DORA Digital Resilience Testing
An implementation guide to DORA's digital resilience testing requirements, covering basic testing obligations, advanced threat-led penetration testing (TLPT) based on TIBER-EU, scope, frequency, and the proportionality principle.
- 1
DORA Chapter IV (Articles 24-27) mandates a comprehensive digital operational resilience testing programme for all in-scope financial entities except microenterprises.
- 2
Basic testing under Article 25 — including vulnerability scans, penetration tests, and scenario-based tests — must be conducted at least annually on all systems supporting critical or important functions.
- 3
Advanced TLPT under Article 26 is required at least every three years for designated entities, must be conducted on live production systems, and follows the TIBER-EU methodology.
- 4
TLPT involves three phases: threat intelligence, red team testing (conducted by qualified external testers under Article 27), and structured closure with remediation planning.
- 5
Proportionality applies throughout: simplified-regime entities have reduced obligations, microenterprises are fully exempt from Chapter IV, and all entities must calibrate testing intensity to their risk profile.
DORA Resilience Testing Requirements: Articles 24-27 Overview
Chapter IV of Regulation (EU) 2022/2554 (DORA) establishes a comprehensive framework for digital operational resilience testing, spanning Articles 24 through 27. The regulation, which has applied since 17 January 2025, requires financial entities to establish, maintain, and review a sound and comprehensive digital operational resilience testing programme as part of their ICT risk management framework. This testing programme is not an optional enhancement — it is a regulatory requirement with specific minimum standards for scope, frequency, methodology, and reporting.
Article 24(1) sets the overarching obligation: financial entities other than microenterprises shall establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework. The testing programme must include a range of assessments, tests, methodologies, practices, and tools, as set out in Article 25 (basic testing) and, where applicable, Article 26 (advanced testing through threat-led penetration testing). The requirement applies to all financial entities in scope of DORA, though with proportionality adjustments based on the entity's size, business profile, and risk exposure.
The testing framework reflects the EU legislator's conviction that theoretical risk assessments alone are insufficient to ensure digital operational resilience. Real-world testing — from vulnerability scanning and network security assessments to full-scale threat-led penetration tests — provides empirical evidence of an entity's ability to withstand, respond to, and recover from ICT disruptions and cyber attacks. The graduated structure, with basic testing for all entities and advanced TLPT for the most significant, ensures that testing intensity is proportionate to systemic importance.
DORA's resilience testing requirements apply from 17 January 2025. Financial entities should already have a testing programme in place, or be actively implementing one, to avoid non-compliance from the first day of application.
Basic Testing Requirements Under Article 25
Article 25 specifies the minimum testing activities that all in-scope financial entities (except microenterprises) must perform. These basic tests include vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests including switching and failover tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.
The testing programme must cover all ICT systems and applications supporting critical or important functions. Article 24(6) specifies that financial entities shall identify all ICT systems and applications that support critical or important functions and shall test them at least yearly. This annual testing cycle is the minimum — the entity's risk assessment may dictate more frequent testing for particularly critical systems. The testing must be conducted by independent parties, either internal or external, though where internal testers are used, the entity must ensure they have sufficient resources and are free from conflicts of interest.
Article 25(2) requires financial entities to establish procedures and policies to prioritise, classify, and remedy issues identified during testing. This is not merely a documentation exercise — entities must demonstrate that test findings are tracked to resolution, that remediation is prioritised based on risk, and that the effectiveness of remediation measures is verified through re-testing. The testing programme must also be reviewed and updated regularly to reflect changes in the entity's ICT environment, threat landscape, and business operations. Competent authorities may request evidence of the testing programme, its results, and the remediation of identified issues as part of their supervisory activities.
Advanced Testing: Threat-Led Penetration Testing (TLPT)
Article 26 introduces the most demanding element of DORA's testing framework: advanced testing through threat-led penetration testing (TLPT). TLPT goes beyond conventional penetration testing by simulating the tactics, techniques, and procedures (TTPs) of real threat actors targeting the financial entity. The methodology is based on the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming), which was developed by the European Central Bank and has been adopted by multiple EU Member States and financial authorities since 2018.
TLPT is not required of all financial entities. Article 26(1) provides that only financial entities identified by competent authorities shall be required to carry out TLPT at least every three years. The identification is based on factors including the entity's systemic importance, its ICT risk profile, the specific ICT-related threats it faces, and its overall criticality to the financial system. In practice, this means that major banks, central counterparties, central securities depositories, and other systemically important financial institutions will be the primary candidates for mandatory TLPT.
