Understand DORA’s Digital Operational Resilience Testing Requirements
The Digital Operational Resilience Act (DORA) has fundamentally changed how financial entities across the European Union manage cyber resilience.
Effective since 17 January 2025, DORA establishes a harmonized framework for ICT risk management, operational resilience, incident reporting, third-party risk management, and resilience testing across the financial sector. (EUR-Lex)
One of the most discussed aspects of DORA is penetration testing.
Many organizations ask:
- Does DORA require penetration testing?
- What is Threat-Led Penetration Testing (TLPT)?
- Who must perform TLPT?
- How often should testing occur?
- How should organizations prepare?
This guide explains DORA’s testing requirements, how penetration testing supports compliance, and what financial entities should do to strengthen their digital operational resilience.
Request a DORA Penetration Testing Assessment
What Is DORA?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) establishes a unified cybersecurity and ICT risk management framework for regulated financial entities across the European Union.
Its objective is straightforward:
Ensure financial institutions can withstand, respond to, recover from, and learn from ICT-related disruptions and cyberattacks. (EUR-Lex)
Rather than focusing solely on preventing attacks, DORA emphasizes operational resilience—ensuring organizations continue delivering critical financial services even during significant cyber incidents.
Who Must Comply with DORA?
DORA applies to a broad range of financial entities, including:
- Credit institutions
- Payment institutions
- Electronic money institutions
- Investment firms
- Insurance and reinsurance undertakings
- Crypto-asset service providers (CASPs)
- Central securities depositories
- Trading venues
- Fund managers
- Credit rating agencies
- ICT third-party providers supporting critical financial services
The regulation covers more than twenty categories of financial entities operating within the European Union. (EUR-Lex)
Does DORA Require Penetration Testing?

Yes—but not in the same way for every organization.
DORA establishes a risk-based digital operational resilience testing programme for all in-scope financial entities.
Testing may include:
- Vulnerability assessments
- Open-source analyses
- Network security assessments
- Gap assessments
- Scenario-based testing
- Compatibility testing
- Performance testing
- End-to-end penetration testing
For a designated subset of higher-risk financial entities, DORA also requires Threat-Led Penetration Testing (TLPT) under Article 26. Those entities are identified by their competent authority based on criteria such as systemic importance and ICT risk profile. (EUR-Lex)
What Is Dora Threat-Led Penetration Testing (TLPT)?
Threat-Led Penetration Testing represents the most advanced form of resilience testing under DORA.
Unlike traditional penetration testing, TLPT uses current threat intelligence to emulate realistic attacks against live production environments.
The objective isn’t simply to identify vulnerabilities.
Instead, TLPT evaluates whether an organization can:
- Detect sophisticated attackers
- Respond effectively
- Protect critical business services
- Recover from realistic cyberattacks
The detailed requirements for TLPT—including scope, methodology, tester qualifications, remediation, and supervisory cooperation—are specified in the DORA Regulatory Technical Standards (RTS). (European Banking Authority)
DORA Penetration Testing vs Threat-Led Penetration Testing
Many organizations confuse these concepts.
| DORA Penetration Testing | DORA TLPT |
|---|---|
| Applies within the broader resilience testing programme | Applies only to designated financial entities |
| Risk-based testing | Intelligence-led adversary simulation |
| Validates technical controls | Validates operational resilience against realistic attackers |
| Can include traditional penetration testing | Simulates sophisticated threat actors in production |
| Supports ongoing compliance | Required only where mandated by the competent authority |
Understanding this distinction is essential when planning a DORA compliance programme.
How Penetration Testing Supports DORA Compliance
Even where TLPT is not mandatory, penetration testing remains one of the most effective ways to validate security controls.
Independent penetration testing helps organizations:
Validate ICT Security Controls
Confirm whether technical controls operate effectively against realistic attack techniques.
Identify Exploitable Weaknesses
Discover vulnerabilities before they are exploited by malicious actors.
Strengthen Operational Resilience
Evaluate how security teams detect, respond to, and recover from attacks.
Support Risk Management
Provide evidence that cyber risks are being identified, assessed, and appropriately managed.
Demonstrate Continuous Improvement
Show regulators, auditors, and stakeholders that resilience testing forms part of an ongoing security programme.
Types of Penetration Testing Under DORA
Organizations commonly perform:
External Penetration Testing
Internet-facing infrastructure
Internal Penetration Testing
Corporate networks
Web Application Testing
- Online banking platforms
- Customer portals
- Financial applications
API Security Testing
- Open Banking APIs
- Payment APIs
- Partner integrations
Cloud Penetration Testing
- Azure
- AWS
- Google Cloud
- Microsoft 365
Identity Security Assessments
- Microsoft Entra ID
- Active Directory
- Privileged Access Management
Preparing for DORA Threat-Led Penetration Testing
Preparation begins long before testing starts.
Organizations should:
- Identify critical business services.
- Maintain an accurate inventory of ICT assets.
- Define testing objectives.
- Review third-party dependencies.
- Ensure logging and monitoring are operational.
- Establish incident response procedures.
- Assign clear internal stakeholders.
- Document remediation processes.
Strong preparation leads to more meaningful resilience testing outcomes.
Choosing a DORA Threa-Led Penetration Testing Provider
Not every penetration testing company is equipped to support DORA initiatives.
Look for providers with:
- Financial sector experience
- Offensive security expertise
- Knowledge of DORA and TLPT
- Cloud security experience
- Identity security expertise
- Clear reporting methodologies
- Remediation support
- Experience aligning assessments with recognized frameworks such as MITRE ATT&CK
Strengthen Your DORA Compliance with Bluefire Redteam
Building digital operational resilience requires more than policies—it requires testing your defenses against realistic cyber threats.
Bluefire Redteam helps financial institutions validate their security controls through expert penetration testing, adversary simulation, and Red Team engagements aligned with modern regulatory expectations.
Whether you’re preparing for DORA compliance, strengthening ICT resilience, or planning future TLPT readiness, our offensive security specialists can help you identify and remediate exploitable weaknesses before attackers do.
Talk to Our DORA Security Specialists
Frequently Asked Questions - Dora TLPT
- Does DORA require penetration testing?Yes. DORA requires financial entities to implement a digital operational resilience testing programme. The specific testing activities depend on the organization's risk profile and regulatory obligations.
- Is Threat-Led Penetration Testing mandatory?Only for designated financial entities identified by their competent authority under Article 26 and the associated Regulatory Technical Standards.
- How often should penetration testing be performed?DORA adopts a risk-based approach. Testing frequency should reflect the organization's ICT risk profile, critical services, and regulatory expectations. For designated entities, TLPT follows the cadence defined in the regulation and related technical standards.
- What's the difference between vulnerability assessments and penetration testing?Vulnerability assessments identify potential weaknesses, while penetration testing validates whether those weaknesses can be exploited and what impact successful exploitation could have.