How Penetration Testing Supports DORA Compliance for Financial and ICT Entities

Sep 16, 2025 | Articles, Information Security


What DORA Means for Financial and ICT Sector Organizations

The Digital Operational Resilience Act (DORA), effective January 2025, introduces a unified EU framework for managing and testing digital resilience across the entire financial ecosystem. Banks, insurance companies, investment firms, payment institutions, and the ICT providers that serve them must now demonstrate their ability to prevent, detect, respond to, and recover from ICT disruptions.

A central pillar of DORA is advanced security testing, and that’s where our role begins, as a partner providing penetration testing services designed to help regulated entities achieve and maintain DORA compliance.

What Are DORA’s Key Obligations?

The Digital Operational Resilience Act (DORA) imposes five core obligations on regulated financial entities:

  • ICT Risk Management – Implement governance, policies, and controls to manage ICT risk.
  • Incident Reporting – Detect, classify, and report major ICT-related incidents within defined timeframes.
  • Digital Resilience Testing – Regularly test ICT systems as part of a structured testing program; all entities must perform regular testing, while significant entities must also conduct Threat-Led Penetration Testing (TLPT) under regulatory supervision.
  • Third-Party Risk Management – Assess and monitor ICT service providers, especially those supporting critical functions.
  • Information Sharing – Voluntary exchange of cyber threat intelligence with peers to strengthen sector-wide resilience.

These obligations apply to a wide range of financial and ICT-related entities across the EU, and form the foundation of DORA compliance.


DORA’s Testing Mandates: What You Need to Know

DORA requires organizations to go beyond basic security practices. Under Articles 24–27, regulated entities must:

  • Conduct risk-based testing of their digital infrastructure
  • Perform Threat-Led Penetration Testing (TLPT) on critical functions
  • Use real-life threat scenarios in production-like environments
  • Involve authorities in scoping and validation

The goal is clear: to ensure both technical controls and human response can withstand realistic, high-impact cyber threats.

Who Needs to Comply?

This regulation applies to a broad array of institutions, including:

  • Banks and Credit Institutions
  • Insurance and Reinsurance Companies
  • Payment and E-Money Institutions
  • Investment Firms
  • Crypto-asset Service Providers
  • Cloud, Software, and Security Providers supporting these sectors


Whether you’re a regulated financial institution or a third-party technology provider supporting them, you must demonstrate resilience through formal security testing, including penetration testing, and audit-ready evidence.

DORA applies to all regulated entities, regardless of size or complexity. While all are required to conduct regular testing, a subset classified as “significant entities” must also undergo Threat-Led Penetration Testing (TLPT) every three years under Article 26.

This risk-based approach ensures that testing requirements are proportionate to each organization’s criticality and ICT risk exposure.

How We Support DORA Compliance through Offensive Security

We help organizations meet these obligations by delivering:

Red Teaming

Realistic attack simulation targeting critical functions to assess:

  • Threat detection and response capabilities
  • Security control effectiveness under real-world stress
  • Incident handling and escalation processes


Penetration Testing

Tactical assessments of:

  • External/internal networks and infrastructure
  • Applications, APIs, and cloud environments
  • Remote access, identity, and privilege controls


All testing is tailored to reflect the real-world threat landscape, organizational risk profile, and DORA’s focus on production-like, risk-based, intelligence-led assessments.


Annual Penetration Testing: A Mandatory Obligation Under Article 24

The adoption of new cybersecurity legislation should be a priority for your organization, both in terms of budget and strategy. With the NIS2 Directive taking effect soon, it should be top of mind for the COO. Importantly, C-level executives are personally liable in cases of non-compliance, which can result in fines, prosecution, and disqualification from serving on additional boards. The CISO must be informed of the challenges posed by NIS2, and a designated individual or team should be responsible for the integration of IT and OT systems to ensure compliance.

Article 24 of DORA requires all regulated financial entities to perform regular security testing, including penetration testing, at least annually.

This testing supports the broader obligation to maintain a comprehensive digital operational resilience testing program and must also be conducted after any major system or architectural changes.

In contrast, Threat-Led Penetration Testing (TLPT) under Article 26 applies only to entities designated as “significant” by regulators.


TLPT: From Regulation to Execution

DORA aligns closely with TIBER-EU, the ECB’s framework for Threat Intelligence-Based Ethical Red Teaming, which is already being used by many regulators across Europe. Our TLPT approach includes:

  1. Intelligence-led scoping based on your threat profile
  2. Controlled adversary emulation against critical functions
  3. Clear documentation that meets regulator expectations
  4. Debriefing and remediation planning with your technical and executive teams

We help ensure your TLPT program is not only technically sound, but compliance-aligned.


Compliance Readiness: A Proven Path

Here’s how we help organizations prepare for DORA:

  1. Assess Readiness – Gap analysis vs. DORA testing mandates.
  2. Define Critical Assets – What must be protected and tested?
  3. Design Test Scenarios – Map realistic threat paths to business processes.
  4. Execute Testing – Red Teaming, Pentesting, or *Phishing simulations as needed.
  5. Report & Advise – Deliver regulator-ready evidence and remediation support.

*Phishing simulations are not mandated by DORA but can enhance threat scenario realism in TLPT engagements.


Turn Compliance into a Competitive Advantage

“DORA doesn’t just raise the bar; it mandates proof. Security testing isn’t optional; it’s required. The question is: are you prepared to prove it?”

We don’t offer products, we offer expertise, trust, and impact. Our team helps regulated organizations move from reactive audits to proactive assurance through tailored penetration testing assessments that satisfy DORA’s most demanding requirements.

Referenced Legal Articles from DORA

  • Article 24 – General Requirements for Testing
  • Article 26 – Advanced Testing Based on Threat-Led Penetration Testing (TLPT)
  • Article 27 – Requirements for Testers

These articles are part of the full Regulation (EU) 2022/2554 on Digital Operational Resilience (DORA).

Preparing for DORA’s mandatory testing requirements?

If you’re a financial institution or ICT provider preparing for DORA, we can help.

We specialize in penetration testing and threat-led assessments designed to meet Articles 24–27 of the DORA Regulation. Our services are tailored to your critical business functions and follow production-like, intelligence-led methodologies that help you demonstrate compliance through structured, regulator-aligned testing.

Our team doesn’t just identify vulnerabilities. We exploit them to show real-world impact. Unlike traditional pentesting firms, we provide access to an intuitive remediation platform that enables your team to track, prioritize, and resolve issues collaboratively and in real time.

Let’s talk about how we can support your DORA readiness with security testing that meets the letter of the regulation and the reality of today’s cyber threats.

Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Are you looking for a better way to secure your business? Whether you need a product audit, vendor security assessment, or overall security testing, we can help. Our team of experts will work with you to identify your specific security needs and provide tailored recommendations to improve your overall security posture.

To find out more about how Black Hat Ethical Hacking can help you, check out our Solutions.
