DORA — Regulation (EU) 2022/2554

DORA Security Testing for Financial Services

The Digital Operational Resilience Act became directly applicable across all EU member states on January 17, 2025. Financial entities must now implement comprehensive ICT risk management including mandatory vulnerability assessments and threat-led penetration testing. KENSAI helps you comply.

Start DORA Assessment → Book a Demo

Who Must Comply with DORA?

DORA applies to a broad set of financial entities operating in the EU — significantly wider than predecessor regulations:

Entity TypeIn Scope
Credit institutions (banks)Yes
Payment institutionsYes
Electronic money institutionsYes
Investment firmsYes
Crypto-asset service providers (CASPs)Yes — new inclusion
Insurance / reinsurance undertakingsYes
Pension fund administratorsYes
ICT third-party service providers (critical)Yes — as "critical ICT third-party providers"
Microenterprises (<10 employees, <€2M turnover)Simplified requirements

DORA ICT Security Testing Requirements

DORA Chapter IV (Articles 24–27) establishes a two-tier security testing framework:

Article 24 — Basic Digital Operational Resilience Testing

All financial entities must implement a comprehensive digital operational resilience testing programme. This includes vulnerability assessments, open source analyses, network security assessments, gap analyses, physical security reviews, and scenario-based tests — at least annually.

Article 25 — Advanced Testing: TLPT (Threat-Led Penetration Testing)

Significant financial entities must conduct TLPT at least every 3 years. TLPT follows the TIBER-EU framework — intelligence-driven penetration testing simulating realistic threat actor TTPs against production systems. Must be performed by approved external testers.

Article 8 — ICT Risk Identification

Financial entities must identify, classify, and document all ICT-supported business functions and their dependencies. Vulnerability scanning is the primary technical mechanism for ongoing ICT risk identification.

Article 9 — Protection and Prevention

Continuous monitoring of ICT systems, detection of anomalous activity, and policies covering vulnerability management, patch management, and configuration hardening.

🚨 DORA Supervisory Powers Are Extensive

Competent authorities (ECB, EBA, national regulators) can require financial entities to: submit ICT risk assessments on demand, undergo on-site inspections of ICT infrastructure, and commission independent security reviews. Non-compliance can result in fines of up to 1% of average daily worldwide turnover applied daily until compliance is achieved.

DORA vs TIBER-EU: How They Relate

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the ECB's framework for advanced security testing. DORA's TLPT requirement is largely modeled on TIBER-EU. Key characteristics:

Basic Testing Programme: What's Required Annually

Under Article 24, the annual basic testing programme must cover:

How KENSAI Supports DORA Compliance

✓ Article 24 Basic Testing Automation

Automates the annual vulnerability assessment, network security assessment, and open-source component analysis required under Article 24.

✓ Critical ICT Asset Inventory

Discovers and maps all ICT assets supporting critical business functions — the foundation for DORA's ICT risk identification requirement.

✓ TLPT Preparation

Pre-TLPT vulnerability assessment identifies known weaknesses before red team engagement — maximizing testing value and demonstrating due diligence.

✓ Third-Party ICT Risk

Assess the external attack surface of critical ICT third-party providers under DORA Chapter V (supply chain risk management).

✓ Continuous Monitoring

Ongoing vulnerability detection meets Article 9's requirement for continuous monitoring and anomaly detection in ICT systems.

✓ Regulator-Ready Reporting

Generate DORA-aligned vulnerability reports for submission to competent authorities during supervisory reviews and on-site inspections.

💡 DORA and Other Regulations: DORA has a "lex specialis" relationship with GDPR, NIS2, and EMIR. Where DORA provides more specific ICT risk requirements, those prevail for financial entities. However, GDPR personal data obligations continue to apply independently. Your security testing programme must satisfy both.

DORA Compliance Timeline

MilestoneDate
DORA entered into forceJanuary 16, 2023
DORA became directly applicableJanuary 17, 2025
First annual basic testing dueJanuary 17, 2026
First TLPT cycle begins (significant entities)Within 3 years of compliance date
Critical ICT provider oversight framework2025 (ESA designations)

Meet DORA ICT Security Testing Requirements

KENSAI automates the vulnerability assessment and network security testing required under DORA Article 24, while generating regulator-ready documentation for supervisory reviews. Built for financial entities operating under EU regulatory oversight.

Start DORA Assessment → Talk to a Financial Services Expert

Related Articles

6G सिक्योरिटी-बाय-डिज़ाइन दिशानिर्देश TeamPCP esconde stealer em arquivos WAV, Falsos alertas VS Code no GitHub AI-systemen onder vuur: Gemini Chrome-exploit