{"id":39898,"date":"2025-08-03T00:34:36","date_gmt":"2025-08-02T19:04:36","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=39898"},"modified":"2025-11-21T17:37:51","modified_gmt":"2025-11-21T12:07:51","slug":"dora-penetration-testing","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/compliance\/dora-penetration-testing\/","title":{"rendered":"DORA Penetration Testing: What CTOs and CISOs Need to Know"},"content":{"rendered":"<div class=\"gb-container gb-container-e43a8917\">\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Key_Takeaways\"><\/span>Key Takeaways<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DORA uses penetration testing to prove that systems can withstand real-world cyber threats, not just find vulnerabilities.<\/li>\n\n\n\n<li>Every financial entity is in scope; systemically important ones face stricter, threat-led testing requirements.<\/li>\n\n\n\n<li>Tests must be risk-driven, intelligence-informed, and tied to governance, with clear documentation and remediation.<\/li>\n\n\n\n<li>Third-party vendors and non-EU providers aren\u2019t exempt if they support critical functions.<\/li>\n<\/ul>\n\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The Digital Operational Resilience Act (DORA) is the EU\u2019s response to the increasing operational risks posed by an interconnected financial system. It\u2019s about more than cybersecurity; it\u2019s about proving that financial institutions can keep critical services running through disruption.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s where DORA penetration testing fits in. It shifts testing from a technical task to a strategic control, one that connects technology, risk, and business continuity. 
Understanding who is in scope, what is required, and how to operationalize it is now essential.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_DORA_Penetration_Testing\"><\/span>What is DORA Penetration Testing?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">DORA penetration testing is a structured, risk-driven simulation designed to emulate real-world threat conditions. Depending on the criticality of the entity and its functions, DORA defines two key layers of penetration testing: <strong>baseline annual testing<\/strong> for all financial entities, and <strong>threat-led penetration testing (TLPT)<\/strong> for institutions deemed systemically important.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These requirements signal a shift in regulatory expectations from vulnerability identification to operational proof of cyber resilience.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"768\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/07\/88bcc64d-process-of-dora-penetration-test.jpg\" alt=\"Process of DORA Penetration Test\" class=\"wp-image-39909\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Article 24: Annual Testing Program for All Financial Entities<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">DORA\u2019s testing framework begins with a broad mandate that states all regulated financial entities must run an annual security test tailored to the nature, scale, and complexity of their ICT landscape, explicitly calling for the <em>prioritization of systems supporting critical functions with a threat-informed lens<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Penetration testing isn\u2019t a standalone task here. 
It must be part of a broader risk strategy, where you choose what to test based on the potential damage an attack could cause, whether that\u2019s from data loss, business disruption, or service downtime. Simply put, this article applies to:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. All regulated financial entities, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Banks (retail, investment, and commercial),<\/li>\n\n\n\n<li>Insurance undertakings,<\/li>\n\n\n\n<li>Investment firms and asset managers,<\/li>\n\n\n\n<li>Payment institutions and e-money institutions,<\/li>\n\n\n\n<li>Credit rating agencies,<\/li>\n\n\n\n<li>Crowdfunding service providers, and<\/li>\n\n\n\n<li>Crypto-asset service providers (if within the scope of EU MiCA regulation).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">2. Microenterprises, albeit with proportional expectations, where testing programs can be scaled down based on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Business model,<\/li>\n\n\n\n<li>Size of ICT estate, and<\/li>\n\n\n\n<li>Degree of digital exposure.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Overall, <a href=\"https:\/\/www.digital-operational-resilience-act.com\/Article_24.html\" target=\"_blank\" rel=\"noopener\">Article 24<\/a> encourages financial firms to adopt more consistent and disciplined testing practices to guide top-level decision-making, shape remediation plans, and enhance resilience over time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Article 26: Threat-Led Penetration Testing (TLPT)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Institutions identified as having systemic relevance to financial stability are subject to TLPT, a more rigorous, intelligence-driven assessment conducted at least every three years that replicates the tactics, techniques, and procedures of advanced threat actors.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike traditional penetration testing, TLPT seeks to understand how far an attacker could realistically penetrate, what could be accessed, how long they could remain undetected, and whether incident handling mechanisms are capable of containing the threat promptly. Entities likely to qualify for TLPT include:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. Top-tier banking groups and central clearing counterparties<\/strong>, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Major retail and investment banks (e.g., BNP Paribas, Deutsche Bank)<\/li>\n\n\n\n<li>Globally Systemically Important Banks (G-SIBs)<\/li>\n\n\n\n<li>Central securities depositories and settlement infrastructures<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. 
