DORA mandates digital operational resilience testing for all financial entities. The regulation creates a two-tier framework: basic resilience testing required for all entities, and Threat-Led Penetration Testing (TLPT) required for significant entities. Understanding which tier applies to your organisation and what the testing must cover is foundational to DORA compliance.
The Two-Tier Testing Framework
Tier 1: Basic Resilience Testing (All Financial Entities)
All DORA-regulated financial entities must maintain a basic digital operational resilience testing programme. This must include (Article 25):
Vulnerability assessments and scans:
- Regular scanning of all ICT systems for known vulnerabilities
- Open-source and network vulnerability scanning
- Application vulnerability assessments
- Documented results and remediation tracking
Open-source analyses:
- Assessment of open-source components in the technology stack
- Software composition analysis (SCA) to identify known vulnerabilities in dependencies
Network security assessments:
- Network segmentation testing
- Firewall ruleset reviews
- Wireless security assessments
Gap analyses:
- Comparison of current security posture against DORA requirements and recognised standards
- Remediation planning for identified gaps
Penetration testing:
- Scenario-based testing against attack scenarios relevant to the financial sector
- Annual frequency at minimum for critical systems
- Must cover production systems or realistic representations
Physical security reviews:
- Assessment of physical access controls to data centres and critical infrastructure
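The "open-source analyses" item above is the one Tier 1 activity that is easy to show in code: software composition analysis is, at its core, matching the versions you actually ship against the affected version ranges in an advisory feed. The script below is an added example written for this article, not tooling from the article's author or from any SCA vendor. It assumes a requirements.txt-style manifest of exact `name==version` pins and a small inline advisory list; the advisory ids (`ADV-EXAMPLE-*`), packages and ranges are constructed for the example and are not real vulnerability records.

```python
"""Minimal software composition analysis (SCA) check.

Added example for this article, not the article's or any project's own code.
Assumptions (constructed): the manifest is a requirements.txt-style list of
exact ``name==version`` pins, and the advisory feed is an inline list with
version-range specifiers in the common ``>=a,<b`` form. Advisory ids are
placeholders, not real CVE or GHSA identifiers.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed manifest, as it would be read from requirements.txt.
MANIFEST = """\
requests==2.19.0
urllib3==1.26.5
cryptography==41.0.3
# comment lines and blank lines are ignored

pyyaml==5.1
"""

# Constructed advisory feed: ids, ranges and severities are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "requests", "affected": ">=2.0,<2.20.0", "fixed": "2.20.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "package": "urllib3", "affected": ">=1.26.0,<1.26.5", "fixed": "1.26.5", "severity": "medium"},
    {"id": "ADV-EXAMPLE-003", "package": "pyyaml", "affected": "<5.4", "fixed": "5.4", "severity": "critical"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.26.5' into (1, 26, 5). Only the leading digits of each part
    count, so a pre-release such as '5rc1' compares as 5 (a simplification)."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples, padding the shorter one with zeros."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def version_in_range(version: str, specifier: str) -> bool:
    """True if the version satisfies every comma-separated clause."""
    v = parse_version(version)
    for clause in specifier.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "<", ">"):  # two-character operators first
            if clause.startswith(op):
                c = _cmp(v, parse_version(clause[len(op):]))
                satisfied = {"<=": c <= 0, ">=": c >= 0, "==": c == 0, "<": c < 0, ">": c > 0}[op]
                if not satisfied:
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
    return True


def parse_manifest(text: str) -> Dict[str, str]:
    """Read exact pins; comments and blank lines are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"only exact pins are supported: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


@dataclass
class Finding:
    advisory_id: str
    package: str
    installed: str
    fixed: str
    severity: str


def scan(manifest_text: str, advisories) -> List[Finding]:
    """Match every pinned dependency against the advisory feed."""
    pins = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed and version_in_range(installed, adv["affected"]):
            findings.append(Finding(adv["id"], adv["package"], installed, adv["fixed"], adv["severity"]))
    return sorted(findings, key=lambda f: f.package)


if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES):
        print(f"{f.severity.upper():8} {f.package}=={f.installed}  {f.advisory_id}  upgrade to {f.fixed}")
```

Run against the constructed manifest, the scan flags `pyyaml` and `requests` and correctly leaves `urllib3` alone, because 1.26.5 is the fixed version and falls outside the `<1.26.5` bound. That boundary handling is where hand-rolled checks most often go wrong, and it is why a real programme should use a maintained tool and feed rather than this toy; the output, however, is the same kind of record that Article 25 expects to be documented and tracked.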
Tier 2: Threat-Led Penetration Testing (Significant Entities Only)
TLPT is a more advanced, intelligence-driven penetration test based on real threat intelligence relevant to the specific entity. It is required for:
- Significant financial entities — determined by competent authorities based on size, systemic importance, nature of activities, and risk profile
TLPT under DORA (Article 26 and related RTS) is based on the TIBER-EU framework developed by the European Central Bank.
What TLPT Involves
TLPT is fundamentally different from standard penetration testing:
Intelligence-driven: The attack scenarios are derived from real threat intelligence about actual threat actors targeting financial entities. A threat intelligence provider prepares a specific threat intelligence report for the entity.
Red team approach: An advanced red team simulates a sophisticated attacker, typically attempting to reach the entity's critical functions. Unlike standard pen tests that focus on finding vulnerabilities, TLPT tries to achieve realistic attack objectives.
Purple team validation: Following the red team exercise, a purple team process validates findings and confirms whether defensive controls detected and responded correctly.
Scope limited to critical functions and systems: TLPT targets the entity's most critical functions, such as payment processing, core banking systems and identity infrastructure. It is not a general network sweep.
Live production systems: TLPT is conducted in the live production environment, not just staging or test environments. This requires extensive coordination and careful scoping to avoid service disruption.
Timeline: 3–12 months for a full TLPT cycle, depending on complexity. This is a significant operational undertaking.
TLPT Frequency
The RTS under DORA specifies TLPT frequency for significant entities. The general expectation is:
- Every 3 years for significant entities, unless the competent authority determines more frequent testing is warranted
- After major security incidents or infrastructure changes, the competent authority may direct additional TLPT
Who Qualifies as a Significant Entity for TLPT
Competent authorities (EBA, ESMA, EIOPA, and national supervisors) designate which entities must conduct TLPT. The designation considers:
- Size and nature of the entity
- Systemic importance (impact of disruption on the financial system)
- Risk profile
- Whether the entity has already been involved in supervisory TLPT exercises
Not all banks and financial entities are required to do TLPT. Smaller payment institutions, e-money institutions, and investment firms are generally not required. Major systemically important banks, payment schemes, and critical financial infrastructure are typically required.
Practical Resilience Testing Plan for Fintechs
For most fintech companies (not yet significant entities):
Q1:
- Vulnerability scans of all internet-facing systems
- Software composition analysis of all production dependencies
- Review and update of network architecture diagrams
Q2:
- Application penetration test of core product
- Phishing simulation exercise
- Review of access control configurations
Q3:
- Internal infrastructure penetration test
- Physical security review
- Business continuity test (tabletop or simulation)
Q4:
- Annual risk assessment
- Gap analysis against DORA requirements
- Remediation programme for findings from the year's testing
All test results and remediation tracking must be documented. This documentation is what regulators examine in DORA audits.
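The remediation tracking called for in the Tier 1 list and in the closing sentence above is what an auditor actually reads: a register of findings with an owner, a deadline derived from severity, and evidence of closure or a documented risk acceptance. The script below is an added example for this article, not the article's own material or any regulator's tooling. The severity-to-deadline table is an assumed internal policy chosen for the example (DORA does not prescribe these numbers), and the findings in the register are constructed.

```python
"""Remediation tracking for resilience-test findings.

Added example for this article, not the article's or any regulator's own
code. SLA_DAYS is an assumed internal policy for the example; DORA itself does
not prescribe remediation deadlines. All findings below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed internal remediation deadlines in days, per severity (example policy).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    ref: str                      # internal tracker id (constructed)
    source: str                   # which testing activity produced it
    severity: str
    found_on: date
    owner: str
    closed_on: Optional[date] = None
    risk_accepted: bool = False   # documented acceptance instead of a fix

    def __post_init__(self) -> None:
        if self.severity not in SLA_DAYS:
            raise ValueError(f"{self.ref}: unknown severity {self.severity!r}")

    @property
    def due(self) -> date:
        return self.found_on + timedelta(days=SLA_DAYS[self.severity])

    def is_open(self) -> bool:
        return self.closed_on is None and not self.risk_accepted

    def is_overdue(self, as_of: date) -> bool:
        return self.is_open() and as_of > self.due

    def closed_within_sla(self) -> Optional[bool]:
        """None while open or risk-accepted; otherwise whether closure met the deadline."""
        if self.closed_on is None:
            return None
        return self.closed_on <= self.due


# Constructed register covering one year of the quarterly plan above.
REGISTER: List[Finding] = [
    Finding("F-2025-001", "vulnerability scan", "critical", date(2025, 1, 20), "platform", closed_on=date(2025, 1, 30)),
    Finding("F-2025-002", "software composition analysis", "high", date(2025, 2, 3), "backend", closed_on=date(2025, 3, 20)),
    Finding("F-2025-003", "application penetration test", "high", date(2025, 5, 12), "backend"),
    Finding("F-2025-004", "firewall ruleset review", "medium", date(2025, 6, 2), "network", risk_accepted=True),
    Finding("F-2025-005", "phishing simulation", "low", date(2025, 6, 9), "security awareness"),
]


def overdue(findings: List[Finding], as_of: date) -> List[str]:
    """Refs of open findings whose deadline has passed, oldest deadline first."""
    late = [f for f in findings if f.is_overdue(as_of)]
    return [f.ref for f in sorted(late, key=lambda f: f.due)]


def audit_summary(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """The figures an auditor asks for: volume, closure discipline and backlog."""
    closed = [f for f in findings if f.closed_on is not None]
    open_findings = [f for f in findings if f.is_open()]
    open_by_severity: Dict[str, int] = {}
    for f in open_findings:
        open_by_severity[f.severity] = open_by_severity.get(f.severity, 0) + 1
    return {
        "as_of": as_of.isoformat(),
        "total": len(findings),
        "open": len(open_findings),
        "closed": len(closed),
        "risk_accepted": sum(1 for f in findings if f.risk_accepted),
        "closed_within_sla": sum(1 for f in closed if f.closed_within_sla()),
        "closed_late": sum(1 for f in closed if not f.closed_within_sla()),
        "overdue": overdue(findings, as_of),
        "open_by_severity": open_by_severity,
    }


if __name__ == "__main__":
    for key, value in audit_summary(REGISTER, date(2025, 7, 1)).items():
        print(f"{key:18} {value}")
```

With the register evaluated as of 1 July 2025, one high finding from the Q2 application test is overdue, one earlier high finding was closed but outside its deadline, and one medium finding was risk-accepted rather than fixed. Those three facts, with owners and dates attached, are exactly the kind of evidence a regulator will look for; a register that only records "found" and "fixed" without deadlines cannot show whether the remediation programme is actually working.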