The TLPT must cover several critical or important functions of the financial entity and must be performed on live production systems. Article 26(2) specifies that the testing must test critical or important functions and must be performed on live production systems supporting those functions. This is a deliberately demanding requirement — unlike basic penetration testing, which is often conducted in isolated test environments, TLPT is designed to reveal vulnerabilities that only manifest in production conditions. The scope of each TLPT must be defined by the financial entity with the approval of the competent authority, and must include a sufficient number of critical or important functions to provide meaningful coverage.
TLPT must be conducted on live production systems, not test environments. This requirement demands careful planning to avoid disrupting live financial services while still achieving realistic test conditions. Establish clear rules of engagement and escalation procedures before commencing any TLPT exercise.
TLPT Execution: Roles, Phases, and Reporting
A TLPT engagement follows a structured methodology derived from TIBER-EU, typically comprising three phases: threat intelligence, red team testing, and closure. In the threat intelligence phase, a qualified threat intelligence provider produces a targeted threat assessment identifying the most relevant threat actors and attack scenarios for the financial entity. This assessment must be based on real-world threat intelligence, not hypothetical scenarios, and must consider the entity's specific technology environment, business profile, and geographic exposure.
The red team phase involves an external testing team — the red team — attempting to compromise the entity's critical or important functions using the TTPs identified in the threat intelligence phase. Article 26(3) requires that TLPT be carried out by external testers meeting the requirements set out in Article 27. The entity's internal teams — blue teams — must not be informed of the test in advance, ensuring that the defensive response is genuine rather than rehearsed. The red team operates under strict rules of engagement agreed with the entity and the competent authority, which define the scope of permissible activities, escalation procedures, and conditions under which the test must be paused or terminated.
The closure phase involves a structured debrief in which the red team presents its findings, the blue team provides its perspective on the defensive response, and the entity develops a remediation plan addressing identified vulnerabilities. Article 26(6) requires that the financial entity submit to the competent authority a summary of the relevant findings, the remediation plans, and documentation demonstrating that the TLPT has been conducted in accordance with the regulatory requirements. The competent authority then provides an attestation confirming that the TLPT was carried out in compliance with the requirements, which the entity may share with other competent authorities to support mutual recognition and reduce duplicative testing under Article 26(4).
Article 27 sets out detailed requirements for the external testers conducting TLPT. They must be of the highest suitability and reputability, possess technical and organisational capabilities specifically required for threat intelligence and red team testing, and be certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks. They must also carry professional indemnity insurance covering risks arising from the conduct of the TLPT.
Testing Scope, Frequency, and Documentation
The scope of the digital operational resilience testing programme must cover all ICT systems and applications supporting critical or important functions. Article 24(4) provides that financial entities shall apply a risk-based approach when designing and executing the testing programme, duly considering the evolving landscape of ICT risk, any specific risks to which the financial entity is or could be exposed, the criticality of information assets and of services provided, and any other factor the entity deems appropriate.
For basic testing under Article 25, the minimum frequency is annual testing of all systems supporting critical or important functions. However, the risk-based approach may require more frequent testing for systems with heightened risk profiles — for example, internet-facing systems, systems processing sensitive financial data, or systems that have undergone significant changes. Vulnerability scans should typically be conducted quarterly or continuously, while more comprehensive assessments such as penetration tests and scenario-based tests may follow the annual cycle.
For TLPT under Article 26, the minimum frequency is once every three years for designated entities. However, the competent authority may increase the frequency based on the entity's risk profile. Each TLPT must be scoped in cooperation with the competent authority to ensure adequate coverage of critical or important functions. The scope should be rotated across successive TLPT cycles to ensure that, over time, all critical functions are tested.
Documentation requirements are extensive. Financial entities must maintain records of their testing programme, including the risk assessment underpinning test prioritisation, the test plans and methodologies used, test results and findings, remediation plans and evidence of remediation, and — for TLPT — the threat intelligence assessment, red team report, and competent authority attestation. These records must be available for supervisory review and should be retained for a period aligned with the entity's record retention policies and any applicable national requirements.
Proportionality and the Simplified Regime
DORA's testing requirements are subject to the principle of proportionality, which recurs throughout the regulation. Article 4 establishes that financial entities shall implement the DORA requirements taking into account their size and overall risk profile, and the nature, scale, and complexity of their services, activities, and operations. For the testing programme specifically, Article 24(2) provides that the testing programme shall be proportionate to and commensurate with the size and the overall risk profile of the financial entity.
