Achieving DORA Threat-Led Penetration Testing Requirements
Gain in-depth view into DORA’s threat-led penetration testing framework with practical guidance on how to integrate offensive security services.
The EU's Digital Operational Resilience Act (DORA) took effect in January 2025, and financial entities and their ICT providers must now meet the regulation’s Threat-Led Penetration Testing (TLPT) requirements.
We provide an in-depth overview of DORA’s TLPT framework and practical guidance on how to integrate offensive security services so that testing satisfies the regulator and actually improves resilience against real adversaries.
You will gain a clear roadmap for achieving DORA compliance through a strategic approach to testing, threat intelligence, and vulnerability remediation.
Key Lessons Learned
What is the Digital Operational Resilience Act (DORA)
- DORA’s goal is to address a critical gap in EU financial regulation and to create a more resilient financial ecosystem and safeguard against information and communication technology (ICT)-related incidents. It went into effect on January 17, 2025.
- DORA applies to financial entities regulated in the EU (banks, insurers, investment firms, payment and crypto-asset service providers, and others), along with ICT third-party providers that the European Supervisory Authorities (ESAs) designate as “critical” (CTPPs) because the financial sector's operation and resilience depend on their services.
Penalties
- Failure to comply will result in penalties. For financial entities these are imposed by national competent authorities; for CTPPs the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover.
- However, as Trevin Edgeworth said, “The real cost of noncompliance is [the potential] reduction of your security posture and the resulting potential security incidents.”
Managing Third-Party Risk
- Start by performing a gap analysis and risk assessment on your organization and every third party that you work with.
- A tabletop discussion with key stakeholders and senior management, though not specifically required by DORA, is a great way to play out various scenarios and prioritize risks based on impact.
- Great questions to ask:
- What would be the outcome if this provider became unavailable or was compromised?
- What is our exit strategy? Have we identified alternative vendors? DORA explicitly recognizes this kind of redundancy as a contributor to resilience.
- Is our data portable enough to move to another provider if needed?
Digital Operational Resilience Testing (DORT)
- DORT is the overarching testing programme that encompasses all of DORA’s testing requirements.
- ICT systems and applications supporting critical or important functions must be tested at least annually. This includes things you may already be doing, such as vulnerability assessments, scenario-based testing, and pentesting.
Threat-Led Penetration Testing (TLPT)
- TLPT is a rigorous, advanced form of pentesting under the umbrella of DORT.
- At its core, it is objective-based, adversary emulation. Think of it as synonymous with red teaming.
- Unlike a traditional pentest, which starts from a list of in-scope systems, TLPT starts with attack objectives: Can I pull off an unauthorized wire transfer? Can I delete a mortgage? Can I jackpot an ATM and cause it to start spitting out cash? Starting from the objective tests not only the technology but also non-technical attack paths (e.g. paper-based processes, picking locks, social engineering).
- The red team maps to a specific attacker profile drawn from threat intelligence and uses architecture and attack graphing to simulate realistic attack scenarios based on that attacker's tactics, techniques, and procedures (TTPs).
- DORA requires a TLPT at least every three years, run against live production systems that support critical or important functions. At least every third test must be performed by external testers, and the threat intelligence provider must always be external. Given how quickly environments change, we recommend one red team per line of business per year.
- TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the ECB framework on which DORA’s TLPT standards are built and can be used to fulfill them. It pairs the red team engagement with a purple teaming replay so the blue team continuously learns and improves.
DORA is a thick regulation, but one that will benefit your organization and overlaps with other obligations such as NIS2 and existing TIBER-EU programmes. It is important to start early and understand the full requirements. Dive deeper into DORA and engage with Bishop Fox to help you meet the DORT and TLPT requirements.