2024-09-23

DORA Update 5: Testing Digital Operational Resilience

The Dutch Authority for the Financial Markets (AFM) issued this fifth DORA update to guide financial institutions on implementing the Digital Operational Resilience Act's testing requirements ahead of the 17 January 2025 compliance deadline. The document mandates that enterprises establish and execute a risk-based, annual test program for critical ICT systems, while designating specific institutions for advanced threat-led penetration testing (TLPT) every three years based on quantitative and qualitative systemic and risk criteria. It further details the TLPT methodology, including strict tester certification rules, defined roles for red, blue, and control teams, and a structured preparation-to-execution workflow overseen by supervisory authorities.


Netherlands

Autoriteit Financiele Markten
