SOLUTION BRIEF
Contrast Security and The Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act
The Council of the European Union (EU) comprises government ministers from each EU country with the authority to create and amend laws and coordinate policies. Regarding IT security, the Council adopted the Digital Operational Resilience Act (DORA) in November 2022. The intent of DORA is to provide consistent IT security standards for financial institutions—such as banks, insurance companies, and investment firms—across all EU member states, ensuring that the EU financial sector remains resilient against cyber threats and operational disruption.
Regulation (EU) 2022/2554
In December 2022, the Digital Operational Resilience Act was published as Regulation (EU) 2022/2554 in the Official Journal of the European Union and became effective on January 16, 2023. This is a binding regulation for all EU members, not simply a directive.
What is required in DORA, Regulation (EU) 2022/2554?
Described in detail in a 79-page document [1], Article 25 of the regulation outlines the essential elements for testing:
Testing of information and communication technology (ICT) tools and systems
- The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
- Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity.
- Microenterprises shall perform the tests referred to in paragraph 1 by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing provided for in this Article, on the one hand, and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks, on the other hand.
How Contrast Security helps support DORA, Regulation (EU) 2022/2554
Securing the custom applications used by EU financial services firms, including the third-party libraries they depend on, is essential to support this new regulation. Contrast Security supports DORA Article 25 with the Contrast Secure Code Platform in the following ways:
- Contrast supports the DORA testing requirements of §25(1) for vulnerability assessments and scans, open-source analysis, scanning software solutions, source-code reviews, end-to-end testing, and penetration testing.
- Contrast’s native pipeline integration makes it uniquely capable of meeting the requirements of §25(2) for performing vulnerability assessments of new or existing applications, components, and ICT services.
- Contrast’s unlimited scalability, real-time analysis, and high accuracy deliver the capability to achieve an unmatched balance of scale, speed, and effort under §25(3), maximizing security with a minimum of effort.
Contrast Security can help secure your applications, taking a key step toward compliance with DORA, Regulation (EU) 2022/2554. To schedule a demo and see how this works, contact us here: https://www.contrastsecurity.com/request-demo.
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554
Secure your apps and APIs from within
Schedule a one-to-one demo to see what Contrast Runtime Security can do for you