Nov 17, 2025

From Basic Tests to TLPT: DORA Redefines Resilience Testing Requirements

Since January 17, 2025, financial entities have been required to comply with Regulation (EU) 2022/2554, better known as DORA (the Digital Operational Resilience Act). The regulation creates a harmonized legal framework to strengthen digital operational resilience across the EU financial sector and to address the growing risks posed by cyberattacks and ICT operational disruptions. To that end, DORA establishes a detailed body of rules, supplemented by regulatory technical standards (RTS) developed by the European Supervisory Authorities (ESAs). A key pillar of this resilience is how entities test their systems. DORA introduces testing requirements that are more far-reaching, more uniform, and more specific than those that applied before. Where earlier requirements were often fragmented or left room for interpretation, DORA now demands a structured and comprehensive testing program, ranging from regular basic tests to sophisticated threat-led penetration tests (TLPT) for systemically important institutions. These obligations call for a close reading of the regulation and the associated RTS. The following sections therefore outline the general requirements for the testing program and what needs to be considered for the advanced tests known as TLPT.

General DORA Requirements for the Resilience Testing Program

Financial entities other than micro-enterprises must establish, maintain, and review a sound and comprehensive program for testing digital operational resilience (Art. 24 DORA). The program is an integral part of the ICT risk management framework under Art. 6 DORA. Its main objectives are to assess preparedness for handling ICT-related incidents, to identify weaknesses, deficiencies, and gaps in digital operational resilience, and to implement corrective measures promptly.

Financial entities must follow a risk-based approach when executing the testing program, giving due consideration to the evolving ICT risk landscape, the specific risks to which the entity is exposed, and the criticality of its information assets and of the services it provides. The program must include a range of assessments, tests, methodologies, practices, and tools; Art. 25(1) DORA lists vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.

Appropriate tests must be performed at least once a year on all ICT systems and applications supporting critical or important functions. The tests must be undertaken by independent parties, whether internal or external; where internal testers are used, the entity must dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution of the test. Findings and challenges arising from the resilience tests must be fully incorporated into the ICT risk assessment process on an ongoing basis, and they serve as the basis for reviewing the relevant components of the ICT risk management framework.

Advanced Testing: Threat-Led Penetration Testing (TLPT)

Beyond the general testing program, DORA requires certain financial entities to perform advanced testing in the form of threat-led penetration testing (TLPT). The legal basis is Articles 26 and 27 DORA. TLPT is a further tool for strengthening operational resilience. DORA draws on international standards such as the G7 Fundamental Elements for Threat-Led Penetration Testing and frameworks such as TIBER-EU, and Article 3(17) DORA defines TLPT as a framework that mimics the tactics, techniques, and procedures of real-life threat actors perceived as posing a genuine cyber threat, and that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity's critical live production systems. Because the test runs against live production systems, Art. 26 DORA also obliges the entity to apply effective risk management controls to mitigate the risk of impact on data, damage to assets, and disruption to critical or important functions, services, or operations.

The requirements of Articles 26 and 27 DORA are supplemented and specified in detail by Commission Delegated Regulation (EU) 2025/1190 (the RTS on TLPT). Which entities must carry out TLPT is determined in Germany by BaFin as the competent supervisory authority or, in the case of significant credit institutions, by the ECB. The criteria for this identification are set out in Article 26(8), third subparagraph, DORA: the authority assesses the impact of the entity on the financial sector, possible financial stability concerns including the entity's systemic character, and its specific ICT risk profile, applying the further criteria laid down in Article 2 of the RTS on TLPT. Entities identified in this way must carry out a TLPT at least every three years; based on the entity's risk profile, the competent authority may require this frequency to be reduced or increased. Micro-enterprises, as well as the financial entities subject to the simplified ICT risk management framework under Art. 16(1) DORA, are exempt from the TLPT obligation.

Attorney Anton Schröder

I.  https://fin-law.de

E. info@fin-law.de