Article 16(1) provides that small and non-interconnected investment firms, payment institutions exempted under Directive (EU) 2015/2366, institutions exempted under Directive 2013/36/EU, electronic money institutions exempted under Directive 2009/110/EC, and small institutions for occupational retirement provision may apply a simplified ICT risk management framework. For these entities, the testing requirements are correspondingly reduced, though not eliminated. They must still conduct basic assessments and tests, but the scope and frequency may be adjusted to reflect their simpler ICT environments and lower systemic risk.
Microenterprises — defined as enterprises employing fewer than 10 persons and with annual turnover or balance sheet total not exceeding EUR 2,000,000 — are exempt from the resilience testing requirements of Chapter IV entirely under Article 24(1). This exemption reflects the recognition that imposing comprehensive testing programmes on the smallest financial entities would be disproportionate to both their risk profile and their capacity to comply. However, microenterprises remain subject to the basic ICT risk management requirements under Article 16.
For entities between the microenterprise threshold and the TLPT designation level, the practical challenge is determining the appropriate level of testing intensity. Competent authorities and the European Supervisory Authorities (EBA, EIOPA, ESMA) have published guidelines and technical standards that provide further detail on how the proportionality principle should be applied to testing programmes. Financial entities should consult these resources and document their proportionality assessment to demonstrate that their testing programme is commensurate with their risk profile.
Even if your entity is not designated for TLPT, consider conducting voluntary threat-led testing. The insights gained from simulating real-world attack scenarios are substantially more valuable than those from conventional penetration testing, and voluntary TLPT demonstrates proactive risk management to supervisory authorities.
Does every financial entity need to conduct TLPT?
No. TLPT under Article 26 is only mandatory for financial entities specifically identified by their competent authority based on criteria including systemic importance, ICT risk profile, and criticality to the financial system. In practice, this targets major banks, central counterparties, central securities depositories, and other systemically significant institutions. Most smaller and medium-sized financial entities will only need to fulfil the basic testing requirements under Article 25. However, even non-designated entities may choose to conduct voluntary TLPT to strengthen their resilience posture.
Can we use internal teams for TLPT, or must we engage external testers?
Article 26(3) requires that TLPT be carried out by external testers meeting the requirements of Article 27. However, Article 26(3) also provides a limited exception: financial entities may use internal testers for the TLPT provided that the competent authority has granted approval, the entity has verified that this does not create a conflict of interest, and the threat intelligence element of the TLPT is produced by an external threat intelligence provider. In practice, most entities engage external red teams due to the specialised skills required and the need to ensure the blue team is not forewarned. Where internal testers are used, every other third TLPT must still be conducted by an external tester.
What is the relationship between DORA TLPT and TIBER-EU?
DORA's TLPT framework is based on the TIBER-EU framework developed by the European Central Bank. Recital 46 of DORA explicitly references TIBER-EU as the foundational methodology, and the regulatory technical standards developed by the ESAs further align TLPT requirements with TIBER-EU practices. Entities that have already conducted TIBER-EU tests will find the DORA TLPT requirements familiar, though there are some differences in scope and governance. The key advancement under DORA is that TLPT becomes a legally binding obligation for designated entities, whereas TIBER-EU was previously voluntary or semi-mandatory depending on the jurisdiction.
How should we handle vulnerabilities discovered during production testing?
DORA requires that all vulnerabilities identified through testing — including TLPT on live production systems — are documented, risk-assessed, and remediated according to a defined prioritisation framework. Article 25(2) mandates procedures and policies to prioritise, classify, and remedy all issues revealed by testing. For vulnerabilities discovered during live TLPT, the rules of engagement should include provisions for immediate notification if the red team discovers a critical vulnerability that poses an imminent risk. The entity should have pre-agreed escalation procedures that allow critical findings to be communicated to the blue team and remediated in real time if necessary, rather than waiting for the formal closure phase.
Can TLPT results from one competent authority be recognised by another?
Yes. Article 26(4) provides for mutual recognition of TLPT results. When a financial entity has conducted a TLPT that meets the regulatory requirements and has received an attestation from its competent authority, that attestation may be shared with other competent authorities to facilitate recognition. This mechanism is designed to reduce the burden of duplicative testing for entities operating across multiple EU jurisdictions. However, mutual recognition is not automatic — the receiving competent authority retains discretion to accept or request additional testing based on its own assessment of the entity's risk profile and the adequacy of the TLPT scope.
Ready to Operationalise This?
Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.