The Digital Operational Resilience Act (DORA) is an EU regulation that has applied directly in all EU member states since 17 January 2025. It requires financial companies and their critical IT service providers to systematically test and demonstrate digital operational resilience. DORA replaces and harmonises previously fragmented national requirements — directly affecting more than 22,000 organisations across the EU.
DORA has been in force since 17 January 2025 — the transition period has ended and regulators are actively checking compliance.
The regulation applies directly without national implementing legislation — BaFin and the ECB are monitoring compliance.
IT service providers, cloud providers, and data centres may also be DORA-obligated if they provide critical functions for financial entities.
| Criterion | Art. 25 DORA | Art. 26 DORA (TLPT) |
|---|---|---|
| Target group | All DORA-obligated entities | Systemically important institutions |
| Test type | Penetration test / VA | TLPT (TIBER-EU framework) |
| Frequency | Annual | Every 3 years |
| Our service | ✓ Fully covered | — Outside our scope |
| Effort | Manageable, plannable | Very high, accredited team required |
DORA covers virtually the entire financial industry and its IT service providers. If your organisation operates in one of the areas below, you are very likely subject to DORA obligations.
Art. 25 DORA defines specific requirements for the scope and content of security tests. Our pentest covers all relevant areas and maps every finding directly to the corresponding DORA articles.
Segmentation, firewall configurations, exposed services, and privileged access — we test whether your network meets the requirements for digital operational resilience.
Active Directory, privileged accounts, MFA enforcement, and lateral movement opportunities — central attack vectors in the financial sector.
Web applications, banking portals, APIs, and internal tools: we test against OWASP Top 10 and financial-sector-specific vulnerabilities.
Access control for server rooms, data centres, and sensitive areas — physical attack vectors are also relevant under DORA.
Phishing, vishing, and pretexting targeting your employees — human vulnerabilities are the most common entry point for attackers in the financial sector.
DORA explicitly requires the review of critical IT service providers. We test remote access points, API interfaces, and third-party integrations.
We guide you from scope definition to an audit-ready report — structured, on time, and fully mapped to the relevant DORA articles.
Joint definition of the systems, applications, and processes to be tested. We identify upfront which DORA articles apply to your scope.
OSINT on your organisation, network footprinting, and planning of realistic attack paths — the way real attackers in the financial sector operate.
Manual testing within the agreed scope: infrastructure, Active Directory, web applications, physical security, and social engineering.
All findings are mapped directly to the corresponding DORA articles — for maximum auditability with regulators and internal reviewers.
Detailed pentest report with CVSS ratings, DORA mapping, prioritised remediation recommendations, and an executive summary for the board and senior management.
We combine all relevant attack vectors into a comprehensive DORA assessment — from infrastructure to the human factor, everything mapped to Art. 25.
Network segmentation, firewall configurations, Active Directory security, and remote access: technically verified and directly mapped to DORA Art. 25.
Banking portals, customer applications, and internal APIs: we test against OWASP Top 10 and financial-sector-specific vulnerabilities including session hijacking and insecure direct object references.
Phishing simulations, vishing, and physical access tests: we verify whether your staff and access control systems withstand real-world attacks.