Market infrastructure providers<\/strong>, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stock exchanges (e.g., Euronext)<\/li>\n\n\n\n<li>Payment systems operators (e.g., TARGET2, SEPA processors)<\/li>\n\n\n\n<li>Large custodians or transaction processors<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>3. Significant insurance groups<\/strong>, particularly those offering services across multiple jurisdictions or managing large-scale digital underwriting and claims systems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>4. Critical third-party providers<\/strong>, when supporting essential functions for multiple financial entities, are subject to inclusion in TLPT scoping under collaborative arrangements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Moreover, Article 26 requires that this adversary simulation be conducted by independent, certified testers under the oversight of national competent authorities, which ensures operational transparency and a level of assurance that goes beyond internal declarations or third-party attestations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What Does the RTS Clarify? (And What It Doesn\u2019t)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">While the above articles outline the broad contours of pentesting requirements under DORA, the <strong>Regulatory Technical Standards (RTS)<\/strong>, developed by the European Supervisory Authorities (ESAs), are crucial for understanding their implementation. The RTS provides detailed clarity on some operational elements while deliberately leaving room for institutional interpretation in others.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Key Areas Where RTS Provides Clarity<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. 
Testing Scope and Frequency<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Annual <a href=\"https:\/\/www.getastra.com\/blog\/penetration-testing\/penetration-testing\/\" data-type=\"link\" data-id=\"https:\/\/www.getastra.com\/blog\/penetration-testing\/penetration-testing\/\">penetration testing<\/a> is the baseline requirement under Article 24.<\/li>\n\n\n\n<li>TLPT must be conducted <strong>at least once every three years<\/strong> for qualifying institutions.<\/li>\n\n\n\n<li>Testing must be <strong>risk-based<\/strong>, i.e., it must calibrate scope &amp; intensity per system criticality and threat exposure.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. Critical Functions and System Mapping<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RTS requires identification and documentation of critical and important functions (CIFs).<\/li>\n\n\n\n<li>Institutions must maintain an up-to-date inventory of ICT assets, including their interdependencies and third-party integrations.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>3. Independence and Qualifications of Testers<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Penetration testers for TLPT must be independent of the systems they test and certified by a recognized authority such as <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/crest-accredited-penetration-testing\/\">CREST<\/a>, OSCP, or <a href=\"https:\/\/www.ecb.europa.eu\/paym\/cyber-resilience\/tiber-eu\/html\/index.en.html\" target=\"_blank\" rel=\"noopener\">TIBER-EU<\/a>.<\/li>\n\n\n\n<li>Institutions must document how such independence is ensured, including policies for rotation and conflict of interest declarations.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">4. 
<strong>Governance and Oversight<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Testing programs must be formally approved by senior management.<\/li>\n\n\n\n<li>Results must be integrated into risk management, incident response, and remediation planning workflows to ensure effective management.<\/li>\n\n\n\n<li>TLPT exercises must include regulatory notification and, in some cases, supervisory coordination (e.g., approval of scope, observer rights).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>5. Reporting and Documentation<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Institutions are required to maintain <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/penetration-testing-report\/\">detailed <strong>testing reports<\/strong><\/a>, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Objectives and scope<\/li>\n\n\n\n<li>Methodologies used<\/li>\n\n\n\n<li>Findings and severity ratings<\/li>\n\n\n\n<li>Root cause analysis<\/li>\n\n\n\n<li>Remediation actions and timelines<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Where the RTS Leaves Room for Interpretation<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Despite the technical depth, RTS intentionally avoids excessive rigidity. 
