DORA Testing Guide

This article provides a high-level view of what covered financial entities (more or less any FSI firm trading within the EU) need to know about DORA testing.

Under the Digital Operational Resilience Act (DORA), there are new cybersecurity testing requirements that your internal IT/security team and any external consultants you contract with need to know.

Financial entities operating within the EU or with EU-based customers will have to regularly test their ICT systems to stay compliant with DORA.

DORA testing can be divided into two core types:

  1. General testing.
  2. Red teaming.

We’ve summarised these in the table below to show you these DORA testing requirements at a glance.

DORA testing type   | What it involves                                                                      | Who it's for
--------------------|---------------------------------------------------------------------------------------|------------------------------------------------------------
Testing             | Standard penetration testing, vulnerability scanning, source code review.             | All financial entities.
Red Teaming (TLPT)  | Threat intelligence-led, red team style testing using real-world attack simulation.   | Critical financial entities designated by national authorities.

Confusingly, intelligence-led red teaming under DORA is actually called “Threat-Led Penetration Testing” or “TLPT” for short.

DORA Operational Resilience Testing

Over 10,000 companies in the EU are estimated to fall within DORA’s scope. Many firms within other jurisdictions, like the UK, will also have to comply with DORA.

The DORA requirements they need to follow are extensive, but can be broken down into five core pillars:

  1. ICT risk management.
  2. ICT-related incident management, classification and reporting.
  3. Managing of ICT third-party risk.
  4. Information-sharing arrangements.
  5. Digital operational resilience testing.

The last of these, operational resilience testing, covers DORA pen testing and red teaming requirements.

We can subdivide this pillar’s DORA operational resilience testing requirements into two core types:

1. Standard DORA testing that every covered entity must do

The basic message of DORA is that ALL covered entities are expected to test for vulnerabilities and attack pathways regularly and thoroughly.

For some FSI firms, this means continuing with the standard tests they might already be doing, including vulnerability assessments, network security testing, and penetration testing.

For others, it may require building new capabilities. Smaller or less mature firms may need to enhance or formalise their testing under DORA.

DORA mandates “regular testing” proportionate to the entity’s size, complexity, and risk exposure. This typically includes vulnerability assessments and, in many cases, penetration testing (such as network penetration testing).

2. What Threat-Led Penetration Testing (TLPT) Means for Critical Entities

Critical financial infrastructure and services (as designated by the nationally relevant financial regulators) need to do another kind of testing: Threat-Led Penetration Testing (TLPT).

These advanced tests are like red teaming exercises and must be conducted every three years.

We can now confirm (as of April 2025) that they are aligned with the TIBER-EU tests. This means that the same methodology can be followed and that a TIBER-EU test can be used as proof of DORA compliance.

The important thing to note about TLPTs is that they must be delivered by an independent party (whether an internal or an external team does the actual testing) and must follow a risk-based approach.

You also need procedures to fix anything that comes up during a Threat-Led Penetration Test and report key findings to the relevant authority.

Who Can Conduct DORA Pen Testing and Red Teaming?

TLPT is typically done by a third party, e.g., a DORA consultant outside your organisation.

It is possible to use internal testers for TLPTs. However, doing so needs the approval of a competent authority under the DORA legislation, such as your country’s central bank.

Penetration testing and other testing types (like vulnerability scanning) are also often best done by an external party like an EU or UK-based penetration services provider.

Do not look only at the price of a penetration test; also make sure that any provider you engage for DORA testing is:

  • Reputable.
  • Technically capable.
  • Accredited.
  • Covered by professional indemnity insurance.

Pro DORA testing tip: Look for CREST-approved pen testing firms.

How Often Should Standard Testing and Advanced TLPT Be Conducted?

Under DORA, standard ICT testing (including vulnerability assessments and penetration testing) must be done regularly; for most covered entities, at least annual testing is generally expected.

For critical financial entities, DORA requires Threat-Led Penetration Testing (TLPT) to be performed at least once every three years.

While these are the minimums, it’s best practice to go beyond this, especially when:

  • Deploying new systems.
  • Making significant updates to public-facing infrastructure.
  • Modifying high-risk or mission-critical environments.

Consider additional testing methods, such as purple teaming and targeted red teaming exercises, to enhance detection and response readiness beyond the baseline requirements.

Disclaimer: This article contains sponsored marketing content. It is intended for promotional purposes and should not be considered as an endorsement or recommendation by our website. Readers are encouraged to conduct their own research and exercise their own judgment before making any decisions based on the information provided in this article.