Regulation Meets Reality – DORA as a Driver of Digital Resilience
As digitalization in the financial sector continues to advance, risks arising from cyberattacks, system outages, and complex supply chains are increasing. The EU Regulation on Digital Operational Resilience (DORA, EU 2022/2554) requires all financial institutions and relevant ICT service providers within the EU/EEA to regularly and systematically test the resilience of their systems starting in 2025.
Many of these requirements are not new in substance, but DORA makes them mandatory, verifiable, and auditable. And one thing quickly becomes clear in practice:
Professional test data management is an integral part of these changes.
Regulatory Core Requirements for Testing
DORA requires robust testing of:
- Restart and recovery
- Scalability and performance
- Application behavior under stress
- Verifiable processes and documentation
At the same time, the General Data Protection Regulation (GDPR) prohibits the use of real production data in test environments, creating a central conflict that professional test data management tools resolve.
- Unmasked production data is prohibited
- Production systems must not be additionally burdened
- Test environments must be audit-proof
The key lies in a multi-stage test architecture: from production-like clones to targeted partial copies.
The UBS Hainer Test Data Management Suite in the DORA Context
DORA is built on five pillars, including:
- Risk Management
- Incident Management
- Resilience Testing
- Third-Party Risk Management
- Information Sharing
UBS Hainer provides three tools that have become established in the financial sector for DORA compliance:
BCV4: Production-Identical DB2 Clones for Resilience and Recovery Tests
BCV4 creates complete clones of DB2 subsystems or data sharing groups, including all structures, authorizations, and metadata.
Strengths in the DORA environment:
- FlashCopy-based cloning
- No impact on the production environment
- Enables realistic testing of member failover, coupling facility outages, recovery and conditional restart, performance and load testing, as well as configuration and schema change tests
- Point-in-time recovery
BCV4 is therefore optimal for provisioning environments, while actual test data preparation is performed using BCV5 or XDM.
XDM: Data Masking and Generation with AI Support
XDM is the most powerful tool for complex masking and anonymization requirements.
What distinguishes XDM:
- High-quality masking algorithms for personal data and referential dependencies
- Lookup tables for realistic test data
- Synthetic data generation without any access to production systems
- LLM support to generate synthetic, production-like data structures
XDM is the solution for Command Query Responsibility Segregation (CQRS), GDPR, data governance, and resilience testing requirements.
BCV5: Fast, Flexible, and Powerful Masking Capabilities
BCV5 copies tables, tablespaces or entire schemas with high performance, up to 10 times faster than traditional unload/load processes.
Advantages for DORA requirements:
- Multiple test environments (e.g., for unit, integration, and functional tests) can be built in parallel
- Subsets can be generated for security testing
- No runtime impact on productive workloads
BCV5 is ideally suited for recurring tests, parallel development streams, and smaller test environments.
How the DORA-Compliant Test Architecture Works with UBS Hainer
The following diagram illustrates a multi-stage, DORA-compliant test data concept:

The starting point is the production environment, where DORA-mandated Threat-Led Penetration Testing (TLPT)/live penetration tests must be performed; no separate test data setup is possible here. BCV4 then creates a 1:1 clone of the entire DB2 system from full system backups or directly via FlashCopy (own volumes, cloned catalog/directory, identical objects and structures). This clone still contains real production data and may therefore only be used for strictly regulated purposes, such as realistically testing recoverability from backups (including conditional restart) and determining actual runtimes for full recovery.
In the next step, this clone is fully masked using XDM (or BCV5), creating a production-like and data-protection-compliant master test environment: the same amount of data and the same DB2/data sharing structure, but without usable personal references. From this masked master copy, BCV5 (or XDM) then selectively creates additional test environments, specific schemas or partial datasets for unit, integration, acceptance, performance, or authorization tests, if required multiple times and by renaming schemas within the same DB2 system.
This approach results in only one strictly controlled access point to production data (during the initial clone). All downstream test environments are automatically GDPR- and DORA-compliant while enabling realistic resilience and application testing.
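An added example (not UBS Hainer code, and not the algorithm used by XDM or BCV5) of the two properties the masked master environment depends on: masking must be consistent across tables so joins survive, and no production value may remain afterwards. The table names, columns, `SENSITIVE` list and key are constructed for illustration; keyed HMAC tokenization is one common technique chosen here as an assumption.

```python
import hashlib
import hmac

# Constructed sample rows standing in for two systems that share a customer key.
CORE_ACCOUNTS = [
    {"customer_id": "C1001", "iban": "DE00123456780000000001", "balance": 2500},
    {"customer_id": "C1002", "iban": "DE00123456780000000002", "balance": 90},
    {"customer_id": "C1001", "iban": "DE00123456780000000003", "balance": 14},
]
CRM_CONTACTS = [
    {"customer_id": "C1001", "name": "Erika Beispiel"},
    {"customer_id": "C1002", "name": "Max Muster"},
]
SENSITIVE = ("customer_id", "iban", "name")  # assumed data classification


def pseudonym(key: bytes, column: str, value: str) -> str:
    """Keyed, deterministic token: the same input maps to the same output in every table."""
    mac = hmac.new(key, f"{column}\x00{value}".encode(), hashlib.sha256)
    return f"{column[:2].upper()}_{mac.hexdigest()[:16]}"


def mask_table(key: bytes, rows: list[dict]) -> list[dict]:
    """Replace sensitive columns; leave non-personal columns (e.g. balance) intact."""
    return [
        {c: pseudonym(key, c, v) if c in SENSITIVE else v for c, v in row.items()}
        for row in rows
    ]


def join_counts(accounts: list[dict], contacts: list[dict]) -> list[int]:
    """Accounts per contact, in contact order; masking must not change this."""
    return [sum(a["customer_id"] == c["customer_id"] for a in accounts) for c in contacts]


def leaked_values(original: list[dict], masked: list[dict]) -> set[str]:
    """Sensitive production values that still appear anywhere in the masked rows."""
    secrets = {row[c] for row in original for c in SENSITIVE if c in row}
    present = {str(v) for row in masked for v in row.values()}
    return secrets & present


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice held outside every test environment
    m_acc, m_crm = mask_table(key, CORE_ACCOUNTS), mask_table(key, CRM_CONTACTS)
    print(join_counts(m_acc, m_crm), leaked_values(CORE_ACCOUNTS + CRM_CONTACTS, m_acc + m_crm))
```

Keyed tokens of this kind are pseudonymous rather than anonymous: anyone holding the key can recompute them, so the key has to stay on the controlled side of the single access point to production data.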
Practical Examples from the Financial Industry
The following examples illustrate how DORA-compliant test data management is applied in real-world scenarios across different segments of the financial industry.
Banks: Scenario Testing for Payment Resilience
Banks regularly simulate operational disruptions, such as cyberattacks. Meaningful resilience testing is only possible if target test environments reflect real data volumes, structures, and dependencies.
Without realistic and legally compliant test data, recovery, failover, and continuity tests provide only limited insight into actual operational resilience.
Compliance officers must ensure that tests:
- Use realistic transaction data sequences
- Apply data masking to protect customer data
- Maintain consistency across core banking, CRM, and reporting systems
BCV5 and XDM generate complete, auditable masking reports, an essential advantage for compliance.
Insurance Companies: Stress Tests in Claims Management
Insurers simulate exceptional claim loads to test system resilience. This requires:
- Realistic contract and claims datasets
- End-to-end validation of workflows across multiple platforms
- Compatibility between legacy and cloud systems
XDM delivers realistic, structured, and documented test data regardless of origin.
Investment Management: System Continuity Testing
Asset managers must ensure the continuity of their portfolio and trading systems by:
- Simulating outages of order management or market data feeds
- Executing recovery scenarios for delayed settlements and NAV calculations
- Ensuring data integrity and synchronization between fund accounting, compliance, and risk systems
BCV4 and XDM support full data integrity in these scenarios.
Integration into Existing Security and Automation Processes
XDM and BCV can be integrated via APIs and automation frameworks into CI/CD pipelines, SIEM systems, and existing test tools. This makes test data management a native component of operational resilience and not just a compliance task.
Conclusion: Professional Test Data Management Facilitates DORA Readiness
With BCV4, XDM, and BCV5, DORA-compliant testing can be implemented efficiently, scalably, and in an audit-proof manner. Organizations that approach DORA correctly gain more stable systems, better testing and, as a result, greater trust both internally and externally.