This is to accommodate the diversity of entity sizes, business models, and technological architectures across the European financial sector.&nbsp;<\/p>\n\n\n\n<table id=\"tablepress-230\" class=\"tablepress tablepress-id-230 column1-color\">\n<thead>\n<tr class=\"row-1\">\n\t<th class=\"column-1\">Area of Interpretation<\/th><th class=\"column-2\">What the RTS States<\/th><th class=\"column-3\">What This Means in Practice<\/th>\n<\/tr>\n<\/thead>\n<tbody class=\"row-striping row-hover\">\n<tr class=\"row-2\">\n\t<td class=\"column-1\">Granularity of TLPT Scenarios<\/td><td class=\"column-2\">Requires realistic adversary emulation but does not mandate a standard threat library or attack set.<\/td><td class=\"column-3\">Institutions must develop tailored scenarios using relevant threat intelligence and sector-specific risks.<\/td>\n<\/tr>\n<tr class=\"row-3\">\n\t<td class=\"column-1\">Definition of \"Proportionality\"<\/td><td class=\"column-2\">Recognizes that smaller entities can scale testing efforts, but provides no fixed thresholds.<\/td><td class=\"column-3\">Microenterprises must apply judgment in reducing test scope or frequency without compromising core resilience.<\/td>\n<\/tr>\n<tr class=\"row-4\">\n\t<td class=\"column-1\">Tooling and Methodology<\/td><td class=\"column-2\">Does not prescribe a specific framework for baseline testing.<\/td><td class=\"column-3\">Entities must select industry-accepted methodologies (e.g., OWASP, NIST, OSSTMM) aligned with ICT complexity.<\/td>\n<\/tr>\n<tr class=\"row-5\">\n\t<td class=\"column-1\">Integration with External Frameworks<\/td><td class=\"column-2\">Acknowledges frameworks like TIBER-EU, CBEST, and iCAST but stops short of prescribing how they should be integrated.<\/td><td class=\"column-3\">Institutions may adopt or align with these frameworks, but must ensure coherence with DORA\u2019s core requirements.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n<div class=\"gb-container gb-container-9c250209\">\n\n<p 
class=\"wp-block-paragraph\"><strong><em>Note:<\/em><\/strong> Microenterprises are subject to DORA&#8217;s penetration testing requirements but may apply proportionality based on size and ICT complexity. Testing can be scaled, but not skipped.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Meanwhile, third-party ICT service providers, particularly those supporting CIFs, are coming under increasing scrutiny. While not regulated directly under DORA, they may be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Included in TLPT exercises as part of cross-organizational threat scenarios.<\/li>\n\n\n\n<li>Required to support access, documentation, and coordination during testing.<\/li>\n\n\n\n<li>Subject to oversight under DORA\u2019s critical third-party oversight framework (e.g., cloud infrastructure, core banking platforms).<\/li>\n<\/ul>\n\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"TLPT_vs_Traditional_Penetration_Testing\"><\/span>TLPT vs. Traditional Penetration Testing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<table id=\"tablepress-231\" class=\"tablepress tablepress-id-231 column1-color\">\n<thead>\n<tr class=\"row-1\">\n\t<th class=\"column-1\">Dimension<\/th><th class=\"column-2\">Traditional Penetration Testing<\/th><th class=\"column-3\">Threat-Led Penetration Testing (TLPT)<\/th>\n<\/tr>\n<\/thead>\n<tbody class=\"row-striping row-hover\">\n<tr class=\"row-2\">\n\t<td class=\"column-1\">Objective<\/td><td class=\"column-2\">Identify technical vulnerabilities<\/td><td class=\"column-3\">Emulate real-world threat scenarios to test resilience<\/td>\n<\/tr>\n<tr class=\"row-3\">\n\t<td class=\"column-1\">Approach<\/td><td class=\"column-2\">Checklist- or tool-based; follows known attack paths<\/td><td class=\"column-3\">Intelligence-driven; mimics TTPs of specific threat actors<\/td>\n<\/tr>\n<tr class=\"row-4\">\n\t<td class=\"column-1\">Scope<\/td><td class=\"column-2\">Defined by asset inventory or technical 
