DORA Pen Testing Requirements: What Financial Organisations Need to Know
- June 2, 2026
- Posted by: Gradeon
- Categories: Consulting, Compliance

The Digital Operational Resilience Act (DORA) has introduced some of the most comprehensive cyber resilience requirements ever applied to the financial sector. While many organisations focus on governance, incident reporting, and third-party risk management, penetration testing is one of the most critical technical requirements under the regulation.
Understanding DORA penetration testing requirements is essential for banks, payment providers, investment firms, insurers, and other regulated financial entities operating within the European Union. Failure to meet testing obligations can expose organisations to compliance risks, security weaknesses, and increased regulatory scrutiny.
What Are DORA Pen Testing Requirements?
DORA requires financial entities to establish a comprehensive digital operational resilience testing programme designed to assess their ability to withstand, respond to, and recover from cyber threats. The regulation places significant emphasis on testing critical systems, applications, and operational processes to identify weaknesses before attackers can exploit them.
Testing requirements under DORA are risk-based. This means organisations must perform testing activities that reflect their size, complexity, threat landscape, and critical business functions.
The objective is not simply to identify vulnerabilities. Regulators want financial organisations to demonstrate operational resilience by validating security controls, detection capabilities, response processes, and recovery procedures.
Does DORA Require Penetration Testing?
Yes. DORA explicitly requires financial entities to conduct regular security testing, including vulnerability assessments and penetration testing. Certain significant institutions must also perform Threat-Led Penetration Testing (TLPT), which is a more advanced form of testing based on real-world threat intelligence.
The exact testing programme should be proportionate to the organisation’s risk profile and critical services.
Typical DORA testing activities include:
- Vulnerability assessments
- Network penetration testing
- Web application penetration testing
- Mobile application testing
- Security configuration reviews
- Red team exercises
- Threat-led penetration testing
- Scenario-based resilience testing
Many organisations already perform some of these activities. However, DORA raises expectations around documentation, governance, testing frequency, remediation, and evidence collection.
What Is Threat-Led Penetration Testing (TLPT)?
Threat-Led Penetration Testing is the most demanding testing requirement under DORA. Unlike traditional penetration testing, TLPT simulates realistic attacks conducted by sophisticated threat actors against live production environments. The testing is driven by intelligence about genuine adversaries and their tactics, techniques, and procedures (TTPs).
TLPT aims to evaluate:
- Detection capabilities
- Incident response effectiveness
- Security monitoring processes
- Communication procedures
- Operational resilience
- Recovery capabilities
The testing follows the TIBER-EU framework or an equivalent recognised methodology. Organisations designated by supervisory authorities must complete TLPT exercises at least every three years.
For many institutions, TLPT represents a significant shift from conventional security assessments because it evaluates people, processes, and technology together rather than focusing solely on technical vulnerabilities.
Which Organisations Must Conduct TLPT?
Not every organisation covered by DORA will be required to perform Threat-Led Penetration Testing.
Supervisory authorities determine which financial entities must undertake TLPT based on factors such as:
- Systemic importance
- ICT risk exposure
- Critical business functions
- Operational impact
- Reliance on third-party providers
Generally, larger and more significant financial institutions are more likely to fall within the scope of mandatory TLPT requirements.
Smaller organisations may still be required to perform regular penetration testing and vulnerability assessments, even if they are not selected for TLPT.
Key Components of a DORA-Compliant Penetration Testing Programme
To align with DORA requirements, organisations should establish a structured testing framework that includes the following elements.
Risk-Based Testing Strategy
Testing activities should prioritise critical assets, systems, and business functions. Organisations must demonstrate that testing efforts are aligned with their ICT risk management framework.
Independent Testing
Testing should be conducted by qualified and independent security professionals. External testing providers are often used to ensure objectivity and credibility.
Businesses looking to improve testing maturity may also benefit from reading Penetration Testing vs Red Teaming: Which Does Your Business Need? when selecting the most appropriate assessment approach.
Defined Scope
Testing should cover:
- Internal networks
- External infrastructure
- Cloud environments
- Web applications
- Mobile applications
- Critical third-party dependencies
Remediation and Retesting
Identifying vulnerabilities is only the first step. DORA expects organisations to address findings promptly and verify that remediation actions have been successfully implemented.
Documentation and Reporting
Organisations must maintain evidence of testing activities, findings, remediation plans, and outcomes. This documentation may be requested during regulatory reviews or audits.
Common Challenges in Meeting DORA Pen Testing Requirements
Many organisations face difficulties when preparing for DORA compliance.
Common challenges include:
Incomplete Asset Visibility
Without a complete inventory of systems, applications, and third-party services, it is difficult to define an effective testing scope.
Third-Party Risk
DORA places strong emphasis on ICT third-party providers. Organisations must understand how vendor systems and services affect operational resilience.
This is closely related to Third-Party Vendor Security: A Practical Guide for UK Businesses and broader supply chain security considerations.
Resource Constraints
Advanced testing exercises, particularly TLPT engagements, require specialist expertise, planning, and coordination.
Remediation Delays
Security assessments often identify more issues than teams can immediately address. Organisations need clear prioritisation and governance processes to manage remediation effectively.
How to Prepare for DORA Penetration Testing
Organisations preparing for DORA compliance should begin with a structured assessment of their current testing capabilities.
Recommended steps include:
- Identify critical business functions and supporting systems.
- Review existing penetration testing programmes.
- Evaluate third-party risk exposure.
- Establish testing governance and reporting procedures.
- Define remediation workflows.
- Assess readiness for TLPT requirements where applicable.
- Maintain evidence for regulatory reviews.
Businesses that have not recently reviewed their security testing programme may also benefit from conducting an assessment in the style described in Anatomy of a Penetration Test in UK to understand coverage gaps and maturity levels.
Frequently Asked Questions
Is penetration testing mandatory under DORA?
Yes. DORA requires financial entities to perform security testing activities, including penetration testing, as part of their digital operational resilience framework.
How often must DORA penetration testing be performed?
Testing frequency should be based on risk and organisational requirements. Significant entities required to conduct TLPT must generally complete testing at least every three years.
What is the difference between penetration testing and TLPT?
Traditional penetration testing focuses on identifying vulnerabilities in systems and applications. TLPT simulates realistic attacks against live environments to assess overall organisational resilience, including detection and response capabilities.
Can external providers conduct DORA testing?
Yes. Independent and qualified external security providers are commonly used to perform DORA-related testing activities, including penetration testing and TLPT exercises.
Final Thoughts
DORA has transformed penetration testing from a technical security exercise into a core component of operational resilience. Financial organisations must move beyond simple vulnerability identification and demonstrate their ability to withstand realistic cyber threats.
By implementing a structured testing programme, addressing identified weaknesses, and preparing for advanced assessments such as TLPT, organisations can strengthen both regulatory compliance and cyber resilience while reducing the likelihood of operational disruption.