The Digital Operational Resilience Act became directly applicable across all EU member states on January 17, 2025. Financial entities must now implement comprehensive ICT risk management including mandatory vulnerability assessments and threat-led penetration testing. KENSAI helps you comply.
Start DORA Assessment → Book a DemoDORA applies to a broad set of financial entities operating in the EU — significantly wider than predecessor regulations:
| Entity Type | In Scope |
|---|---|
| Credit institutions (banks) | Yes |
| Payment institutions | Yes |
| Electronic money institutions | Yes |
| Investment firms | Yes |
| Crypto-asset service providers (CASPs) | Yes — new inclusion |
| Insurance / reinsurance undertakings | Yes |
| Pension fund administrators | Yes |
| ICT third-party service providers (critical) | Yes — as "critical ICT third-party providers" |
| Microenterprises (<10 employees, <€2M turnover) | Simplified requirements |
DORA Chapter IV (Articles 24–27) establishes a two-tier security testing framework:
All financial entities must implement a comprehensive digital operational resilience testing programme. This includes vulnerability assessments, open source analyses, network security assessments, gap analyses, physical security reviews, and scenario-based tests — at least annually.
Significant financial entities must conduct TLPT at least every 3 years. TLPT follows the TIBER-EU framework — intelligence-driven penetration testing simulating realistic threat actor TTPs against production systems. Must be performed by approved external testers.
Financial entities must identify, classify, and document all ICT-supported business functions and their dependencies. Vulnerability scanning is the primary technical mechanism for ongoing ICT risk identification.
Continuous monitoring of ICT systems, detection of anomalous activity, and policies covering vulnerability management, patch management, and configuration hardening.
Competent authorities (ECB, EBA, national regulators) can require financial entities to: submit ICT risk assessments on demand, undergo on-site inspections of ICT infrastructure, and commission independent security reviews. Non-compliance can result in fines of up to 1% of average daily worldwide turnover applied daily until compliance is achieved.
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the ECB's framework for advanced security testing. DORA's TLPT requirement is largely modeled on TIBER-EU. Key characteristics:
Under Article 24, the annual basic testing programme must cover:
Automates the annual vulnerability assessment, network security assessment, and open-source component analysis required under Article 24.
Discovers and maps all ICT assets supporting critical business functions — the foundation for DORA's ICT risk identification requirement.
Pre-TLPT vulnerability assessment identifies known weaknesses before red team engagement — maximizing testing value and demonstrating due diligence.
Assess the external attack surface of critical ICT third-party providers under DORA Chapter V (supply chain risk management).
Ongoing vulnerability detection meets Article 9's requirement for continuous monitoring and anomaly detection in ICT systems.
Generate DORA-aligned vulnerability reports for submission to competent authorities during supervisory reviews and on-site inspections.
💡 DORA and Other Regulations: DORA has a "lex specialis" relationship with GDPR, NIS2, and EMIR. Where DORA provides more specific ICT risk requirements, those prevail for financial entities. However, GDPR personal data obligations continue to apply independently. Your security testing programme must satisfy both.
| Milestone | Date |
|---|---|
| DORA entered into force | January 16, 2023 |
| DORA became directly applicable | January 17, 2025 |
| First annual basic testing due | January 17, 2026 |
| First TLPT cycle begins (significant entities) | Within 3 years of compliance date |
| Critical ICT provider oversight framework | 2025 (ESA designations) |
KENSAI automates the vulnerability assessment and network security testing required under DORA Article 24, while generating regulator-ready documentation for supervisory reviews. Built for financial entities operating under EU regulatory oversight.
Start DORA Assessment → Talk to a Financial Services Expert