doratesting

DORA testing checklist: how to prepare and stay compliant

Updated 2026-07-06 2 min read

DORA rewards a programme you can evidence, not a folder of one-off reports. This checklist turns the testing pillar into concrete steps.

Scope and plan

  • Map your critical and important functions and the ICT systems that support them.
  • Assess risk to prioritise what gets tested, how deeply and how often.
  • Document a testing programme covering those systems, aligned to your risk profile.

Build the test layers

  • Schedule regular vulnerability assessments and scans.
  • Plan penetration testing of critical systems at least yearly.
  • Add scenario-based and end-to-end resilience tests (detection, response, recovery).
  • If you are a significant entity, plan TLPT on at least a three-year cycle.

Choose testers

  • Use independent, qualified testers; safeguard independence if using internal staff.
  • For TLPT, confirm testers meet the competence and independence criteria.
  • Define rules of engagement to test live systems safely.

Close the loop

  1. Prioritise and classify findings by risk.
  2. Remediate, then retest to confirm the fix.
  3. Report to management and, where relevant, supervisors.
  4. Feed lessons back into the risk-management framework and next year’s programme.

Common gaps

  • Testing systems in isolation but never end-to-end resilience.
  • Running tests without documented remediation or retesting.
  • Treating testing as annual box-ticking rather than a continuous programme.
  • Assuming internal testing satisfies independence expectations without safeguards.

FAQ

Related questions

Where should we start with DORA testing?

Start by mapping your critical and important functions and the ICT systems behind them — that scope defines what your testing programme must cover.

Does one annual penetration test satisfy DORA?

Not on its own. DORA expects a layered programme — vulnerability assessments, penetration testing and scenario-based tests — with documented remediation and retesting, not a single test.

How do we evidence compliance?

Keep records of scope, methodology, findings, risk ratings, remediation and retesting, and show how results feed back into your risk-management framework.