DORA requires financial entities to test their digital operational resilience, not just document it. Articles 24 to 27 set out a two-tier program. Every in-scope entity must run a baseline testing program of its ICT systems and tools on a risk-based schedule, at least annually for critical systems. On top of that, the entities the supervisors identify as significant must perform advanced threat-led penetration testing (TLPT), a live test against their production systems modeled on real attacker behavior, at least every three years, performed by qualified internal or external testers.
DORA treats testing as proof. A financial entity can have an ICT risk framework on paper, but DORA Articles 24 to 27 require it to test whether that framework holds under pressure. The testing comes in two tiers: a baseline every entity runs, and an advanced threat-led test for the entities of greatest systemic importance. This guide covers both tiers, who performs them, how often, and where the program goes wrong.
The baseline testing program
Articles 24 and 25 require every in-scope entity to establish, maintain, and review a sound and comprehensive digital operational resilience testing program as an integral part of its ICT risk management. The program applies a range of tests to ICT systems and applications, scaled to the entity's risk. The tests named include vulnerability assessments and scans, open-source analysis, network security assessments, gap analyses, physical security reviews, penetration testing, and scenario-based tests. ICT systems supporting critical or important functions are tested at least annually.
Advanced testing: TLPT
Article 26 adds a higher tier for the entities the competent authorities identify, based on their risk profile and systemic importance: threat-led penetration testing. TLPT is a controlled test that mimics the tactics, techniques, and procedures of real threat actors against the entity's live production systems, carried out at least every three years. It covers several or all of the critical or important functions and is performed on live systems, which is what distinguishes it from a routine penetration test. The framework draws on TIBER-EU.
Who performs the testing
Article 27 sets requirements for the testers. TLPT can be performed by external testers or, subject to conditions, by internal testers, but the testers must have the highest suitability and reputational standing, the relevant technical and organizational capabilities, and demonstrated expertise. Where internal testers are used, the competent authority's conditions apply and, in many cases, an external tester must be brought in at least every third test. The aim is independence and competence, so that the test is a genuine adversarial exercise rather than a self-graded one.
How the tiers compare
| Tier | Who and how often |
|---|---|
| Baseline testing (Art. 24 to 25) | Every in-scope entity. A range of tests on a risk-based schedule; critical systems at least annually. |
| TLPT (Art. 26 to 27) | Only entities the supervisors identify. A live, threat-led test at least every three years, by qualified independent testers. |
How to approach it
Step 1: Build the baseline testing program
Establish the testing program as part of ICT risk management, with the range of tests scaled to the entity's risk.
Step 2: Test critical systems at least annually
Schedule testing of ICT systems supporting critical or important functions at least once a year, and remediate findings.
Step 3: Determine whether TLPT applies
Confirm with the competent authority whether the entity is in scope for threat-led penetration testing.
Step 4: Run TLPT with qualified testers
Where in scope, conduct the live threat-led test at least every three years using testers who meet the Article 27 requirements.
Step 5: Feed findings back into the framework
Use the results to update the ICT risk management framework and the resilience controls.
Where it goes wrong
- Documenting without testing. The ICT risk framework exists but the testing program that proves it is missing or thin.
- Treating a routine pen test as TLPT. A standard penetration test is substituted for the live, threat-led exercise Article 26 requires of in-scope entities.
- Findings that do not loop back. Tests are run but the results never update the ICT risk management framework.
Resilience testing is how DORA proves the framework works under attack. For the wider regulation, see the EU DORA compliance guide and the EU DORA glossary; for the framework the testing validates, see the DORA ICT risk management guide.
Primary sources
- Regulation (EU) 2022/2554 (DORA), Articles 24 to 27: The digital operational resilience testing program, including threat-led penetration testing (TLPT) for the entities the supervisors identify.
- Regulation (EU) 2022/2554 (DORA): The Digital Operational Resilience Act: ICT risk management, incident reporting, resilience testing, third-party risk, and oversight of critical ICT providers.