boundaries<\/td><td class=\"column-3\">Scoped to critical functions and systems based on risk\/threat mapping<\/td>\n<\/tr>\n<tr class=\"row-5\">\n\t<td class=\"column-1\">Frequency<\/td><td class=\"column-2\">At least annually (under DORA Article 24)<\/td><td class=\"column-3\">At least every three years (under <a href=\"https:\/\/www.digital-operational-resilience-act.com\/Article_26.html\" target=\"_blank\" rel=\"noopener\">DORA Article 26<\/a>)<\/td>\n<\/tr>\n<tr class=\"row-6\">\n\t<td class=\"column-1\">Depth<\/td><td class=\"column-2\">Surface-to-mid-layer testing<\/td><td class=\"column-3\">Deep, lateral movement across systems and users<\/td>\n<\/tr>\n<tr class=\"row-7\">\n\t<td class=\"column-1\">Testing Team<\/td><td class=\"column-2\">Internal or external testers<\/td><td class=\"column-3\">Certified, independent red teams<\/td>\n<\/tr>\n<tr class=\"row-8\">\n\t<td class=\"column-1\">Regulatory Involvement<\/td><td class=\"column-2\">Minimal, mostly internal reporting<\/td><td class=\"column-3\">Regulatory oversight and notification are required<\/td>\n<\/tr>\n<tr class=\"row-9\">\n\t<td class=\"column-1\">Test Basis<\/td><td class=\"column-2\">Technical configurations, OWASP Top 10, CVE libraries<\/td><td class=\"column-3\">Sector-specific threat intelligence and adversary emulation<\/td>\n<\/tr>\n<tr class=\"row-10\">\n\t<td class=\"column-1\">Outcomes<\/td><td class=\"column-2\">Vulnerability list and remediation plan<\/td><td class=\"column-3\">Operational insight into detection, response, and containment capability<\/td>\n<\/tr>\n<tr class=\"row-11\">\n\t<td class=\"column-1\">Post-Test Actions<\/td><td class=\"column-2\">Fix technical issues; update patch cycles<\/td><td class=\"column-3\">Improve response playbooks, escalation chains, and monitoring controls<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n<h3 class=\"wp-block-heading\">How TLPT Aligns with TIBER-EU and Intelligence-Led Testing Frameworks<\/h3>\n\n\n\n<p 
class=\"wp-block-paragraph\">TLPT under DORA isn\u2019t a brand-new concept; it closely mirrors the <strong>TIBER-EU<\/strong> framework developed by the European Central Bank. Like TIBER-EU, TLPT is designed to simulate realistic, high-impact cyberattacks against critical business services using actual threat intelligence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s what TLPT (and TIBER-EU) have in common:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tests are based on actual threat actors, not guesswork.<\/li>\n\n\n\n<li>They look at <strong>people, processes, and technology<\/strong>, not just software.<\/li>\n\n\n\n<li>There\u2019s close coordination with regulators on scope, safety, and reporting.<\/li>\n\n\n\n<li>Internal \u201cwhite teams\u201d monitor the test to keep it controlled and safe.<\/li>\n\n\n\n<li>You get insights into your full response cycle: detection, containment, communication, and recovery.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">DORA doesn\u2019t say you <em>have<\/em> to use TIBER-EU. 
