DORA testing checklist: how to prepare and stay compliant
DORA rewards a programme you can evidence, not a folder of one-off reports. This checklist turns the testing pillar into concrete steps.
Scope and plan
- Map your critical and important functions and the ICT systems that support them.
- Assess risk to prioritise what gets tested, how deeply and how often.
- Document a testing programme covering those systems, aligned to your risk profile.
Build the test layers
- Schedule regular vulnerability assessments and scans.
- Plan penetration testing of critical systems at least yearly.
- Add scenario-based and end-to-end resilience tests (detection, response, recovery).
- If you are a significant entity, plan TLPT on at least a three-year cycle.
Choose testers
- Use independent, qualified testers; safeguard independence if using internal staff.
- For TLPT, confirm testers meet the competence and independence criteria.
- Define rules of engagement to test live systems safely.
Close the loop
- Prioritise and classify findings by risk.
- Remediate, then retest to confirm the fix.
- Report to management and, where relevant, supervisors.
- Feed lessons back into the risk-management framework and next year’s programme.
Common gaps
- Testing systems in isolation but never end-to-end resilience.
- Running tests without documented remediation or retesting.
- Treating testing as annual box-ticking rather than a continuous programme.
- Assuming internal testing satisfies independence expectations without safeguards.
FAQ
Related questions
Where should we start with DORA testing?
Start by mapping your critical and important functions and the ICT systems behind them — that scope defines what your testing programme must cover.
Does one annual penetration test satisfy DORA?
Not on its own. DORA expects a layered programme — vulnerability assessments, penetration testing and scenario-based tests — with documented remediation and retesting, not a single test.
How do we evidence compliance?
Keep records of scope, methodology, findings, risk ratings, remediation and retesting, and show how results feed back into your risk-management framework.
Keep reading
More guides
-
DORA testing requirements: what financial entities must test
DORA makes resilience testing a legal duty. Here’s the programme it requires, the test types, the cadence, and who must do the testing.
Read guide -
DORA TLPT explained: threat-led penetration testing
For significant entities, DORA mandates advanced threat-led penetration testing. Here’s what TLPT is, who must do it, and how it works.
Read guide