Faculty of law blogs / UNIVERSITY OF OXFORD

Testing Requirements in the EU’s Digital Operational Resilience Act: A(nother) Potential AI Regulatory Problem?

Author(s)

Jonathan McCarthy
Lecturer in the School of Law at the University College Cork, Ireland


The Digital Operational Resilience Act (DORA), brought into effect by Regulation (EU) 2022/2554, is the foremost EU legislative initiative to strengthen financial institutions’ safeguards against cyber-threats and against other risks to ICT (information and communication technology) systems. The legislation will be fully applicable from 17 January 2025. DORA establishes requirements for ICT risk management, the identification of cyber-threats, incident reporting, the management of third-party risk, information-sharing, and the testing of ICT systems. Beyond finance, DORA should serve as an exemplary measure for other sectors in how to implement obligations and standards for enhancing cybersecurity, not just within the EU, but globally.

Draft regulatory technical standards on the testing requirements are being prepared by the European Supervisory Authorities and must be agreed with the European Central Bank, prior to submission to the European Commission by 17 July 2024.

DORA’s implications for addressing cyber-risks in financial services were analysed in my article, ‘Cyber-Risks in Modern Finance: Building Operational and Regulatory Resilience’ (2023) 38(7) Journal of International Banking Law and Regulation 233; available here.

However, as the RTS (Regulatory Technical Standards) are being finalised, it is worth considering the degree to which DORA’s testing requirements could soon be overtaken by ongoing developments in artificial intelligence. In addition to concerns over how ‘future-proof’ DORA will be, there are questions as to how cohesively DORA will align with the EU’s parallel legislative initiatives on AI.

The Testing of ICT Systems in DORA

DORA will be applicable to a broad range of ‘financial entities.’ As set out in Article 2(1), examples of financial entities are credit and payment institutions, electronic money institutions, investment firms, crypto-asset service providers, trading venues, and crowdfunding service providers.

Chapter IV of DORA (Articles 24 to 27) relates to financial entities’ testing of the digital operational resilience of their ICT tools and systems. As specified in Article 25(1), appropriate tests include vulnerability assessments and scans, open source analyses, network security assessments, scenario-based tests, compatibility testing, performance testing, and penetration testing.

Subject to the exceptions in Article 26(1), which primarily exclude microenterprises and the small, non-interconnected entities covered by the simplified framework of Article 16, financial entities identified by their competent authorities will be obliged to carry out threat-led penetration testing (TLPT) at least once every three years. As Article 26(1) also states, a competent authority may, where necessary, request a financial entity to increase or reduce the frequency of this advanced testing.

As Article 26(2) provides, each TLPT must ‘cover several or all critical or important functions of a financial entity’ and must ‘be performed on live production systems supporting such functions.’ This is the feature that distinguishes TLPT from the routine testing in Article 25: it is not run against a test environment but against the systems and people actually defending the entity.

Existing Models of TLPT

Article 26(11) of DORA stipulates that the RTS should be drafted in accordance with the existing TIBER-EU framework (Framework for Threat Intelligence-Based Ethical Red Teaming). TIBER-EU is the prevailing model for testing operational resilience and essentially involves a ‘red team’ staging a controlled attack on an organisation’s ICT systems to surface risks and vulnerabilities. In effect, the test is a simulation of a real cyber-attack, driven by threat intelligence on the adversaries most likely to target that organisation. A small ‘white team’ within the organisation knows about the test, scopes it and supplies the red team with the information it needs ahead of time. The ‘blue team’ is made up of the organisation’s own defenders, who are deliberately kept unaware of the testing so that their detection and response can be assessed as they would be in a genuine incident.

Simulation exercises, or ‘war games,’ can be instructive in revealing the susceptibility of a system to cyber-risks. Similar approaches to resilience testing are used internationally. For instance, the Bank of England’s CBEST framework for threat intelligence-led assessments is comparable to the TIBER-EU framework.

However, team-based testing can be a complex and often costly undertaking for organisations. By limiting the scope of the TLPT requirements to larger financial entities, DORA may be taking a sensible stance in easing the compliance burden on smaller financial institutions. Yet, because larger institutions are more likely to invest in innovative technologies, DORA’s testing requirements could become the next testing-ground for the use of AI applications.

AI’s Oversight of Cybersecurity—but who oversees AI?

The story of AI adoption in finance is chiefly one of slow but steady progress. As disclosed in recent Bank for International Settlements research (see particularly Aldasoro et al, BIS Paper No. 145, ‘Generative Artificial Intelligence and Cyber Security in Central Banking’, May 2024; available here), the use of AI applications is growing among central banks. The empirical findings show that most central banks have already adopted, or are planning to adopt, generative AI tools, especially in the context of cybersecurity. At the same time, there is a prevalent expectation that further investment in generative AI will, in turn, require further substantial investment in trained staff with expertise in cybersecurity and AI programming.

As AI adoption spreads from central banks across the wider financial services sector, it is very conceivable that AI will eventually execute the same functions as team-based TLPT. In the event of AI being used to fulfil financial entities’ testing requirements, the onus will be on DORA and its associated RTS to demonstrate an ability to adjust.

Moreover, there may be doubts as to how human oversight of AI-based system testing can be ensured. As it is, achieving human-in-the-loop supervision of AI tools and explainability of AI outcomes are perennial problems of AI governance. Another layer of ambiguity may appear if AI assumes an oversight role that has typically been the responsibility of human staff in cybersecurity. This is especially acute for TLPT, where the test is run on live production systems: an automated tester that misjudges the scope or the impact of an action could cause the very disruption the test is meant to prevent.

It is debatable whether the classification of high-risk systems in the EU’s AI Act, Regulation (EU) 2024/1689, could cover the use of AI for cybersecurity. A plausible perspective is that the use of AI in TLPT could be construed as high-risk under the Annex III category of ‘access to and enjoyment of essential private services.’ If so, the deployment of AI for system testing would have to satisfy the obligations on human oversight in Article 14 of the AI Act, including that AI testing applications ‘can be effectively overseen by natural persons during the period in which they are in use.’

The draft RTS on the DORA testing requirements will clearly need to be sufficiently flexible to respond to the impetus towards the use of AI by larger financial entities. A potential substitution of the present TIBER-EU model of team-based testing with AI applications would challenge the future-proof qualities of DORA. Furthermore, such a change would compel a re-appraisal of how the differing elements of the EU’s legislative framework, specifically DORA and the AI Act, fit together to address any regulatory gaps arising from evolving uses of AI.


A version of this post previously appeared in the Duke FinReg Blog

Jonathan McCarthy is a Lecturer at the School of Law, University College Cork, Ireland.
