doratesting

DORA testing requirements: what financial entities must test

Updated 2026-07-06 2 min read

DORA’s resilience-testing pillar turns "we should test our systems" into a documented legal obligation. This guide sets out what that programme has to include.

A documented testing programme

DORA requires in-scope financial entities to establish and maintain a sound, comprehensive digital operational resilience testing programme as part of their ICT risk-management framework. It must be risk-based and cover the ICT systems and applications that support critical or important functions.

The baseline tests

On the systems supporting important functions, entities are expected to carry out a range of tests at least yearly, which may include:

  • Vulnerability assessments and scans.
  • Network security assessments.
  • Gap analyses and configuration/security reviews.
  • Source-code reviews where feasible.
  • Penetration testing of critical systems.
  • Scenario-based tests and end-to-end resilience testing.

Cadence

The baseline programme requires testing of critical and important ICT systems at least once a year. The most significant entities additionally undergo advanced threat-led penetration testing (TLPT) at least every three years.

Who may test

Testing must be performed by independent, qualified parties. Internal testers can be used only under conditions that safeguard independence and avoid conflicts of interest, and TLPT carries stricter requirements on tester competence and independence.

Evidence and remediation

It isn’t enough to run tests. Entities must prioritise, classify and remediate findings, retest, and keep evidence — supervisors expect to see that the programme actually improves resilience over time.

FAQ

Related questions

How often does DORA require testing?

At least yearly for ICT systems supporting critical or important functions, with advanced threat-led penetration testing (TLPT) at least every three years for significant entities.

Does DORA require penetration testing?

Penetration testing is part of the expected range of tests for critical systems within the annual programme, and threat-led penetration testing is explicitly mandated for significant entities.

Can internal teams do the testing?

Only under conditions that preserve independence and avoid conflicts of interest. Many entities use external testers to satisfy the independence expectation, and TLPT has strict independence criteria.