EU DORA Regulation: Cyber Tabletop Testing for Operational Resilience

The Digital Operational Resilience Act, often referred to as the EU DORA regulation, is a crucial regulatory framework which now supports regular Cyber Tabletop Exercises for business continuity. Having been established by the European Union, it is aimed at bolstering the operational robustness and security of financial entities in the digital era. This legislation focuses on the increasing need to secure networks and information, as well as to enhance the operational resilience of financial organisations.

Topics covered in this article: 

1. What does DORA say about Digital Operational Resilience Testing 
2. How Cybersecurity Tabletop Exercises can help achieve DORA compliance
3. How to fulfill DORA's Operational Resilience Testing Requirements

EU DORA & Digital Operational Resilience Testing

Digital Operational Resilience Testing is amongst the core pillars of DORA. Chapter IV of the regulation delves into the requirements for the performance of digital operational resilience testing. Articles 25 and 26 go into the details of the assessments, tests, tools and methodologies that should be applied to the process of resilience testing. 

Some of the key requirements that DORA lists out for the process of testing include: 

1. Adopting a risk-based approach that takes into consideration the evolving threat landscape and the specific risks that the business might face. 
2. The resilience testing programme must be conducted by an independent entity, internal or external. 
3. The Operational Resilience Testing Programme must align with established best practices such as the NIST Cybersecurity Framework and ISO 27001 standards.
4. Financial entities are compelled to implement proper procedures and policies for fixing the gaps and weaknesses in the existing security structure and validating that the identified weaknesses have indeed been plugged. 

How Cyber Crisis Tabletop Exercises Can Help Achieve DORA Compliance 

Article 25 within Chapter IV of DORA details the specific tests that financial organisations must conduct to establish their compliance with the regulation. Scenario-based tabletop testing is one of the tests that the Act spells out as essential to ensuring operational resilience. 

Cyber Crisis Tabletop Testing or Scenario-based testing is critical to achieve the levels of business and operational continuity that DORA mandates. They are equally essential for businesses in every other sector in their quest for resilience against cyber attacks. 

Here’s a quick look at the main benefits of Cyber Resilience Testing through tabletop exercises: 

1. Scenario-based testing, if done right, opens the eyes of your staff to what risks the business actually faces.  
2. It helps them understand their roles and responsibilities in the face of a cyber attack. 
3. Even if they’re familiar with the Cyber Incident Response Plans and Incident Response Playbooks, they’re now able to actually rehearse them in a simulated attack environment. This builds muscle memory.  
4. They are able to better understand the urgency of quick and effective response to cybersecurity incidents. 
5. Your team members, especially the senior management and the executive, are able to practise decision making for a cyber crisis. 

Given the above, it is clear that Cyber Crisis Tabletop Exercises are one of the most effective ways to build cyber resilience over time and in line with DORA requirements. 

Back To Top

How you can comply with DORA’s Operational Resilience Testing Requirements

The Digital Operational Resilience Act is pretty thorough in its recommendations and even enters into details of how the resilience testing must be carried out. Let’s look at some of the specifics and how Cyber Management Alliance can help you tick them all off and move miles closer to compliance. 

• Specific Scenarios: DORA specifically mentions conducting scenario-based incident response testing. At Cyber Management Alliance, we take pride in creating the most effective and relevant bespoke cyber threat scenarios for our clients. These scenarios are tailored to the client’s organisational threat context and risk landscape - another clear DORA requirement. 
  
  Our expert and highly experienced practitioners spend a significant amount of time in scenario-building. They conduct sessions with a representative from the client’s end to deeply understand the nature of the business, its IT infrastructure and existing security controls, plans and processes. 
  
  The scenario-building exercise also takes into account the Incident Response team structure, and the way the executive management team is organised. This is done to ensure that the scenario isn’t just intensely compelling, but also tests the communication channels and collaboration capabilities of all those who will be fighting from the frontline when a cyber crisis does occur.    
  
  
• Proficient External Testers: As a part of its Digital Operational Resilience Testing guidelines, the DORA Final Text lays out its expectations on the calibre of testers. Highly reputable testers who have a rich technical background and demonstrable operational experience have been recommended in the Act. 
  
  Our testers and Cyber Tabletop Exercise facilitators reflect all of the adjectives used above. Every Cyber Crisis Tabletop Exercise conducted by Cyber Management Alliance is done under the aegis of a world-renowned practising CISO who is also an NCSC Assured Trainer. Our facilitators have been in the cyber war zone several times during their careers. They have helmed cyber incident response for many of our clients and have planned and conducted over 300 cybersecurity drills globally. If you’re looking for someone to help you conduct scenario-based testing in order to become DORA compliant, our facilitators are best suited for the job.  
  
  
• Implementation of Remediations: DORA requires all organisations within its purview to implement the recommendations that come out of the operational resilience tests. It also requires proof and validation that the remediations made have been effective. 
  
  What this essentially means is that when you complete your cyber simulation drill, the facilitator will create an executive summary of the organisational strengths and weaknesses in terms of cyber incident response. You have to work on plugging the gaps and demonstrate that the process has been effective through more regular testing.   
  
  At Cyber Management Alliance, each cyber crisis drill is accompanied by a Management Report that summarises our expert facilitator’s recommendations. Where required, we back this up with a Maturity Assessment to give you a clear picture of your digital operational resilience. 
  
  Our cybersecurity consultants can then help you work on those recommendations. In a very cost-effective and flexible format, our Virtual Cyber Assistants help you review and refresh your cyber incident response plans, playbooks and templates. They share professional guidance on how you can enhance your resilience to ransomware attacks and become compliant, not just with DORA but also other imperative industry standards and regulations. 
  
  

Back To Top

Final Word

Regularly working on your cyber resilience and conducting frequent tabletop testing will eventually take you very close to your goal of building a robust defence against cyber crisis of every nature. 

The image below summarises our unique approach to Cyber Crisis Tabletop Exercises. It’s straightforward and structured. The goal is to make DORA compliance, that is currently overwhelming several businesses in the EU, seem less daunting and achievable.  

Back To Top