ALFI responds to ESA consultation on the proposed RTS on threat-led penetration testing (TLPT), under DORA

On 1 March 2024, ALFI responded to the ESA consultation on the draft RTS on certain aspects of advanced testing of ICT tools, systems and processes based on TLPT.

The proposed RTS aim at fostering operational resilience, while providing means to ensure all financial entities under DORA can withstand, respond to, and recover from ICT-related disruptions and cyber threats.

In its response to this consultation, ALFI highlighte the following concerns:

1. Dedicated test environment: ALFI strongly advises that a test environment would be more preferable than the live environment, in terms of risk mitigation for conducting TLPT. The risk borne by the operations when conducting TLPT on a live environment is disproportionate with the purpose of conducting a test exercise.
2. Group-structures/subsidiaries: we would appreciate the RTS to specifically define whether TLPT exercises performed at group-level may involve some testing on the individual subsidiaries such as the IFM.
3. Further details on scope criteria: criteria are viewed as insufficiently clear and would benefit from further clarification to avoid ambiguity, in particular:
   1. The conditions related to the belonging to a group structure;
   2. The criteria about the ICT technology used;
   3. The criteria with regards to the maturity of the ICT systems.

View ALFI response.