But if you&#8217;re already doing it, or using CBEST (UK) or iCAST (Asia), you\u2019re most of the way there.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Who Can Perform TLPT?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">DORA sets strict rules about who\u2019s allowed to perform TLPT. Only qualified, independent red teams are permitted. Here\u2019s what\u2019s required:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Independence:<\/strong> The testers must have no role in building or managing the systems being tested.<\/li>\n\n\n\n<li><strong>Certification:<\/strong> Teams must be credentialed by recognized bodies, such as:\n<ul class=\"wp-block-list\">\n<li>TIBER-EU certified providers<\/li>\n\n\n\n<li>CREST-accredited red teams<\/li>\n\n\n\n<li>OSCP\/OSCE-certified professionals with red teaming experience<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Experience:<\/strong> Vendors must demonstrate a proven track record with high-stakes, regulated systems, particularly those associated with critical infrastructure.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In addition:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Institutions must carry out formal <strong>due diligence<\/strong> on TLPT vendors.<\/li>\n\n\n\n<li>Vendor selection should be <strong>documented and justifiable<\/strong>.<\/li>\n\n\n\n<li>Regulators may require <strong>involvement in scope-setting<\/strong>, and firms must be prepared to <strong>share results<\/strong> as part of the oversight process.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Are_You_on_the_Hook_Who_Must_Comply_with_DORAs_Testing_Mandates\"><\/span>Are You on the Hook? 
Who Must Comply with DORA\u2019s Testing Mandates<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"768\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/07\/7d2a433b-dora-penetration-testing-scope-matrix.jpg\" alt=\"DORA Penetration Testing Scope Matrix\" class=\"wp-image-39910\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">DORA\u2019s testing requirements apply not only to banks and insurance firms but also to other financial institutions. They cover the full operational footprint of the EU financial sector, including vendors, platforms, and non-EU tech providers that enable critical functions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Financial Entities: From Systemically Important to Payment Startups<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">All regulated financial entities in the EU fall under DORA. This includes major banks and insurers, as well as fintechs, payments firms, and cryptocurrency platforms. Scale does not exempt. If you operate in the EU financial system, you\u2019re expected to test ICT resilience proportionately, but rigorously.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SaaS &amp; ICT Vendors: Direct or Indirect Responsibility<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Vendors that enable or host critical functions, via APIs, cloud services, or core infrastructure, are increasingly within scope. Even without direct regulatory exposure, you may be required to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Participate in a client\u2019s threat-led test<\/li>\n\n\n\n<li>Support secure access and test environments<\/li>\n\n\n\n<li>Provide evidence of your testing discipline<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Expect DORA-aligned clauses in contracts and security reviews. 
Engineering and product leaders must design systems for testability and transparency, not just performance. To assess and operationalize vendor readiness:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Map critical dependencies<\/strong> to understand which vendors support regulated functions.<\/li>\n\n\n\n<li><strong>Update contracts<\/strong> to include provisions for testing participation, data sharing, and access to simulations.<\/li>\n\n\n\n<li><strong>Request evidence<\/strong> of their testing programs and how they support TLPT readiness (e.g., isolated environments, audit logs).<\/li>\n\n\n\n<li><strong>Evaluate coordination capability:<\/strong> how vendors will respond to simulated threats, manage communications, and support investigation.<\/li>\n\n\n\n<li>Include third parties in <strong>joint tabletop exercises<\/strong> to validate their integration in your detection and response chain.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">DORA treats digital resilience as a shared obligation. Your vendors are either an extension of your strength or a source of unmanaged risk.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What If You\u2019re a Non-EU Company Serving EU Banks?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Location offers no immunity. If you serve EU-regulated clients, you may be asked to support red teaming exercises, enable access for supervised testing, or demonstrate resilience controls.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Prepare to offer isolated test environments, support client-led simulations, and show readiness for joint operational testing. 
