A Practical DORA Compliance Testing Checklist

Updated: May 29th, 2026

Key Takeaways:

  • DORA testing ensures EU financial entities can withstand and recover from ICT disruptions through continuous, risk-based assessments.
  • Annual reviews, board approvals, and scenario-driven resilience tests are mandatory for compliance.
  • Testing spans ICT risk management, incident response, third-party risk, and threat intelligence sharing.
  • TLPT and regular penetration testing validate real-world readiness against evolving cyber threats.

The Digital Operational Resilience Act (DORA) is a legislative measure of the European Union designed to enhance the digital operational resilience of financial institutions. It has been in effect since January 17, 2025. 

It was drafted to ensure that banks, insurance companies, and other financial intermediaries, as well as stock exchanges and trading platforms, can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions.

DORA (and, by extension, the DORA compliance testing checklist) is relevant to 20 types of financial firms, including large banks and investment companies, insurance providers, and payment institutions that rely on third-party ICT services. All businesses in the EU financial sector must demonstrate their ability to operate continuously, even while targeted by advanced cyberattacks and other technology disruptions.

What is the DORA Testing Framework?

The DORA testing framework is an end-to-end approach for assessing digital operational resilience across the entire spectrum of digital operations. 

Unlike typical compliance drills, testing ICT risk management under DORA requires organizations to demonstrate operational readiness by conducting intense, scenario-based tests that closely resemble real-world events.

DORA Compliance Testing Checklist (2025 Edition)

This checklist helps you evaluate your organization’s preparedness for DORA. It brings together the essential testing areas financial entities need to strengthen digital resilience, streamline compliance efforts, and maintain operational continuity across critical ICT systems.

1. ICT Risk Management Testing

  • Document and review the ICT Risk Management Framework annually.
  • Secure board approval after each annual review.
  • Ensure the framework defines risk tolerance levels, security objectives, and measurable KPIs.
  • Conduct internal ICT audits by certified auditors with ICT risk expertise.

2. Business Impact & Asset Management

  • Perform business impact analyses to quantify potential loss and recovery time objectives.
  • Map critical business functions to ICT infrastructure to identify single points of failure.
  • Maintain an accurate inventory of ICT assets (hardware, software, networks, and cloud).
  • Validate configuration accuracy and change control in the CMDB.

3. Protection, Detection & Recovery Testing

  • Conduct regular automated vulnerability scans on ICT assets.
  • Test access systems, encryption, endpoint protection, and network separation.
  • Validate incident detection capabilities, including automated SOC alerts and human analysis.
  • Test recovery capabilities to ensure timely system and data restoration.

4. Incident Management & Reporting

  • Test disaster recovery and incident response processes annually.
  • Conduct tabletop exercises simulating ransomware and other real-world attack scenarios.
  • Involve technical, legal, and executive teams in incident response drills.
  • Validate incident classification, escalation, and communication protocols.

5. Cyber Operational Resilience Testing

  • Establish a continuous testing program for ICT system stability and recovery.
  • Perform foundational vulnerability testing at least once a year.
  • Schedule automated external scanning weekly for critical assets.
  • Conduct OSS scans to identify vulnerabilities in open-source components.
  • Perform network, physical, and source code security assessments.

6. Penetration Testing & TLPT

  • Conduct regular penetration testing to evaluate controls, detection, and response.
  • Run Threat-Led Penetration Tests (TLPT) every three years or after major system changes.
  • Simulate advanced adversarial scenarios reflecting real-world threat behavior.

7. Third-Party Risk Management Testing

  • Review ICT service provider contracts for DORA-specific clauses and risk allocation.
  • Assess third-party security posture, incident track record, and operational resilience.
  • Maintain an updated record of all ICT service providers and dependencies.
  • Test exit strategies for critical providers, ensuring data portability and continuity.
  • Perform due diligence testing when onboarding new ICT vendors.

8. Threat Intelligence & Information Sharing

  • Test procedures for receiving, analyzing, and acting on threat intelligence.
  • Verify integrations with industry or regulatory intelligence feeds.
  • Review anonymization and protection mechanisms for shared data.
  • Ensure compliance with non-disclosure and data-sharing regulations.

9. Continuous Compliance & Reporting

  • Maintain audit-ready records for all ICT tests, results, and corrective actions.
  • Use dashboards or reports to track remediation progress and resilience metrics.
  • Align testing cadence with business operations and regulatory expectations.

Testing the ICT Risk Management Framework

Robust ICT risk management testing is the foundation of DORA compliance. The risk management framework applicable to ICT should be documented and reviewed at least annually with the board.

Conduct Annual Review and Secure Board Approval

Reviewing the ICT risk management framework requires an in-depth analysis of its alignment with business objectives. Organizations need to demonstrate that their framework incorporates explicit levels of risk tolerance, outlines information security objectives, and establishes KPIs.

ICT risk management should be audited internally by professionally qualified internal auditors who possess the necessary knowledge, skills, and experience in ICT risks. Such auditors should carry out reviews in accordance with the audit plan of the financial entity. 

Analyze Business Impact and Asset Management

Business impact analysis is an essential part of testing ICT risk management. Enterprises should systematically assess the impact of ICT disruptions on key business activities and put a value on possible losses as well as recovery time objectives. 

The mapping of critical business processes to the underlying ICT infrastructure should be covered in this analysis to identify single points of failure and knock-on impacts of system failures.

All organizational ICT assets, including hardware, software, network elements, and cloud resources, should be inventoried accurately. Configuration Management Database (CMDB) testing requirements include validating asset discovery procedures, verifying the accuracy of stored configurations, and ensuring effective change control.

Test for Protection, Detection, and Recovery 

Protection testing assesses security mechanisms in place to deter ICT incidents. Regular automated vulnerability scans need to be performed on ICT assets, with testing also covering access systems, cryptographic mechanisms, network separation, and endpoint protection. 

Testing of the detection capability is conducted to confirm that an organization can quickly and effectively identify and respond to ICT incidents. The testing should confirm both automated detection and human analysis processes for SOC monitoring.

Testing recovery capabilities is one of the most critical DORA requirements. Organizations must regularly verify their ability to recover systems and data within a specified timeframe. 

Testing Incident Management & Reporting

Good disaster recovery testing ensures companies can adequately respond to ICT outages, quickly and effectively address these issues with minimal impact on the business’s overall performance, and satisfy post-test reporting expectations.

Run Incident Response Plan Simulations

Tabletop exercises are an effective way to rehearse incident responses under DORA without disrupting operations. These simulations should be realistic and accurately reflect the environment, for example ransomware-type attacks that impact critical customer-facing systems.

Companies need to have technical, legal, corporate, and senior management personnel on their incident response team. The drills should assess how well departments coordinate and how escalation procedures are followed. 

Undertake Classification and Communication Testing

The DORA compliance testing checklist should provide clear criteria for classifying an ICT incident, and management should apply these criteria consistently when responding to incidents. Testing should verify that classification methods appropriately capture incident severity and trigger proper reporting procedures.

Communication testing is necessary because failed or compromised communication channels significantly worsen the impact of ICT incidents. Organizations should test whether internal and external communication channels will function as planned.

Cyber Operational Resilience Testing for DORA

Organizations should maintain an effective operational resilience testing program that thoroughly checks the stability and recoverability of critical ICT systems, while identifying any gaps that may exist.

Foundational Testing Requirements

Organizations must conduct foundational testing annually across multiple assessment categories. The basis for cyber operational resilience testing is regular vulnerability assessment.

External scanning of ICT assets supporting critical functions must be performed automatically at least once a week. Enterprises should invest in end-to-end vulnerability management programs, such as Astra Security, which offer continuous monitoring of vulnerabilities and identify gaps where adversaries could gain an initial foothold.
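As an added example (not code from the original article or from Astra Security), the following Python check applies the cadences this page states, weekly external scans for assets supporting critical functions, annual foundational vulnerability assessment for every asset, and TLPT every three years, to a constructed asset inventory and reports which evidence is missing or stale. It assumes a year is 365 days and that weekly scanning and TLPT obligations attach only to critical-function assets; asset names and dates are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Cadences stated on the page. A year is approximated as 365 days (assumption).
# TLPT "after major system changes" is not modelled here.
CADENCE_DAYS = {"external_scan": 7, "vuln_assessment": 365, "tlpt": 3 * 365}


@dataclass
class Asset:
    name: str
    supports_critical_function: bool
    last_tests: dict  # test kind -> date of the last evidenced test


def required_tests(asset):
    """Annual vulnerability assessment applies to all assets; weekly external
    scanning and TLPT only to assets supporting critical functions (assumption)."""
    kinds = ["vuln_assessment"]
    if asset.supports_critical_function:
        kinds = ["external_scan", "vuln_assessment", "tlpt"]
    return kinds


def overdue_tests(asset, today):
    """Return {kind: days_overdue} for each required test that is stale.
    A test with no evidence at all maps to None (overdue, age unknown)."""
    findings = {}
    for kind in required_tests(asset):
        last = asset.last_tests.get(kind)
        if last is None:
            findings[kind] = None
            continue
        age = (today - last).days
        if age > CADENCE_DAYS[kind]:
            findings[kind] = age - CADENCE_DAYS[kind]
    return findings


def audit(assets, today):
    """Map each asset name to its overdue tests; compliant assets are omitted."""
    report = {}
    for asset in assets:
        findings = overdue_tests(asset, today)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory, not real data.
TODAY = date(2026, 5, 29)
SAMPLE_ASSETS = [
    Asset("payments-gateway", True, {"external_scan": TODAY - timedelta(days=12),
                                     "vuln_assessment": TODAY - timedelta(days=200),
                                     "tlpt": TODAY - timedelta(days=730)}),
    Asset("hr-portal", False, {"vuln_assessment": TODAY - timedelta(days=400)}),
    Asset("core-banking", True, {}),  # critical, but no test evidence recorded
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ASSETS, TODAY).items():
        print(name, findings)
```

Feeding the output into the audit-ready records that section 9 of the checklist calls for gives a dated, reproducible statement of which cadence obligations were unmet at the time of the check.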

Open-source components introduce a significant number of security challenges, including vulnerabilities that affect multiple applications across an organization. OSS (Open Source Software) scanning is the practice of examining applications to discover their open-source components, assess their security standing, and record known vulnerabilities.

Network security assessments under a DORA compliance testing checklist will examine the configuration of the network infrastructure (such as external perimeter defense, internal segmentation, and wireless networks). These reviews should evaluate the configuration of firewalls, intrusion detection systems, network access controls, and monitoring. 

Organizations can use specialized network security platforms that provide an in-depth examination of network configurations for comprehensive network security testing.

The physical security assessment will provide assurance that ICT assets and the infrastructure supporting them are protected against physical threats. This includes evaluating security in data centers, access to offices, device management, and the overall environment. Testers should attempt to defeat or circumvent physical security controls and assess the effectiveness of monitoring systems.

Source code reviews are used to find security holes in in-house applications. Such reviews should examine coding practices and the extent to which security controls are implemented, as well as compliance with secure development standards. 

Companies should establish review processes for both automated code analysis and manual security checks, particularly for applications that process sensitive data or enable critical business operations.

Conduct Penetration Testing and Advanced Assessments

Penetration testing provides an accurate representation of an organization’s security posture by employing the same tools and techniques that threat actors would use in a real-world scenario.

Such tests should evaluate security controls, detection effectiveness, and response times. 

Testing ICT Third-Party Risk Management

As DORA covers 20 types of financial institutions and the ICT third-party service providers that support them, third-party risk management testing is critical for compliance.

Review Contractual Arrangements for DORA Clauses

Enterprises need to review and revise their contracts with ICT service providers to address DORA requirements. This involves reviewing current agreements to identify any areas that require updates, negotiating revised language that addresses DORA requirements, and finalizing risk allocation.

Assess the Third-Party Risk

The security posture and the operational availability of an ICT service provider shall be assessed. Credit institutions shall also maintain records of their contractual relationships with third-party ICT service providers at the entity, sub-consolidation, and consolidation levels. 

This third-party risk evaluation should assess service criticality, provider security controls, incident track record, and general risk management principles.

Test the Exit Strategies for Critical ICT Third-Party Providers

An exit strategy audit ensures that organizations can disengage from critical ICT service providers when necessary. This testing should cover data portability, alternative provider arrangements, and business contingency during a migration.

Testing should also cover scenarios that require rapid exit decisions, such as the loss of a service provider or a security incident.

Run Due Diligence Tests for Onboarding New Third-Party Providers

Due diligence testing focuses on processes to assess and onboard new ICT services. This should include checks on security, references provided (whether professional or personal), and an investigation into financial stability. Testing is intended to ensure that due diligence identifies related risks and facilitates a balanced negotiation of contracts.

Testing Information & Intelligence Sharing

Validate the Procedures for Receiving and Actioning Threat Intel

Information sharing testing ensures that organizations can effectively consume, understand, and operationalize threat intelligence. This includes verifying integration with industry threat intelligence sources, evaluating analytical capabilities, and testing the process of translating intelligence into security enhancements.

Review the Anonymization and Protection Processes for Shared Data

Organizations must safeguard sensitive information and comply with non-disclosure agreements when sharing threat data with other entities or law enforcement. Anonymization protocols, data protection measures, and access control for the information systems involved should be tested.

How can Astra Security Help?

Astra Security empowers financial institutions to meet DORA’s ICT risk management and operational resilience requirements through an intelligent, continuous testing platform. Uniting automated vulnerability scanning, manual pentesting, and guided remediation, our team enables your organization to detect, prioritize, and resolve security gaps discovered through the DORA compliance testing checklist before they impact operations.

As a CREST-certified, CERT-In empanelled, and PCI ASV vendor, Astra Security integrates seamlessly into CI/CD pipelines to support threat-led testing, regulatory reporting, and ongoing compliance with SOC 2, ISO 27001, and PCI-DSS, driving continuous resilience at engineering speed.

Key Advantages:

  • Run 15,000+ automated tests across web apps, APIs, and cloud assets.
  • Conduct TLPT-aligned, real-world attack simulations for DORA compliance.
  • Collaborate with experts and validate remediations via smart rescans.
  • Access audit-ready, executive reports to demonstrate compliance maturity.

Final Thoughts

The DORA testing framework establishes a complete approach to ensuring the digital operational resilience of financial services firms throughout the EU. At every level, ranging from baseline vulnerability assessments to threat-led penetration testing, organizations need to demonstrate that they can withstand and recover from ICT disturbances.

A risk-based DORA compliance testing checklist ensures that companies allocate the necessary resources to resilience.

To succeed at DORA compliance, a shift toward proactive risk management, continuous testing, and collaborative defense is a must. Astra Security enables organizations seeking rigorous security testing and alignment with DORA guidelines to shift left.

FAQs

Who must comply with DORA?

DORA applies to all financial entities operating in the EU, including banks, insurers, investment firms, payment institutions, and ICT service providers supporting them. Any organization providing critical digital or operational services to these entities must also comply with DORA.

What is TLPT under DORA?

TLPT, or Threat-Led Penetration Testing, is a DORA requirement mandating financial entities to simulate real-world cyberattacks. It assesses critical systems, processes, and controls against advanced threats, ensuring operational resilience and compliance with DORA’s stringent ICT risk management and testing framework.

How often should operational resilience testing be done?

DORA requires financial entities to perform regular operational resilience testing at least annually. However, threat-led penetration tests must be conducted every three years or when significant system or business changes occur to validate the organization’s digital resilience posture.