Skip to main content
    Regulation (EU) 2022/2554
    ·By Budget Security

    DORA Penetration Testing Requirements

    The Digital Operational Resilience Act (DORA) is the EU regulation that sets uniform requirements for the security of network and information systems across the financial sector. It has applied since 17 January 2025, and penetration testing sits at the centre of its resilience testing obligations.

    This guide breaks down what DORA requires for penetration testing, how threat-led penetration testing (TLPT) works under Articles 26 and 27, who is in scope, and how Budget Security delivers engagements built for supervisory review.

    What DORA Requires for Resilience Testing

    DORA is built on five pillars: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. The third pillar (Chapter IV, Articles 24 to 27) is where penetration testing becomes a direct legal obligation for financial entities:

    Article 24 - Testing Programme

    Requires a sound, comprehensive digital operational resilience testing programme covering ICT tools and systems supporting critical or important functions

    Article 25 - Test Methods

    Explicitly lists vulnerability assessments, scans, and penetration testing among the required tests, performed at least yearly on critical systems

    Articles 26-27 - TLPT

    Mandates advanced threat-led penetration testing for significant entities, based on the TIBER-EU framework, at least every three years

    Independence of Testers

    Testing must be performed by independent, suitably qualified parties, with clear separation from the teams that build and run the systems

    Supervisors expect financial entities to hold documented evidence that this testing programme is in place and effective. A recent penetration test report, mapped to the systems supporting your critical functions, is one of the strongest pieces of evidence you can present.

    Threat-Led Penetration Testing (TLPT) Under DORA

    For financial entities identified as significant, DORA goes beyond standard penetration testing and requires threat-led penetration testing. TLPT simulates a real, intelligence-led attack against live production systems:

    Article 26 - Advanced Testing Obligation

    Significant financial entities must carry out threat-led penetration testing at least every three years. The test covers several or all critical or important functions and is performed on live production systems, closely mirroring how a genuine adversary would operate.

    TIBER-EU Alignment

    DORA's TLPT requirements are based on the TIBER-EU framework. Tests use threat intelligence to design realistic attack scenarios, combining reconnaissance, exploitation, and lateral movement against the entity's people, processes, and technology.

    Tester Requirements

    TLPT must be conducted by testers with proven expertise in threat intelligence and offensive security, meeting DORA's independence and competence criteria. Findings feed directly into the entity's ICT risk management and remediation processes.

    DORA Scope and Testing Timeline

    Understanding whether you are in scope, and which testing tier applies, determines how you plan your penetration testing programme:

    Who is in scope

    Banks, payment and e-money institutions, investment firms, insurers, crypto-asset service providers, and other EU financial entities, plus their critical ICT third-party providers.

    Standard testing tier

    All in-scope entities must run vulnerability assessments and penetration tests on ICT systems supporting critical or important functions at least once a year.

    Advanced tier (TLPT)

    Entities designated significant by their competent authority must additionally perform threat-led penetration testing at least every three years.

    Evidence and review

    DORA has applied since 17 January 2025. Entities must retain test results, remediation plans, and validation evidence for supervisory review.

    Even if your entity is not designated significant, a strong annual penetration testing programme is the baseline DORA expects, and the foundation you would build on if you later fall in scope for TLPT.

    How Budget Security Helps You Comply with DORA

    Budget Security delivers penetration testing built for financial entities working to meet DORA's resilience testing obligations. Our platform lets you define scope and launch engagements on your timeline, starting at EUR 849 per day.

    1

    Scope around your critical functions

    Use our online scoping tool to define which applications, networks, and APIs support your critical or important functions, so testing covers exactly what DORA cares about.

    2

    Testing by qualified offensive security engineers

    Our testers hold recognized offensive security certifications (OSCP, OSWE) and follow OWASP, PTES, and NIST SP 800-115 methodologies aligned with DORA and TIBER-EU expectations.

    3

    Supervisor-ready reporting

    Every report maps findings to the systems supporting your critical functions, includes CVSS v3.1 scores, exploitation evidence, and remediation steps, formatted for supervisory review.

    4

    Remediation tracking and retesting

    Monitor fix progress through our vulnerability dashboard. After remediation, we retest to confirm issues are resolved, giving supervisors documented proof of resilience.

    Get Your DORA Pentest Quote

    See exactly what your DORA-aligned penetration test would cost. Reports map findings to the systems supporting your critical functions so supervisors can trace evidence to your resilience testing programme.

    DORA Penetration Testing FAQ

    Does DORA require penetration testing?
    Yes. The Digital Operational Resilience Act (Regulation (EU) 2022/2554) requires financial entities to run a digital operational resilience testing programme that explicitly includes vulnerability assessments and penetration testing on ICT systems supporting critical or important functions, at least once a year. Significant entities must also perform advanced threat-led penetration testing (TLPT).
    What is threat-led penetration testing (TLPT) under DORA?
    TLPT is an advanced, intelligence-led form of penetration testing required by DORA Articles 26 and 27. It simulates the tactics, techniques, and procedures of real threat actors against a financial entity's live production systems. It is based on the TIBER-EU framework and must be carried out at least every three years by testers meeting strict independence and competence requirements.
    Who has to comply with DORA testing requirements?
    DORA applies to a broad set of EU financial entities, including banks, payment institutions, investment firms, insurers, crypto-asset service providers, and their critical ICT third-party providers. The basic testing programme applies to all in-scope entities; the advanced TLPT obligation applies to entities identified by regulators as significant based on their systemic importance and risk profile.
    When did DORA start applying?
    DORA entered into force on 16 January 2023 and has applied since 17 January 2025. Financial entities are now expected to have a documented resilience testing programme in place, with penetration testing evidence available for supervisory review.
    How often does DORA require penetration testing?
    The general resilience testing programme, including vulnerability assessments and penetration tests on critical ICT systems, must run at least annually. Threat-led penetration testing (TLPT) for significant entities must be conducted at least once every three years, or more frequently where the entity's risk profile requires it.
    How much does a DORA penetration test cost?
    A DORA-aligned penetration test with Budget Security starts at EUR 849 per day. Total cost depends on the number of applications, network segments, and APIs supporting your critical functions. Use our pricing page to calculate an estimate tailored to the systems in your DORA testing scope.