Digital Operational Resilience Testing under DORA
Last updated: 1 authoritative sourceDORA Auditor Editorial Team
DORA's resilience-testing pillar (Articles 24–27) requires financial entities to establish a risk-based testing programme for ICT systems, and requires significant entities to perform threat-led penetration testing (TLPT) at least every three years.
The testing programme
Testing ranges from vulnerability assessments and scans to scenario-based tests and end-to-end testing, proportionate to the entity's size and risk profile.
Threat-led penetration testing (TLPT)
TLPT follows the TIBER-EU framework and tests live production systems using threat intelligence. It must cover the critical functions identified under the ICT risk-management framework, and may involve ICT third-party providers.
Frequently asked questions
How often is TLPT required under DORA?
At least once every three years for entities identified as significant, subject to authority discretion.