DORA Penetration Testing
ICT risk testing aligned to the Digital Operational Resilience Act - for UK and EU financial entities, third party providers, and the systems they depend on.
UK-based testers · ICT third party services experience · Red teaming aligned to TIBER-EU principles
Why this matters
Why DORA changed financial sector testing.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied since 17 January 2025. It harmonises ICT risk requirements across EU financial entities, and, through the contractual and third party risk obligations it places on those entities, reaches the ICT third party service providers that supply them, regardless of where the provider is based.
DORA's testing requirements sit in Chapter IV (Articles 24-27):
- Article 24 - general requirements: a risk-based testing programme covering ICT systems, applications and infrastructure, with ICT systems supporting critical or important functions tested at least yearly
- Article 25 - the tests to be applied where appropriate, including vulnerability assessments and scans, network security assessments, scenario-based tests and penetration testing
- Article 26 - Threat-Led Penetration Testing (TLPT): required at least every 3 years for entities identified by their competent authority, on live production systems, performed in line with the TIBER-EU framework
- Article 27 - requirements for the testers carrying out TLPT: suitability, technical and threat intelligence expertise, certification or formal codes of conduct, independence and freedom from conflicts of interest
A practical consequence: many UK financial firms and their UK-based ICT providers are now subject to DORA via their EU customer base, even though the UK isn't itself in DORA's primary scope.
What gets tested - and which Pentiq service covers it.
Here's how the Chapter IV (Articles 24-27) requirements map to our services.
| Control area | What's assessed | Pentiq service |
|---|---|---|
| Article 24 - At least yearly testing of ICT systems supporting critical or important functions | Risk-based testing programme | External & Internal Infrastructure Testing, Web Application Testing |
| Article 25 - Vulnerability assessments | Regular identification of weaknesses | Vulnerability Scanning Subscription |
| Article 25 - Network security assessments | Network architecture and control validation | Internal Infrastructure Testing |
| Article 25 - Scenario-based testing | Testing against realistic attack scenarios | Red Teaming |
| Article 25 - Penetration testing | Manual penetration testing by qualified testers | Manual Penetration Testing across services |
| Article 26 - Threat-Led Penetration Testing (TLPT) | Triennial, intelligence-led, TIBER-EU aligned | Red Team / TLPT (aligned to TIBER-EU principles - formal accreditation is jurisdiction-specific) |
| Article 27 - TLPT tester requirements | Independent, certified, suitably experienced, no conflicts | In-house testers, organisational independence |
Scope my test
Get a tailored DORA test scope.
Tell us where DORA reaches your operations and we'll come back with a risk-based engagement - usually within one working day.
Prefer to talk first? Book a 20-minute scoping call ->
Engagement
What a Pentiq DORA engagement looks like.
Scoping
A short call with your technical contact to confirm scope, agree the test plan, and book delivery dates against your DORA timeline.
Testing
Testing runs against the agreed scope. Findings appear in your Pentiq portal in real time, so your team can start triaging without waiting for a final report.
Reporting & remediation
Final report delivered through the portal: executive summary, technical findings mapped to DORA control areas, and remediation guidance for each issue.
Optional re-test
We re-test fixed findings before your DORA assessment so you walk in clean.
Engagement length depends entirely on scope - we confirm a realistic timeline during the scoping call.
Common questions
Frequently asked questions.
Does DORA apply to us if we're UK-based?
DORA applies directly to EU financial entities. UK financial entities are not in primary scope, but if you're a UK ICT third party service provider to EU financial entities, or a UK financial entity with EU subsidiaries or operations, DORA's requirements reach you contractually and operationally. The FCA and PRA operational resilience framework also overlaps significantly with DORA.
What's the difference between Article 24 testing and Article 26 TLPT?
Articles 24 and 25 set the baseline: an at-least-yearly, risk-based programme of vulnerability assessments, network security assessments and penetration tests across ICT systems supporting your critical or important functions. Article 26 TLPT is a separate, triennial, intelligence-led red team exercise against live production systems, performed in line with the TIBER-EU framework and required only for entities identified by their competent authority. Most entities have Article 24 and 25 obligations; far fewer have Article 26 obligations.
Are you a TIBER-EU accredited provider?
TIBER-EU accreditation is jurisdiction-specific and the framework continues to evolve as DORA-aligned national implementations roll out. We deliver red team and threat-led testing aligned to TIBER-EU principles - for formal TIBER-EU engagements, we'll confirm accreditation fit for your specific competent authority during scoping.
Our ICT systems are partly run by third parties - does the test cover those?
DORA's third party risk requirements (Articles 28-30) sit alongside the testing requirements. Your test cannot extend to a provider's systems unless your contract gives you that right, which is why Article 30 mandates specific terms in contracts for ICT services supporting critical or important functions, including the provider's participation and full cooperation in your TLPT. We can help define what's in your direct test scope versus what should be evidenced through third party assurance.
How does DORA testing relate to existing FCA / PRA expectations?
The UK regulators' operational resilience framework (FCA PS21/3, PRA SS1/21) overlaps significantly with DORA on testing expectations, especially around important business services and severe-but-plausible scenarios. A well-designed test programme typically satisfies both.
Is annual testing enough?
Article 24 specifies at least yearly testing for ICT systems and applications supporting critical or important functions. Higher-risk or rapidly changing systems often warrant more frequent testing; quarterly vulnerability scanning plus an annual deep test is a common DORA-aligned pattern. The exact cadence is risk-based and should be documented.
Who within the firm needs to see the report?
DORA expects ICT risk to be a Board-level concern. Our reports include an executive summary suitable for Board-level review and detailed findings for technical teams - and the portal allows different access levels for different audiences.