DORA is quickly becoming a procurement filter, where non-compliance will impact access to European financial clients.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The \u201cCriticality\u201d Test: What Triggers TLPT<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Supervisors apply a risk-based lens to determine who must undergo threat-led testing. Factors include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Role in critical transactions or services<\/li>\n\n\n\n<li>Interconnection with other institutions<\/li>\n\n\n\n<li>Operational impact in case of disruption<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If your system enables core processes, such as payments, trading, and credit decisions, you may be subject to TLPT, either directly or through client integration.<\/p>\n\n\n<div class=\"gb-container gb-container-3cbd7f5a\">\n\n<h3 class=\"wp-block-heading\">Subcontractors, Shared Risk, and the Compliance Blind Spot<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">DORA makes it clear that regulated entities are accountable for the resilience of their vendors. If your service underpins theirs, you may be pulled into their testing scope.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Implications:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SLAs and contracts must support test participation<\/li>\n\n\n\n<li>Architecture must allow safe, observable testing<\/li>\n\n\n\n<li>Test refusal or fragility could become a deal-breaker<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Resilience is no longer internal. 
It\u2019s shared and visible.<\/p>\n\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Regulators_Expect_Reporting_and_Documentation_Requirements\"><\/span>What Regulators Expect: Reporting and Documentation Requirements<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<table id=\"tablepress-232\" class=\"tablepress tablepress-id-232 column1-color\">\n<thead>\n<tr class=\"row-1\">\n\t<th class=\"column-1\">Regulatory Requirement<\/th><th class=\"column-2\">What It Means<\/th><th class=\"column-3\">Documentation Required<\/th>\n<\/tr>\n<\/thead>\n<tbody class=\"row-striping row-hover\">\n<tr class=\"row-2\">\n\t<td class=\"column-1\">Defined Testing Strategy<\/td><td class=\"column-2\">Annual testing aligned with risk profile and business functions<\/td><td class=\"column-3\">Testing policy, annual test plan, risk classification of ICT assets<\/td>\n<\/tr>\n<tr class=\"row-3\">\n\t<td class=\"column-1\">Clear Scope and Criticality Mapping<\/td><td class=\"column-2\">Focus on systems supporting critical functions<\/td><td class=\"column-3\">Asset inventory with business impact mapping, critical function registry<\/td>\n<\/tr>\n<tr class=\"row-4\">\n\t<td class=\"column-1\">Qualified &amp; Independent Test Execution<\/td><td class=\"column-2\">Internal or external testers must be qualified and demonstrably independent<\/td><td class=\"column-3\">Tester credentials, independence declarations, vendor assessments<\/td>\n<\/tr>\n<tr class=\"row-5\">\n\t<td class=\"column-1\">Methodology Transparency<\/td><td class=\"column-2\">Use of structured frameworks for pen testing and TLPT<\/td><td class=\"column-3\">Methodological framework (e.g., TIBER-EU, NIST), test scripts, threat models<\/td>\n<\/tr>\n<tr class=\"row-6\">\n\t<td class=\"column-1\">Evidence of Testing and Findings<\/td><td class=\"column-2\">Testing must generate actionable insights and demonstrate coverage<\/td><td class=\"column-3\">Test reports, logs, screenshots, 
lateral movement paths, root cause summaries<\/td>\n<\/tr>\n<tr class=\"row-7\">\n\t<td class=\"column-1\">Remediation and Risk Treatment<\/td><td class=\"column-2\">Gaps must be tracked, prioritized, and resolved on time<\/td><td class=\"column-3\">Remediation tracker, ticketing logs, sign-offs, risk acceptance statements<\/td>\n<\/tr>\n<tr class=\"row-8\">\n\t<td class=\"column-1\">Governance and Reporting Oversight<\/td><td class=\"column-2\">Senior management must review and own testing outcomes<\/td><td class=\"column-3\">Board or committee briefings, risk reports, corrective action dashboards<\/td>\n<\/tr>\n<tr class=\"row-9\">\n\t<td class=\"column-1\">Regulator Coordination (TLPT)<\/td><td class=\"column-2\">Pre-approval and observation may be required for high-impact institutions<\/td><td class=\"column-3\">Communications with competent authorities, scope sign-off, observer notes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_Can_Astra_Help\"><\/span>How Can Astra Help?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As a CREST-accredited and PCI ASV-certified platform, <a href=\"https:\/\/www.getastra.com\/contact-us\">Astra Security<\/a> helps organizations meet DORA\u2019s security testing and resilience requirements through continuous, automated, and manual VAPT. 
