Resilience Testing with a Sprinkling of Backup & Recovery – Feb 13 2025

It’s been a minute—DORA has now been up and running for almost a full month. Hopefully, the message of DON’T PANIC from the previous article has resonated. Your understanding of DORA should have increased, and now you should be thinking about your response and all the elements this brings. You’re on the path to building maturity to meet DORA’s requirements!


Testing: Where the Rubber Meets the Road

DORA doesn’t just require you to improve resilience—it also demands testing to prove it. This means evaluating your posture, demonstrating worst-case scenario recoverability, and ensuring you can rehydrate systems or redeploy using CI/CD pipelines.

So, what should you be testing? Below is a starting point—not exhaustive, but a guide to key areas. Your approach should be risk-based and tailored to your needs.

Key Testing Areas

  • ICT Risk Management Framework – Effectiveness of policies, procedures, and controls.
  • Critical ICT Systems & Processes – Resilience of essential systems such as incident management, change management, backup/recovery, and disaster recovery.
  • Third-Party Dependencies – Testing the resilience of critical ICT services provided by third parties.
  • Cybersecurity Controls – Ensuring security measures such as firewalls, intrusion detection, access controls, and encryption are effective.
  • Incident Response & Recovery – Efficiency of response, business continuity, and disaster recovery plans.
  • Vulnerability & Penetration Testing – Regular vulnerability scans, penetration testing, and threat-led penetration testing (TLPT).
  • Operational Resilience – Ensuring systems can withstand and recover from disruptive events.
  • Communication & BCM Plans – Effectiveness of internal and external communication during incidents.
  • ICT Third-Party Risk Management – Making sure third-party suppliers are resilient and can demonstrate compliance.

Key Observations

  • Yes, there’s a lot of testing. But without it, you cannot demonstrate compliance.
  • Comprehensive test plans. If you’re already under FCA/PRA regulations, you likely conduct significant testing. Consolidate all tests into a single, optimized plan.
  • Link policies to operations. Define and demonstrate Minimum Control Requirements (MCRs)—for example, if an MCR outlines backup and recovery expectations, ensure it’s tested.
  • Regular backup and recovery tests. You must prove that data and services can be recovered efficiently and securely.
  • Third-party supplier resilience. DORA mandates resilience testing with and by third parties, including their dependencies.
  • Security testing is essential. TLPT, vulnerability scans, and large-scale patching all contribute to a stable, resilient environment.
  • Annual reporting. At least once a year, summarize all testing outcomes and lessons learned for senior management to drive continuous improvement.

Backup & Recovery – A Critical Expectation

Since resilience testing is a priority, backup and recovery must be fit for purpose and rigorously tested. Simply having a backup isn’t enough—it must meet Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) effectively.

Key Considerations for Backup & Recovery

  • Physical separation of backup/recovery from core processing systems – DORA mandates this to prevent data loss during incidents.
  • Secure backup activation – Backup procedures must not compromise data integrity or security.
  • Alignment of RPOs/RTOs with business impact tolerances – Critical services must have recovery objectives that reflect the impact tolerance the business has set for them.
  • Regular testing of backup & recovery – Frequent testing ensures full restoration of services.
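As an added example (not code from the original article), the Python harness below does what the last two bullets ask for in miniature: it restores a backup into a scratch location, verifies every file against the hashes recorded when the backup was taken, and scores the run against an RPO and an RTO. The sample backup set, the manifest layout and the function names are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Constructed sample backup set (not real data): file name -> contents.
SAMPLE_FILES = {"ledger.db": b"txn-0001\ntxn-0002\n", "config.yaml": b"rpo_hours: 4\n"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_backup(root: str, taken_at: datetime) -> dict:
    # Write the files and record per-file hashes so a restore can prove integrity, not just presence.
    files = {}
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
        files[name] = sha256(data)
    return {"taken_at": taken_at.isoformat(), "files": files}

def restore_and_verify(backup_root: str, manifest: dict, restore_root: str) -> list:
    # Copy every manifest entry into restore_root; return the names whose hash does not match.
    bad = []
    for name, expected in manifest["files"].items():
        dst = os.path.join(restore_root, name)
        shutil.copy2(os.path.join(backup_root, name), dst)
        with open(dst, "rb") as fh:
            if sha256(fh.read()) != expected:
                bad.append(name)
    return bad

def run_recovery_test(backup_age_hours: float, rpo_hours: float, rto_seconds: float,
                      tamper: bool = False) -> dict:
    # Build a backup of the given age, restore it, and score the run against RPO (data age) and RTO (restore time).
    now = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        manifest = make_backup(src, now - timedelta(hours=backup_age_hours))
        if tamper:  # simulate a backup altered after its manifest was written
            with open(os.path.join(src, "ledger.db"), "ab") as fh:
                fh.write(b"txn-9999\n")
        start = time.monotonic()
        corrupted = restore_and_verify(src, manifest, dst)
        restore_seconds = time.monotonic() - start
    age = (now - datetime.fromisoformat(manifest["taken_at"])).total_seconds() / 3600
    rpo_met, rto_met = age <= rpo_hours, restore_seconds <= rto_seconds
    return {"data_age_hours": age, "restore_seconds": restore_seconds,
            "corrupted": corrupted, "rpo_met": rpo_met, "rto_met": rto_met,
            "passed": rpo_met and rto_met and not corrupted}
```

A real test plan would replace the sample set with a restore of a production-like dataset into isolated infrastructure, but the three checks (data age versus RPO, elapsed time versus RTO, hash verification of what came back) are the evidence an auditor will ask for.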

Future Trends in Backup & Recovery

With cyber threats increasing, large-scale recovery scenarios are becoming more critical than ever. Expect:

  • Greater adoption of vaulting technologies to enhance data protection.
  • Increased focus on “big red button” recovery – automated, mass recovery solutions for minimum viable business operations.
  • Cloud-native solutions leveraging CI/CD for redeployment rather than traditional recovery models.

Final Thoughts

A comprehensive test plan aligned with your Critical & Important Functions (CIFs) isn’t optional—it’s a must-do activity. Execution and proof of improvements are regulatory expectations.

If you’d like to discuss DORA compliance strategies or any of the topics covered, feel free to get in touch.

Have a great one!

Wrapping It Up

Do our bi-weekly insights prove valuable to you? Have you noticed trends or threads that you think our community should know about? Connect and share your insights with us on LinkedIn.