DORA penetration testing and threat-led exercises explained


January 14, 2026
Adam King
Director
The Digital Operational Resilience Act (DORA) introduces a unified framework for managing ICT risk across the European financial sector, with key requirements, including penetration testing, coming into force in 2026. Its aim is to ensure that regulated organisations, and the critical third-party providers they rely on, can withstand, respond to and recover from operational disruptions. Within this context, operational resilience and robust ICT risk management become central to regulatory expectations. Penetration testing plays a significant role in meeting these obligations by providing independent assurance that security controls are effective, appropriately implemented and capable of protecting critical services against realistic threats.
Understanding DORA penetration testing requirements
DORA sets out clear expectations for ICT security testing within Articles 24 and 25, framing penetration testing as a core component of digital operational resilience. These articles require firms to establish a risk-based, multi-layered testing programme that reflects the criticality of their ICT systems and the potential impact of disruption. This includes regular vulnerability assessments, scenario-based exercises and independent penetration testing, with an emphasis on ensuring that testing is proportionate to the operational importance of the systems involved. For functions considered critical or important, the regulation introduces advanced requirements, including Threat-Led Penetration Testing (TLPT), which must be carried out at least every three years.
A key distinction within DORA is the separation between routine security testing and the more sophisticated forms of assurance demanded for higher-risk areas. Standard DORA penetration testing remains essential for validating the effectiveness of technical controls, identifying exploitable weaknesses and providing actionable remediation guidance. The advanced testing obligations go further by requiring firms to simulate real-world threat actors using current threat intelligence, controlled exploitation and detailed scenario planning. This ensures that the resilience of critical services is assessed against the tactics, techniques and procedures most likely to be used by capable adversaries.
For UK-based firms operating in the EU or serving EU clients, DORA’s penetration testing requirements largely complement existing expectations from the PRA and FCA. Both UK regulators have long emphasised risk-based security assurance, independent testing and evidence of continuous improvement. As a result, many organisations will find that their existing assurance frameworks already contain familiar elements.
Routine penetration testing for DORA
Routine DORA penetration testing forms the foundation of an organisation’s broader ICT assurance programme and is expected to cover all key technology layers: infrastructure, applications, cloud environments, APIs and any other components supporting critical business services.
The scope of this testing must be proportionate to the organisation’s risk profile and informed by the criticality of each system. In practice, this means prioritising high-value assets, assessing their dependencies and ensuring that testing activities reflect both the likelihood and potential impact of compromise. This approach aligns with DORA’s overarching requirement for organisations to maintain a structured, risk-based framework for identifying and addressing vulnerabilities.
DORA does not prescribe a fixed testing frequency, but it expects firms and ICT third-party providers to carry out routine pentesting at regular intervals, with more depth where systems support critical or important functions. Assessments must be performed by suitably qualified professionals who can provide objective analysis and identify weaknesses without existing operational bias. For financial entities already familiar with UK regulatory expectations, this will feel consistent with established good practice. By ensuring that routine testing is both independent and risk-aligned, firms can demonstrate ongoing control effectiveness and provide regulators with clear evidence of continuous security improvement.
DORA Threat-Led Penetration Testing (TLPT)
For systems supporting critical or important functions, DORA introduces a higher level of assurance through Threat-Led Penetration Testing (TLPT). Unlike routine penetration testing, TLPT is designed to replicate the behaviour of sophisticated threat actors using current threat intelligence and realistic attack scenarios. These exercises must be conducted at least every three years for entities designated by competent authorities, following methodologies aligned with frameworks such as TIBER-EU.
TLPT begins with a detailed scoping and threat intelligence phase, in which credible attack scenarios are developed based on the organisation’s role in the financial ecosystem, its technology stack and the wider threat landscape. For many financial services firms, this may include modelling tactics used by advanced persistent threat groups or organised criminal actors targeting payment systems, customer data or high-availability platforms. The aim is to create a realistic representation of how a determined attacker would target the organisation’s most valuable assets.
Execution is controlled and collaborative, with testers simulating multi-stage attack paths such as initial compromise, lateral movement and privilege escalation. The focus extends beyond technical weaknesses to assess how well the organisation detects, contains and responds to malicious activity. This provides a more complete view of operational resilience than traditional penetration testing, which typically concentrates on identifying and validating vulnerabilities without contextualising them with cyber threat intelligence.
Independence and tester expertise are essential. DORA threat-led penetration testing must be performed by qualified professionals with proven red-team and threat-intelligence capability, and the process includes defined touchpoints to ensure transparency and consistency. Reporting must provide a narrative account of the simulated attack, evidence of control performance and a clear set of remediation priorities.
By incorporating TLPT, DORA ensures that firms supporting critical financial services can demonstrate resilience against sophisticated and realistic cyber threats, not only in terms of technical security, but also in detection, response and overall operational continuity.
Preparing for a DORA-compliant penetration testing programme
Preparing for DORA’s security testing requirements begins with a clear understanding of how existing assurance activities map to the regulation. A practical first step is to conduct a structured gap analysis, examining current penetration testing projects, vulnerability management and security review processes against DORA’s expectations for risk-based, multi-layered testing. This helps determine whether the current programme is sufficiently comprehensive and whether it adequately covers systems supporting critical or important functions.
A key part of preparation involves mapping business services, assets, compliance needs and sensitive data flows to identify where testing effort should be prioritised. DORA requires firms to maintain visibility of their critical assets and to ensure that penetration testing activities reflect the associated operational impact. This means establishing a clear inventory of systems, understanding the interdependencies between them and aligning penetration testing scopes accordingly. Organisations may also need to introduce more structured testing schedules to ensure that both routine testing and TLPT exercises are carried out at appropriate intervals.
Evidence collection and documentation are equally important. DORA places significant emphasis on demonstrating ongoing control effectiveness, so organisations should ensure they have repeatable processes for recording test results, tracking remediation and producing audit-ready reports. Integrating third-party test results into this process is essential, particularly where external providers, such as managed service providers, deliver key systems or infrastructure. By establishing these foundations early, firms can ensure that their penetration testing programme is not only compliant with DORA but also supports broader operational resilience objectives, providing a consistent and defensible approach to managing risk across the organisation.
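As an added illustration of the structured testing schedule and evidence trail described above (this is example code, not part of the original post), the check below walks a constructed asset inventory and flags systems supporting critical or important functions whose last TLPT is older than the three-year cadence the regulation sets, any system whose routine test is overdue against an assumed policy interval, and open findings past their agreed remediation deadline. The routine intervals, asset names, dates and finding references are assumptions for the example, not figures from DORA.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed routine-test intervals (illustrative policy, not figures from DORA):
# more frequent where a system supports critical or important functions.
ROUTINE_INTERVAL = {"critical": timedelta(days=365), "standard": timedelta(days=730)}
# DORA: TLPT at least every three years for in-scope critical systems.
TLPT_INTERVAL = timedelta(days=3 * 365)
@dataclass
class Finding:
    ref: str
    due: date              # agreed remediation deadline
    closed: bool = False

@dataclass
class Asset:
    name: str
    criticality: str                    # "critical" or "standard"
    last_routine_test: Optional[date]
    last_tlpt: Optional[date] = None    # only meaningful for critical systems
    findings: list = field(default_factory=list)

def assess(inventory: list, today: date) -> dict:
    """Flag overdue routine tests, overdue TLPT and open findings past deadline."""
    report = {"routine_overdue": [], "tlpt_overdue": [], "remediation_overdue": []}
    for a in inventory:
        if a.last_routine_test is None or today - a.last_routine_test > ROUTINE_INTERVAL[a.criticality]:
            report["routine_overdue"].append(a.name)
        # The three-year TLPT cadence applies to critical or important functions only.
        if a.criticality == "critical" and (a.last_tlpt is None or today - a.last_tlpt > TLPT_INTERVAL):
            report["tlpt_overdue"].append(a.name)
        for f in a.findings:
            if not f.closed and f.due < today:
                report["remediation_overdue"].append(f"{a.name}:{f.ref}")
    return report

# Constructed sample inventory: names, dates and findings are illustrative only.
SAMPLE = [
    Asset("payments-gateway", "critical", date(2025, 3, 1), date(2022, 6, 15),
          [Finding("F-001", date(2025, 9, 30))]),
    Asset("customer-portal-api", "critical", date(2024, 11, 20), date(2024, 1, 10)),
    Asset("internal-wiki", "standard", date(2023, 8, 5)),
]
REPORT_DATE = date(2026, 1, 14)   # constructed review date

if __name__ == "__main__":
    for category, names in assess(SAMPLE, REPORT_DATE).items():
        print(f"{category}: {names}")
```

The output is the kind of evidence a supervisor may ask for: which in-scope systems are behind schedule and which remediation actions remain open past their deadline.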
Scoping and delivering DORA penetration tests
Scoping is a key part of delivering penetration tests that meet DORA’s expectations. Organisations should start by defining the purpose of the test and identifying which systems, environments and interfaces fall within scope. Priority should be given to assets that support critical or important functions, along with any dependencies such as cloud services, third-party platforms or exposed APIs. This ensures that the assessments reflect the organisation’s genuine risk profile and provide suitable coverage.
Once testing begins, activities should provide appropriate depth across infrastructure, applications and network boundaries. Routine penetration tests focus on identifying exploitable weaknesses and validating the effectiveness of existing controls. Where DORA requires threat-led pentesting, the approach becomes more targeted, using intelligence-led, realistic attack scenarios to assess how well detection and response processes perform in practice.
Testing should be carried out by qualified assessors who can provide objective findings and avoid conflicts of interest. Regular communication between internal teams and testers helps maintain control, avoid disruption and ensure that the final output meets regulatory needs.
DORA places significant emphasis on clear, accountable reporting that demonstrates how testing activities contribute to ongoing resilience. Penetration test reports should provide a balanced view of findings, the methods used to identify them and the potential impact on critical functions. Regulators expect organisations to present results in a way that links technical risks to operational outcomes, enabling management teams to make informed decisions about remediation priorities.
Effective remediation planning is an essential part of this process. Organisations should document the actions required to address identified weaknesses, assign ownership and establish realistic timescales for completion. Evidence of remediation progress must be maintained, as competent authorities may request updates or review historical records as part of their supervisory activities. For organisations that rely on third-party technology providers, DORA also requires visibility of how external remediation activities are managed and validated. By maintaining thorough, audit-ready documentation, organisations can demonstrate both control effectiveness and a commitment to continuous improvement.
Selecting an external penetration testing provider
Selecting the right DORA penetration testing provider is an important part of meeting assurance requirements. Organisations should look for partners with demonstrable experience in financial services, a strong understanding of regulatory expectations and the capability to deliver both routine penetration testing and, where required, threat-led penetration testing. Accreditation, recognised methodologies and evidence of previous work in regulated environments can help establish confidence in the provider’s technical and organisational competence.
Internal teams should ensure their chosen provider has the information necessary to define a clear scope and understand the operational context of the systems being tested. Clear communication channels, agreed escalation procedures and defined points of contact support safe execution and reduce operational risk. A well-chosen provider not only supports DORA compliance but also contributes to a more resilient, evidence-driven security testing programme.
How can Sentrium help?
Sentrium supports financial services organisations in meeting DORA penetration testing requirements through a structured, risk-based approach to penetration testing. Our team delivers routine penetration testing across infrastructure, applications, cloud and API environments, alongside advanced threat-led assessments aligned with key frameworks.
We help organisations map critical assets, define appropriate scopes and produce regulator-ready reports that clearly evidence control effectiveness. For organisations preparing for TLPT, we provide guidance throughout scoping, intelligence gathering and execution. By combining technical expertise with experience in regulated environments, Sentrium enables clients to build a resilient, compliant and well-documented security testing programme.
If you’d like to discuss your DORA readiness or upcoming testing needs, get in touch with our team to find out more about our penetration testing services.

*** This is a Security Bloggers Network syndicated blog from Cyber security insights & penetration testing advice authored by Adam King. Read the original post at: https://www.sentrium.co.uk/insights/dora-penetration-testing-and-threat-led-exercises-explained
