
Barnes Projects

Why the DORA RTS on TLPT is Insufficient

Draft Regulatory Technical Standards specifying elements related to threat led penetration tests under Article 26(11) of Regulation (EU) 2022/2554

While the DORA RTS introduces important requirements for threat-led penetration testing (TLPT) in the financial sector, it reveals significant gaps and limitations that could hinder its effectiveness in achieving true digital operational resilience.

Fundamental Gap in Threat Categorization

The most glaring insufficiency is the absence of a structured framework for categorizing and understanding cyber threats. Although the RTS aims to bridge strategic and operational levels, it fails to provide a fundamental methodology for classifying the very threats that TLPTs should address. This creates a disconnect between the strategic risk assessment required by DORA and the operational execution of tests.

Process Over Substance

The RTS heavily emphasizes procedural aspects - timelines, roles, documentation requirements, and governance structures. While these are important, they overshadow the more fundamental need for a clear understanding of what should be tested and why. The focus on "how" to conduct tests without adequately addressing "what" to test creates a risk of superficial compliance rather than genuine security improvement.

Missing Link Between Risk and Testing

While the RTS requires financial entities to identify critical functions and potential threats, it doesn't provide a systematic approach to:

  1. Function Mapping: Mapping threats to critical functions
  2. Threat Prioritization: Prioritizing different types of threats
  3. Coverage Assessment: Ensuring comprehensive threat coverage
  4. Strategic Alignment: Connecting strategic risk assessments to operational testing scenarios

Lack of Standardized Threat Intelligence Framework

Although threat intelligence is required as part of the TLPT process, the RTS doesn't provide a structured framework for:

  1. Threat Classification: Categorizing different types of threats
  2. Relationship Analysis: Understanding threat relationships and sequences
  3. Vulnerability Mapping: Mapping threats to vulnerabilities
  4. Coverage Assurance: Ensuring comprehensive threat landscape coverage

Operational Challenges

This lack of structure creates several operational challenges:

  1. Interpretation Variance: Different financial entities may interpret and categorize threats differently
  2. Framework Absence: Threat intelligence providers lack a common framework for threat analysis
  3. Focus Misalignment: Red teams may focus on technical exploitation without systematic threat coverage
  4. Assessment Gaps: Risk assessments may not align with testing scenarios
  5. Cooperation Barriers: Cross-border cooperation becomes more difficult without a common threat language

Impact on Effectiveness

These insufficiencies could lead to:

  1. Testing Inconsistency: Inconsistent testing approaches across organizations
  2. Coverage Issues: Gaps in threat coverage
  3. Comparison Challenges: Difficulty in comparing and benchmarking results
  4. Intelligence Barriers: Challenges in threat intelligence sharing
  5. Recognition Problems: Reduced effectiveness of mutual recognition

The Solution Gap

The RTS effectively creates a framework for "how" to conduct TLPTs but misses the crucial element of "what" should be systematically tested. This gap could be addressed by incorporating a structured threat categorization framework like the Barnes 10 Cyber Threat Clusters, which would:

  1. Structure: Provide a clear structure for threat categorization
  2. Mapping: Enable systematic mapping of threats to critical functions
  3. Sharing: Facilitate better threat intelligence sharing
  4. Communication: Create a common language between strategic and operational levels
  5. Cooperation: Support more effective cross-border cooperation

Regulatory Implications

From a regulatory perspective, the RTS's insufficiency means that while organizations may comply with the technical requirements for conducting TLPTs, they might still miss important threats or fail to achieve true digital operational resilience. This creates a risk of "checkbox compliance" rather than genuine security improvement.

Future Considerations

To address these insufficiencies, future revisions or supplementary guidance should consider:

  1. Framework Integration: Incorporating a structured threat categorization framework
  2. Guidance Enhancement: Providing clearer guidance on mapping threats to critical functions
  3. Standards Development: Establishing standards for threat intelligence categorization
  4. Assessment Linkage: Creating better links between strategic risk assessment and operational testing
  5. Coverage Guidelines: Developing more specific guidance on threat coverage requirements

Conclusion

While the DORA RTS provides an important foundation for implementing TLPTs in the financial sector, its insufficient attention to threat categorization and systematic testing approaches creates significant gaps. These gaps could undermine the effectiveness of TLPTs in achieving their intended purpose of enhancing digital operational resilience. Addressing these insufficiencies through the adoption of a structured threat categorization framework would significantly enhance the RTS's effectiveness in achieving its goals.

PROJECT REFERENCE: Cyber Threat Clusters

EXTERNAL REFERENCE: Draft Regulatory Technical Standards specifying elements related to threat led penetration tests under Article 26(11) of Regulation (EU) 2022/2554

No additional updates are scheduled at this time.