Skip to main content
DORA Auditor

Digital Operational Resilience Testing under DORA

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

DORA's resilience-testing pillar (Articles 24–27) requires financial entities to establish a risk-based testing programme for ICT systems, and requires significant entities to perform threat-led penetration testing (TLPT) at least every three years.

The testing programme

Testing ranges from vulnerability assessments and scans to scenario-based tests and end-to-end testing, proportionate to the entity's size and risk profile.

Threat-led penetration testing (TLPT)

TLPT follows the TIBER-EU framework and tests live production systems using threat intelligence. It must cover the critical functions identified under the ICT risk-management framework, and may involve ICT third-party providers.

Frequently asked questions

How often is TLPT required under DORA?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex