Threat Led Pen Testing and DORA

DORA and the future of penetration testing for UK Financial Services Organizations

by Darren Anderson

The Digital Operational Resilience Act (DORA), introduced by the European Union and arriving in January 2025, aims to strengthen the IT resilience of financial services organizations by setting regulatory requirements for digital security and risk management. DORA places a significant emphasis on cybersecurity, operational risk management, and third-party risk, making penetration testing (pen testing) a critical component of compliance.

DORA applies to UK-based entities that undertake, within the EU, any of the broad range of financial activities captured by the Act. In addition, “Critical ICT Third Party Providers” (CTPPs) to Europe’s financial firms will be subject to DORA’s requirements as well. Even providers not designated as CTPPs will likely see requirements pushed down the supply chain and built into their contractual relationships with financial firms, as is often the case today.

It’s expected that DORA will impact thousands of UK entities, some of which will be subject to these kinds of standards for the first time.

DORA compartmentalises digital operational resilience into five areas – risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information and intelligence sharing.

Penetration testing under DORA will shift from being a periodic or optional activity to a mandated, structured process. Here’s how DORA is expected to impact penetration testing:

  1. Mandatory Regular Penetration Testing

DORA requires financial entities to ensure the integrity and security of their digital systems through rigorous testing. Penetration testing, under the new regulation, becomes not just an internal best practice but a legal requirement. The frequency of tests will increase, with the focus on regular, systematic testing to identify vulnerabilities in digital infrastructures.

This testing will need to cover various attack vectors, including web applications, network security, mobile apps, and cloud services. With this added emphasis, FSOs will need to plan for regular pen tests and integrate them into their risk management strategies.

Remember: a vulnerability scan is NOT a penetration test.

The mandatory nature of these tests introduces challenges and opportunities. Financial services organizations will need to expand their budgets for cybersecurity initiatives, allocate resources for ongoing testing, and implement a continuous improvement loop. Regular testing aligns with the core principles of proactive cybersecurity, ensuring systems remain resilient against evolving threats.

Moreover, FSOs will be held accountable for implementing testing results into their broader risk management frameworks. This extends the value of pen testing beyond a standalone activity, embedding it within a dynamic process that contributes directly to organizational resilience.

  2. Threat-Led Penetration Testing (TLPT)

DORA encourages the adoption of Threat-Led Penetration Testing (TLPT), a form of penetration testing that simulates real-life attacks using tactics and techniques employed by threat actors. TLPT tests go beyond ‘basic’ penetration testing (and certainly generic vulnerability scanning) by mimicking the behaviour of advanced persistent threats (APTs) to assess how an organization’s defences would hold up in a real-world attack scenario.

This approach may require FSOs to adopt red team exercises, where pen testers simulate adversarial attacks, particularly on critical systems. TLPT is intended to identify weaknesses that traditional security measures or more basic penetration tests might miss.

TLPT requires specialized expertise, tools, and methodologies. Financial institutions will need to partner with security providers skilled in adversarial simulations or build in-house teams capable of such testing. The operationalization of TLPT might also demand cultural shifts, where organizations embrace the findings of simulated attacks as opportunities for growth rather than operational failures.

  3. Increased Focus on Third-Party Providers

DORA extends beyond an organization’s internal systems to the entire digital supply chain. FSOs must ensure that third-party service providers, such as cloud vendors or payment processors, are also resilient to cyberattacks. This adds a new dimension to penetration testing: FSOs will need to perform more rigorous assessments of their vendors’ security posture. Penetration testing will need to include the analysis of third-party risks and possibly extend to the vendors themselves. FSOs may require their partners to submit to assessments (albeit many do this now) as part of contractual agreements, or alternatively, assess the results of their providers’ own tests to ensure security standards are met.

This focus on third parties creates cascading effects across the financial ecosystem. Vendors, even those outside the direct scope of DORA, will feel the pressure to meet heightened security expectations. Organizations must evaluate not only the technical aspects of third-party security but also the policies, incident response procedures, and operational resilience of their partners.

Furthermore, the increasing interdependence between financial institutions and their supply chains makes third-party resilience testing an ongoing process rather than a one-time evaluation. FSOs may invest in platforms that automate vendor risk assessments or utilize shared frameworks for vendor security evaluations.

  4. Real-Time Reporting and Documentation

Penetration testing under DORA will require more detailed documentation and real-time reporting to meet regulatory scrutiny. Testing reports will need to be comprehensive, covering identified vulnerabilities, their potential impact, and steps taken to mitigate the risks. DORA’s reporting requirements are designed to increase transparency, meaning that penetration tests will likely need to provide evidence of continuous monitoring and ongoing mitigation efforts, and demonstrate that identified vulnerabilities are addressed in a timely manner. Regulatory bodies will be paying attention to how vulnerabilities identified in penetration tests are tracked, remediated, and closed. This will prompt FSOs to adopt more automated and real-time solutions for tracking vulnerabilities and remediation efforts.

In this context, real-time reporting tools play a crucial role. Modern penetration testing solutions offer dashboards, automated notifications, and integration with broader incident management systems. These tools enable organizations to generate audit-ready reports quickly, reducing the burden of compliance while maintaining operational focus.

Moreover, real-time reporting ensures that vulnerabilities are not just identified but are acted upon immediately. This minimizes the window of exposure and demonstrates to regulators and stakeholders that security is an active and ongoing commitment.

  5. Adherence to Standards and Frameworks

DORA encourages financial services firms to align their cybersecurity practices with recognized standards, such as the NIST Cybersecurity Framework or ISO 27001. Penetration testing will need to conform to these standards, focusing on areas like access control, encryption and network segmentation.

Adherence to these frameworks provides a structured approach to resilience and creates a common language for security. For organizations operating across borders, these standards simplify the compliance process by aligning local requirements with global best practices.

To meet these expectations, FSOs must ensure that their penetration testing programs are mapped to relevant controls and requirements. Testing teams must demonstrate how their methodologies align with regulatory frameworks and provide evidence that findings are used to enhance security posture in measurable ways.

The integration of standards into penetration testing also raises the bar for vendors and security providers. Organizations will look to partner with firms that can certify compliance with recognized frameworks, ensuring seamless alignment with DORA’s requirements.

Looking Ahead: DORA’s Broader Implications for Penetration Testing

As DORA reshapes the cybersecurity landscape for UK financial services organizations, penetration testing will become a cornerstone of digital operational resilience. The shift from periodic testing to continuous, integrated practices underscores the importance of agility, expertise, and collaboration in defending against modern threats.

DORA’s emphasis on third-party providers, real-time reporting, and adherence to standards expands the scope of penetration testing beyond technical assessments. It requires organizations to adopt a holistic view of resilience that spans people, processes, and technologies.

Ultimately, DORA provides an opportunity for financial institutions to elevate their security practices and build trust with regulators, customers, and stakeholders. By embracing the principles of proactive and comprehensive penetration testing, organizations can not only comply with DORA but also set a benchmark for operational excellence in the digital age.

OccamSec can provide both threat led penetration testing and an automated pen testing solution, Incenter, to meet these requirements, and more.

“Incenter is a total game changer in the market. There are only a handful of companies doing continuous pen testing, but OccamSec’s model is completely different from anything I’ve seen.”

This is from a security leader at our FS client here in the UK, managing over $1.5 trillion in assets, who uses Incenter for ongoing penetration testing with on-demand reporting capability. They avoided millions in fines and met the business-critical, ongoing demands of scores of major FS brand partners.

Let us help you augment your security team, reduce risk, and address the requirements of DORA.

Additional Resources

  • Digital Operational Resilience Act (DORA) Official Text: For the complete legal text of DORA, refer to the European Union’s official publication. Eur-Lex
  • NIST Cybersecurity Framework: The National Institute of Standards and Technology provides a comprehensive framework for improving cybersecurity practices. NIST
  • ISO/IEC 27001 Information Security Management: The International Organization for Standardization offers standards for establishing and maintaining information security management systems. Astra
  • European Insurance and Occupational Pensions Authority (EIOPA) on DORA: EIOPA provides insights into DORA’s implications for the financial sector. EIOPA
  • European Securities and Markets Authority (ESMA) on DORA: ESMA discusses DORA’s impact on financial entities and ICT third-party service providers. ESMA