DORA testing requirements: what financial entities must test
DORA’s resilience-testing pillar turns "we should test our systems" into a documented legal obligation. This guide sets out what that programme has to include.
A documented testing programme
DORA requires in-scope financial entities to establish and maintain a sound, comprehensive digital operational resilience testing programme as part of their ICT risk-management framework. It must be risk-based and cover the ICT systems and applications that support critical or important functions.
The baseline tests
On the systems supporting important functions, entities are expected to carry out a range of tests at least yearly, which may include:
- Vulnerability assessments and scans.
- Network security assessments.
- Gap analyses and configuration/security reviews.
- Source-code reviews where feasible.
- Penetration testing of critical systems.
- Scenario-based tests and end-to-end resilience testing.
Cadence
The baseline programme requires testing of critical and important ICT systems at least once a year. The most significant entities additionally undergo advanced threat-led penetration testing (TLPT) at least every three years.
Who may test
Testing must be performed by independent, qualified parties. Internal testers can be used only under conditions that safeguard independence and avoid conflicts of interest, and TLPT carries stricter requirements on tester competence and independence.
Evidence and remediation
It isn’t enough to run tests. Entities must prioritise, classify and remediate findings, retest, and keep evidence — supervisors expect to see that the programme actually improves resilience over time.
FAQ
Related questions
How often does DORA require testing?
At least yearly for ICT systems supporting critical or important functions, with advanced threat-led penetration testing (TLPT) at least every three years for significant entities.
Does DORA require penetration testing?
Penetration testing is part of the expected range of tests for critical systems within the annual programme, and threat-led penetration testing is explicitly mandated for significant entities.
Can internal teams do the testing?
Only under conditions that preserve independence and avoid conflicts of interest. Many entities use external testers to satisfy the independence expectation, and TLPT has strict independence criteria.
Keep reading
More guides
-
DORA TLPT explained: threat-led penetration testing
For significant entities, DORA mandates advanced threat-led penetration testing. Here’s what TLPT is, who must do it, and how it works.
Read guide -
DORA testing checklist: how to prepare and stay compliant
A practical checklist to build and evidence a DORA-compliant resilience-testing programme — from scoping critical functions to remediation.
Read guide