Its PTaaS platform offers web app, API, and cloud infrastructure testing, all mapped to real-world risk and compliance needs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1238\" height=\"842\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/07\/18de365f-image.png\" alt=\"Astra DORA penetration testing\" class=\"wp-image-39911\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">With 15,000+ test cases, expert-validated findings, and audit-ready reports, Astra enables ongoing threat exposure management, fix validation, and incident readiness. Built-in CI\/CD integration, role-based access, and compliance tracking ensure that security is embedded into digital operations, as mandated by DORA.<\/p>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Final_Thoughts\"><\/span>Final Thoughts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">DORA penetration testing is a signal that operational resilience is now a board-level, engineering-deep mandate. The challenge ahead isn\u2019t whether to act, but how quickly and confidently you can align testing with real-world threats and regulatory scrutiny.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From here, the priority is clarity: clarity on what is critical, who is responsible, and how resilience will be demonstrated under pressure. 
Organizations that treat this as a strategic capability (not a regulatory chore) will be the ones trusted to lead in a digitized, high-stakes financial system.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"FAQs\"><\/span>FAQs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n<div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-question-1753537483438\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">How is TLPT different from regular penetration testing?\u00a0<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>TLPT simulates real-world attacks based on current threat intelligence and adversary tactics. Unlike regular pentests, which are scoped and checklist-driven, TLPT tests resilience by mimicking sophisticated threat actors to assess detection, response, and recovery capabilities across systems, people, and processes.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1753537495552\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Who needs to do TLPT under DORA?\u00a0<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Under DORA, TLPT is mandatory for critical financial entities designated by European supervisory authorities. This includes major banks, payment institutions, clearing houses, and certain ICT third-party providers whose disruption could impact financial stability or operational continuity across the EU.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1753537507667\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">What\u2019s the testing frequency under DORA?\u00a0<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Entities must conduct TLPT at least once every three years, unless regulators specify otherwise. 
However, frequency may be adjusted based on risk level, previous test outcomes, or material changes in the threat landscape or operational structure.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1753537525790\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Does DORA apply to SaaS vendors?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes, if your SaaS solution supports core financial operations or serves regulated financial entities, DORA may apply. ICT third-party service providers, including cloud and SaaS vendors, may fall under oversight, especially if they\u2019re deemed critical to financial sector stability or continuity.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Key Takeaways The Digital Operational Resilience Act (DORA) is the EU\u2019s response to the increasing operational risks posed by an interconnected financial system. It\u2019s about more than cybersecurity; it\u2019s about proving that financial institutions can keep critical services running through disruption. That\u2019s where DORA penetration testing fits in. 
It shifts testing from a technical task &#8230; <a title=\"DORA Penetration Testing: What CTOs and CISOs Need to Know\" class=\"read-more\" href=\"https:\/\/www.getastra.com\/blog\/compliance\/dora-penetration-testing\/\" aria-label=\"Read more about DORA Penetration Testing: What CTOs and CISOs Need to Know\">Read more<\/a><\/p>\n","protected":false},"author":111,"featured_media":39908,"comment_status":"open","ping_status":"0","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[696],"tags":[],"class_list":["post-39898","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/39898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/111"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=39898"}],"version-history":[{"count":4,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/39898\/revisions"}],"predecessor-version":[{"id":43661,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/39898\/revisions\/43661"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/39908"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=39898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/categories?post=39898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?post=39898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}