
November 23, 2025

DORA Penetration Testing: TLPT Requirements for EU Financial Firms

Understanding DORA’s mandatory penetration testing and threat-led TLPT rules.

Mohammed Khalil


The Digital Operational Resilience Act (DORA, EU Regulation 2022/2554) has applied since January 17, 2025. In simple terms, DORA requires banks, insurers, payment firms, crypto asset service providers and other financial entities to prove that they can withstand serious cyberattacks, which means attacking your own systems on a schedule the regulation sets. Specifically, all in scope firms must run penetration tests (authorized, controlled attacks on their own systems) as part of their resilience testing programme. For the entities their supervisors identify as most significant, DORA goes further and mandates Threat-Led Penetration Testing (TLPT): a full scale, intelligence driven red team exercise against live production systems. In this article we explain what DORA penetration testing is, why it matters now, how TLPT under DORA differs from a regular test and how it relates to the ECB's TIBER-EU framework (voluntary before DORA), and practical steps for compliance.

What Is DORA Penetration Testing?


Under DORA, penetration testing is a legal requirement, not just good practice. Every financial entity within DORA's scope (microenterprises excepted) must maintain a digital operational resilience testing programme: regularly finding and fixing weaknesses before attackers do. At a minimum, the programme must test all ICT systems and applications supporting critical or important functions (a DORA defined term) at least once a year. A penetration test is a controlled, simulated attack on an organization's systems, applications or network to uncover exploitable vulnerabilities; if you are new to the topic, see our guide What is Penetration Testing? for an overview. For DORA compliance the bar is higher: supervisors expect firms to combine several methods (vulnerability scans, source code reviews, network assessments, scenario based tests and penetration tests) on a risk based schedule, to remediate findings promptly, and to keep evidence of both the tests and the fixes.

Crucially, DORA introduces Threat-Led Penetration Testing (TLPT) as a second, more demanding tier that is mandatory for the entities their competent authority designates. A TLPT is a realistic red team exercise: testers use current threat intelligence to emulate the tactics of real cybercriminal or state sponsored groups against live production systems. Unlike a one off automated scan, a TLPT is a multi month exercise with a preparation phase, a threat intelligence phase, an active red team phase of at least 12 weeks and a closure phase that includes a purple teaming session in which attackers and defenders walk through the attack together. The goal is to test not only technical controls but the firm's whole ability to detect, respond and recover under attack. In short, DORA's notion of penetration testing ranges from standard application and network pentests to these full scale TLPT exercises.

Why DORA Penetration Testing Matters in 2025


Cyber threats against financial institutions are intensifying. Ransomware, supply chain attacks and large data breaches can shake market confidence and disrupt economies. Regulators concluded that holding capital reserves (the traditional risk buffer) is not enough on its own. DORA closes that gap by requiring firms to demonstrate that they can fend off and survive cyber incidents.

For 2025 and beyond this is urgent. Industry surveys show the market reacting: one report found that 92% of CISOs increased their overall security budgets in 2023 and that 85% increased their annual pentesting spend. DORA turns that trend into an obligation. Penetration tests, and TLPT for designated entities, are now legal requirements rather than optional good practice.

Meeting these mandates is not just red tape; it delivers real benefits. A thorough DORA aligned pentest uncovers hidden weaknesses in the systems that handle transactions or customer data, so you can fix them before they are exploited. It supports customer confidence, because you can show that issues are being found and fixed on an ongoing basis, and cyber insurers increasingly ask for proof of regular testing. It also prepares you for supervisory reviews: firms will need to show regulators their test records, reports and remediation logs.

Global cybersecurity spending is surging. Gartner forecast that organizations would spend $188.3B on security and risk management in 2023, an 11.3% increase year over year. Within that total, penetration testing budgets are growing especially fast, because security leaders know that blind spots cannot be fixed without proactive testing. Under DORA this trend becomes a fixed obligation for the EU financial sector. For the wider picture, see our article on top cybersecurity statistics. The bottom line for 2025: neglecting pentesting is not an option if you want to keep operating and avoid sanctions.

DORA Penetration Testing Requirements


DORA defines a two tier testing regime:

  1. Baseline resilience testing (Article 24): every in scope entity other than a microenterprise must run a risk based programme of tests (vulnerability scans, source code reviews, network assessments, scenario based tests, penetration tests and so on) and must test all ICT systems and applications supporting critical or important functions at least yearly.
  2. Threat-Led Penetration Testing (Article 26): entities identified by their competent authority must additionally run a TLPT at least every 3 years, covering several or all of their critical or important functions on live production systems.

In short, all in scope firms do regular annual tests, and the designated ones also do an intensive red team TLPT at least every 3 years. Think of baseline pentesting versus TLPT as a routine checkup versus a full body stress test. Table 1 below compares their key features:

DORA TLPT vs Traditional Penetration Testing

| Feature | Threat-Led Penetration Test (DORA TLPT) | Traditional Penetration Test |
| --- | --- | --- |
| Scope | Critical or important functions on live production systems, including the ICT third party providers that support them. | Specific applications or network segments, often lower risk or non-production systems. |
| Frequency | At least once every 3 years, or more often if the competent authority requires it. | Risk based, typically annual or per release. For DORA entities the yearly minimum for systems supporting critical or important functions still applies. |
| Team | External red team and external threat intelligence provider by default. Internal testers only with competent authority approval and with an external tester at least every third test; the threat intelligence provider must remain external. A control team inside the firm oversees the exercise. | Internal or external testers running a focused test (application pentest, network pentest). |
| Methodology | Full red team engagement: reconnaissance, stealthy exploitation and attack scenarios built from threat intelligence. A purple teaming session is required in the closure phase. | Time boxed assessment against known vulnerability classes; no mandated threat intelligence or purple teaming. |
| Objectives | Emulate a real adversary end to end: reach agreed objectives (flags) on critical systems, demonstrate access to sensitive data and exercise detection and response, without causing actual disruption. | Find known vulnerabilities (SQLi, XSS, misconfigurations); less emphasis on stealth and persistence. |
| Reporting | Formal red team and blue team reports, plus a summary of findings and a remediation plan submitted to the competent authority, which issues an attestation. | Technical report for IT and security teams, normally kept internal. |

The distinctions above show why TLPT is the more rigorous tier. It builds on the ECB's established TIBER-EU framework, which the ECB updated in 2025 to align with DORA and its TLPT technical standards, so a TLPT run under the TIBER-EU methodology will in general satisfy the DORA requirements. Confirm the details with your TLPT authority, because national implementation differs.

TLPT is, in short, threat intelligence driven red teaming with regulatory oversight. For more on how a TLPT differs from a routine test, see our Penetration Testing Methodology guide.

How to Conduct DORA Compliant Penetration Tests Step by Step


Here’s a practical checklist for firms under DORA:

  1. Identify Critical Functions and Scope: Start by mapping your critical or important functions (CIFs): services or processes whose outage would harm customers or the market, for example payment clearing, the trading engine or core banking. Then list every IT system and third party service that supports those functions. This scoping document is the foundation of any DORA test, and for a TLPT the competent authority reviews and validates the scope before testing begins.
  2. Select Qualified Testers: Engage a specialized team. For annual tests, an independent security firm or a properly segregated in-house team is acceptable. For TLPT, DORA sets requirements on the testers' reputation, technical and organisational capabilities, certification and professional indemnity insurance, and external testers are the default. CREST accredited providers are widely recognized, and CREST itself stresses that TLPT must use highly qualified, reputable professionals. Make sure the testers have experience with financial sector systems and threat intelligence. If you use internal testers, remember the rules: the competent authority must approve it, the threat intelligence provider must still be external, and at least one out of every three TLPTs must be run by an external tester.
  3. Gather Threat Intelligence: Before the attack phase, collect threat intelligence specific to your sector. Identify the adversaries most likely to target you (cybercrime groups, hacktivists, state sponsored actors) and their tactics, techniques and procedures. This drives your attack scenarios; a DORA TLPT is threat led, so the simulated attack should mirror a realistic campaign. For example, if phishing based breaches have spiked in your industry, ensure the red team tests phishing vectors. See our OAuth security best practices and SSRF attack examples articles for common exploit patterns.
  4. Define Rules of Engagement: Document clear rules. Agree which methods are allowed and which are off limits (for example, excluding destructive attacks). Define kill switch conditions that stop the test immediately, such as detection of an unintended outage. Protect business continuity: schedule activity when critical processes can tolerate some disruption, or use realistic test accounts. DORA expects firms to manage the risks of a TLPT, so strong planning in line with TIBER-EU guidance matters.
  5. Execute the Test: Run the pentest or red team campaign. For routine tests this may be a weekend vulnerability assessment or a multi day network pentest. For a TLPT, the red team attempts to breach your defenses over an active phase of at least 12 weeks, using several vectors (phishing, malware, exploitation of exposed services and so on). Meanwhile your blue team (incident responders, SOC) operates normally and is not told the timeline, so that detection and response are genuinely tested; only the control team knows. Document everything: vulnerabilities exploited, data accessed, time to detection and so on.
  6. Purple Teaming and Debrief: After the red team phase, hold a purple teaming session. DORA's TLPT standards require the red team and the blue team to review the attack together in a structured way. The red team explains how it got through, and the blue team checks what was and was not detected. Capture the lessons learned and update monitoring and response playbooks accordingly.
  7. Report and Remediate: Produce reports for different audiences. The technical report should detail every finding with evidence, severity and CVSS scores; the executive summary should highlight the key weaknesses and their business impact. Critically, DORA requires that issues are fixed, not just reported. Prioritize critical and high findings, apply patches or compensating controls promptly, track each fix to completion and keep the evidence. Supervisors will ask for proof that vulnerabilities have been closed.
  8. Report to Supervisors: If you are designated for TLPT, submit a summary of the findings, the remediation plan and the documentation showing the test was conducted as required to your competent authority, as Article 26 requires; the authority then issues an attestation. This does not have to reveal every detail, but it must cover any serious gaps and how you will address them. Building trust with supervisors (the ECB for major banks, national authorities for insurers and others) matters. For cross border groups they may also coordinate so that one TLPT is recognized across jurisdictions rather than duplicated.

Throughout this process, keep internal teams informed without giving away the test timeline, and document everything. Some organizations use a continuous testing framework or a continuous penetration testing platform to track and automate parts of this cycle. Always align with recognized standards: following the TIBER-EU process covers DORA's TLPT criteria.

Do not treat DORA tests as checkboxes. Running a quick scan and calling it a pentest will not satisfy a supervisor; the requirement is quality and follow through, not an annual tick mark. Do not ignore non technical controls either: incident response processes and staff readiness are part of resilience. And avoid relying on the same internal team without oversight. Regulators expect an objective third party to validate your work at least periodically.
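As an added example (not from the original article, and not any regulator's or vendor's tooling), the following Python script encodes the cadence rules laid out in the steps above so that a resilience testing programme can check its own records: at least one penetration test per critical system per year, a TLPT at least every 3 years for a designated entity, and an external tester at least every third TLPT when internal testers are used. The system names, dates and test records are constructed sample data, the 365 day windows are a simplification of the regulation's "at least yearly" and "every 3 years" wording, and the script does not model the competent authority approvals that internal testing requires.

```python
"""Testing-cadence checker for a DORA resilience testing programme.

Added example, not part of the original article. It encodes three rules the
article describes (simplified to fixed-day windows):
  * systems supporting a critical or important function are pentested at
    least yearly (Article 24);
  * a TLPT-designated entity runs a TLPT at least every 3 years (Article 26);
  * when internal testers are used, an external tester runs at least every
    third TLPT (Articles 26 and 27).
All system names, dates and records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

ANNUAL = timedelta(days=365)         # simplification of "at least yearly"
TRIENNIAL = timedelta(days=3 * 365)  # simplification of "every 3 years"


@dataclass(frozen=True)
class TestRecord:
    system: str             # ICT system name, or "entity" for an entity-wide TLPT
    performed: date         # date the test finished
    kind: str               # "pentest" or "tlpt"
    external: bool          # True if an external provider ran the test
    open_critical: int = 0  # critical/high findings still unresolved


def overdue_systems(records, critical_systems, today, window=ANNUAL):
    """Critical systems with no completed pentest inside `window` before `today`."""
    latest = {}
    for r in records:
        if r.kind == "pentest":
            latest[r.system] = max(latest.get(r.system, date.min), r.performed)
    return sorted(s for s in critical_systems
                  if s not in latest or today - latest[s] > window)


def tlpt_findings(records, today, designated=True):
    """Cadence and tester-rotation issues for the entity's TLPT history."""
    issues = []
    if not designated:  # non-designated entities have no TLPT duty
        return issues
    tlpts = sorted((r for r in records if r.kind == "tlpt"),
                   key=lambda r: r.performed)
    if not tlpts:
        issues.append("no TLPT on record")
    elif today - tlpts[-1].performed > TRIENNIAL:
        issues.append(f"last TLPT {tlpts[-1].performed} is more than 3 years old")
    # Three consecutive TLPTs without an external tester breaks the rotation rule.
    streak = 0
    for r in tlpts:
        streak = 0 if r.external else streak + 1
        if streak >= 3:
            issues.append("three consecutive TLPTs by internal testers only")
            break
    return issues


def unresolved(records):
    """Systems that still carry open critical/high findings from any test."""
    return sorted({r.system for r in records if r.open_critical > 0})


def run_checks(records, critical_systems, today, designated=True):
    """Bundle the three checks into one report dictionary."""
    return {
        "overdue_pentests": overdue_systems(records, critical_systems, today),
        "tlpt_issues": tlpt_findings(records, today, designated),
        "open_findings": unresolved(records),
    }


# Constructed sample programme state (hypothetical systems and dates).
CRITICAL_SYSTEMS = ["payments-core", "trading-engine", "online-banking"]
TODAY = date(2025, 11, 23)
SAMPLE_RECORDS = [
    TestRecord("payments-core", date(2025, 3, 10), "pentest", external=True),
    TestRecord("trading-engine", date(2024, 9, 2), "pentest", external=False,
               open_critical=2),
    # "online-banking" has never been tested and so is reported as overdue.
    TestRecord("entity", date(2017, 4, 1), "tlpt", external=True),
    TestRecord("entity", date(2019, 5, 1), "tlpt", external=False),
    TestRecord("entity", date(2021, 6, 1), "tlpt", external=False),
    TestRecord("entity", date(2023, 8, 1), "tlpt", external=False),
]

if __name__ == "__main__":
    for key, value in run_checks(SAMPLE_RECORDS, CRITICAL_SYSTEMS, TODAY).items():
        print(f"{key}: {value or 'none'}")
```

On the sample data the script flags trading-engine (last tested more than a year ago and still carrying open findings) and online-banking (never tested) as overdue, and flags the TLPT history because the last three exercises were all run by internal testers even though the most recent one is within the 3 year window. Feeding it your real test register gives a quick sanity check before a supervisory review; it is not a substitute for the legal analysis of what your competent authority expects.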

Key Benefits of DORA Aligned Testing


DORA represents a paradigm shift: penetration testing is no longer optional in EU finance, it is mandatory. Financial firms must build a continuous testing culture, from automated vulnerability checks to full scale threat led exercises, to meet DORA's requirements. Those who do will not only stay in their supervisor's good graces but also materially strengthen their defenses. If you need to validate your security posture, uncover hidden risks in your critical systems or demonstrate compliance, DeepStrike can help. Our team of experienced practitioners provides clear, actionable guidance to protect your business.


Explore our Penetration Testing Services to see how we uncover vulnerabilities before attackers do. Drop us a line; we are always ready to dive in.

About the Author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led numerous red team engagements for Fortune 500 companies, focusing on cloud security, application vulnerabilities, and adversary emulation. His work involves dissecting complex attack chains and developing resilient defense strategies for clients in the finance, healthcare, and technology sectors.

FAQs

What is DORA penetration testing?

It is the EU mandated requirement for financial entities to run structured cybersecurity tests. This includes routine vulnerability scans and penetration tests at least yearly on systems supporting critical or important functions, plus advanced red team exercises (TLPT) for designated institutions. The goal is to prove that the firm can withstand serious cyberattacks as DORA requires.

Which firms must run a TLPT?

DORA and its technical standards set criteria for identifying the entities (large banks, insurers, trading venues and similar) whose competent authority designates them for TLPT. If your authority designates you, you must run a threat led red team test at least once every 3 years. Other firms must still do baseline testing yearly but are not required to run a TLPT unless designated. Microenterprises are largely exempt from the testing requirements.

How does a TLPT differ from a regular penetration test?

A TLPT is more intense and realistic. A typical pentest might be a 1 to 2 week test of one application or network segment. A DORA TLPT runs for months, with an active red team phase of at least 12 weeks, targets the firm's crown jewels (for example payment engines) on production systems, uses real attacker TTPs drawn from threat intelligence, and ends with a mandatory purple teaming session. TLPT results are also summarized to the competent authority, whereas regular pentest reports normally stay internal.

Can our internal team perform the TLPT?

DORA allows internal testers only under conditions: they must be independent of the systems under test, the competent authority must approve their use, and the threat intelligence provider must be external. Even then, at least one in every three TLPTs must be run by an external tester. In practice, a certified external red team (for example CREST accredited) is the safer choice.

How often must we test?

For baseline penetration testing, at least once a year for every system supporting a critical or important function. For TLPT, if designated, at least once every 3 years. Additional testing is recommended after major changes or incidents.

What happens if we do not comply?

Competent authorities can impose administrative penalties and remedial measures under DORA, with the specific sanctions defined by each Member State. Since DORA already applies, supervisory reviews will examine testing records, reports and remediation evidence.

How do we choose a TLPT provider?

Look for experience in financial sector cyber resilience and with the DORA and TIBER-EU frameworks. CREST accreditation and certifications such as OSCP and OSWE are good signs. Make sure the provider covers the required TLPT components: threat intelligence, red teaming, purple teaming and solid remediation reporting. See our Penetration Testing Services for how DeepStrike approaches DORA TLPT.
