducting thorough static and dynamic code analyses, organizations can uncover vulnerabilities early in the development life cycle, reducing the risk of security gaps that could be exploited. Moreover, as open source components become an integral part of ICT systems, regular reviews are crucial to ensure that these widely used codebases do not introduce hidden weaknesses. In this way, DORA’s framework not only reinforces the need for proactive penetration testing but also encourages an ongoing commitment to code quality and security, ultimately bolstering the overall digital resilience of financial entities and their third-party partners.
How X41 Performs Security Code Audits
A security code audit identifies security issues in the design or implementation of your applications. It can uncover issues that are hard to find during a penetration test and can be considered a special form of a full white-box penetration test.
Starting with an initial design workshop, the reviewers of X41 are briefed by the developers about the design of the application and are given a walk-through of the code base. Following this, a threat model is developed jointly in order to define a baseline of what counts as a vulnerability in the applicable context. This also helps testers to focus on specific parts of the application that might be especially vulnerable regarding the defined threats.
The reviewers subsequently conduct a code review using automated and manual methods. The main focus is on the manual review, making full use of the expertise and experience of the reviewers in that area. All findings are discussed directly with the developers during the review in order to provide feedback, eliminate false positives and generally strengthen security awareness. X41 performs source code audits remotely or on-site, based on your requirements.
For special assignments, we can perform the code audit on-site, on your hardware so the source code never leaves your control.
BREACH AND ATTACK SIMULATION
Nemesis, by X41’s partner Persistent Security Industries, is a Breach and Attack Simulation (BAS) platform that offers scenario-based testing as required by DORA and streamlines the journey to compliance for financial institutions and other regulated organizations.
Nemesis can help security assessment companies enhance their services by providing a robust BAS platform. It enables security service providers to:
- Simulate real-world threats using industry-standard frameworks such as MITRE ATT&CK.
- Perform scenario-based testing aligned with DORA’s requirements.
- Prioritize and mitigate security weaknesses before attackers can exploit them.
Conclusion
DORA is a game-changer for financial entities, demanding a proactive approach to ICT risk management and resilience. Security assessment companies empower organizations to meet these stringent requirements through expert penetration testing, source code audits, and breach simulations. By leveraging professional security services, financial institutions can not only achieve compliance but also strengthen their overall security posture against evolving threats.
For more information on how we, as professional security experts, can help you offer more value to your financial customers and achieve DORA compliance, contact us today!
Need help becoming compliant with DORA? X41 has you covered! Book your meeting here and we will be happy to answer all your questions.