DORA Penetration Testing Requirements
The Digital Operational Resilience Act (DORA) is the EU regulation that sets uniform requirements for the security of network and information systems across the financial sector. It has applied since 17 January 2025, and penetration testing sits at the centre of its resilience testing obligations.
This guide breaks down what DORA requires for penetration testing, how threat-led penetration testing (TLPT) works under Articles 26 and 27, who is in scope, and how Budget Security delivers engagements built for supervisory review.
What DORA Requires for Resilience Testing
DORA is built on five pillars: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. The third pillar (Chapter IV, Articles 24 to 27) is where penetration testing becomes a direct legal obligation for financial entities:
Article 24 - Testing Programme
Requires a sound, comprehensive digital operational resilience testing programme covering ICT tools and systems supporting critical or important functions
Article 25 - Test Methods
Explicitly lists vulnerability assessments, scans, and penetration testing among the required tests, performed at least yearly on critical systems
Articles 26-27 - TLPT
Mandates advanced threat-led penetration testing for significant entities, based on the TIBER-EU framework, at least every three years
Independence of Testers
Testing must be performed by independent, suitably qualified parties, with clear separation from the teams that build and run the systems
Supervisors expect financial entities to hold documented evidence that this testing programme is in place and effective. A recent penetration test report, mapped to the systems supporting your critical functions, is one of the strongest pieces of evidence you can present.
Threat-Led Penetration Testing (TLPT) Under DORA
For financial entities identified as significant, DORA goes beyond standard penetration testing and requires threat-led penetration testing. TLPT simulates a real, intelligence-led attack against live production systems:
Article 26 - Advanced Testing Obligation
Significant financial entities must carry out threat-led penetration testing at least every three years. The test covers several or all critical or important functions and is performed on live production systems, closely mirroring how a genuine adversary would operate.
TIBER-EU Alignment
DORA's TLPT requirements are based on the TIBER-EU framework. Tests use threat intelligence to design realistic attack scenarios, combining reconnaissance, exploitation, and lateral movement against the entity's people, processes, and technology.
Tester Requirements
TLPT must be conducted by testers with proven expertise in threat intelligence and offensive security, meeting DORA's independence and competence criteria. Findings feed directly into the entity's ICT risk management and remediation processes.
DORA Scope and Testing Timeline
Understanding whether you are in scope, and which testing tier applies, determines how you plan your penetration testing programme:
Who is in scope
Banks, payment and e-money institutions, investment firms, insurers, crypto-asset service providers, and other EU financial entities, plus their critical ICT third-party providers.
Standard testing tier
All in-scope entities must run vulnerability assessments and penetration tests on ICT systems supporting critical or important functions at least once a year.
Advanced tier (TLPT)
Entities designated significant by their competent authority must additionally perform threat-led penetration testing at least every three years.
Evidence and review
DORA has applied since 17 January 2025. Entities must retain test results, remediation plans, and validation evidence for supervisory review.
Even if your entity is not designated significant, a strong annual penetration testing programme is the baseline DORA expects, and the foundation you would build on if you later fall in scope for TLPT.
How Budget Security Helps You Comply with DORA
Budget Security delivers penetration testing built for financial entities working to meet DORA's resilience testing obligations. Our platform lets you define scope and launch engagements on your timeline, starting at EUR 849 per day.
Scope around your critical functions
Use our online scoping tool to define which applications, networks, and APIs support your critical or important functions, so testing covers exactly what DORA cares about.
Testing by qualified offensive security engineers
Our testers hold recognized offensive security certifications (OSCP, OSWE) and follow OWASP, PTES, and NIST SP 800-115 methodologies aligned with DORA and TIBER-EU expectations.
Supervisor-ready reporting
Every report maps findings to the systems supporting your critical functions, includes CVSS v3.1 scores, exploitation evidence, and remediation steps, formatted for supervisory review.
Remediation tracking and retesting
Monitor fix progress through our vulnerability dashboard. After remediation, we retest to confirm issues are resolved, giving supervisors documented proof of resilience.
Get Your DORA Pentest Quote
See exactly what your DORA-aligned penetration test would cost. Reports map findings to the systems supporting your critical functions so supervisors can trace evidence to your resilience testing programme.