
DORA requires testing to prove cyber resilience

DORA shifts the focus from policy to practice. Financial entities must now demonstrate—through realistic testing—that their systems, processes, and organizations can withstand real cyberattacks.

The EU regulation Digital Operational Resilience Act (DORA) makes cybersecurity a matter of proven resilience. The goal is to raise the level of digital security across the entire financial sector.

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) entered into force on 16 January 2023 and has applied since 17 January 2025. Its purpose is to strengthen digital operational resilience in the financial sector and ensure that banks, insurance companies, fintech firms, and their ICT suppliers can withstand and recover from cyberattacks.

Security Must Be Proven

To achieve the objective of increased digital operational resilience, DORA is built around five pillars (Chapters II to VI of the regulation) that together describe how cybersecurity work must be conducted:

  • ICT risk management (Chapter II): requirements for governance, processes, and responsibilities, including business continuity and recovery plans for restoring operations quickly
  • ICT-related incident management and reporting (Chapter III): how incidents must be classified and how and when they must be reported
  • Digital operational resilience testing (Chapter IV): practical testing of how systems withstand attacks
  • ICT third-party risk (Chapter V): requirements to manage and control suppliers' cybersecurity
  • Information-sharing arrangements (Chapter VI): exchange of cyber threat information between financial entities

Chapter IV (Articles 24 to 27) is one of the most extensive parts and describes how financial entities must verify their digital operational resilience through practical testing. Previously, security reviews often focused on checking procedures and documentation; now organizations must be able to demonstrate that their protections hold up against real-world attacks.

“Testing is a major part of DORA, because it shows whether security measures actually work in practice,” says Benjamin Svensson, senior security specialist at Assured. He works with security testing across web, infrastructure, and cloud environments, as well as more specialized domains such as industrial networks and vehicle systems.

Threat-led Penetration Testing (TLPT)

DORA distinguishes between two levels of testing: basic testing and advanced testing. Basic testing (Article 25) includes, for example, vulnerability assessments and scans, source code reviews, scenario-based tests, and traditional penetration testing, where vulnerabilities in systems and processes are identified and remediated. This often involves technical weaknesses in software, infrastructure, or cloud environments that could be exploited by an attacker.

Advanced testing, known as threat-led penetration testing (TLPT, Article 26), goes further. It must be carried out at least every three years on live production systems that support critical or important functions, and it applies to financial entities identified by the competent authorities rather than to all entities.

“The purpose of TLPT is not only to find vulnerabilities, but to assess how well an organization can detect, stop, and recover from a cyberattack,” says Benjamin.

TLPT requires a realistic, threat-driven approach and is based on threat intelligence—data on how real threat actors operate against banks, insurance companies, and fintech organizations. Based on this intelligence, realistic attack scenarios are developed and tested in practice.

These tests are carried out as red team exercises. In these scenarios, the red team acts as the attacker, while the organization's blue team is responsible for detecting and stopping the attack, typically without being told in advance that the exercise is taking place. Some organizations also use purple team exercises, where attackers and defenders collaborate to strengthen the organization's ability to detect attacks, respond effectively, and learn from the exercise.

DORA requires TLPT to be carried out in accordance with the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming), developed by the European Central Bank. The framework describes how red team exercises should be planned, executed, and evaluated, as well as the requirements placed on both testers and threat intelligence providers.

Requirements for the Testers

DORA also sets requirements for the testers themselves (Article 27). According to the regulation, they must be of the highest suitability and reputability within their field, possess technical and organizational capabilities with specific expertise in threat intelligence, penetration testing, and red team testing, be certified by an accreditation body or adhere to formal codes of conduct, and be covered by professional indemnity insurance.

“These are rather vague formulations, but the intention is that those performing the tests should be experienced and have a strong professional reputation. How this will be assessed in practice remains to be seen,” says Benjamin.

In Sweden, the Financial Supervisory Authority (Finansinspektionen) is the competent authority that supervises and ensures that organizations comply with DORA, while the Riksbank is the authority responsible for TLPT, building on its existing TIBER-SE programme.

Through TLPT, organizations gain a clear picture of their actual strengths and weaknesses, not only in their systems but also in their procedures for detecting, handling, and recovering from attacks. The tests also cover the ability to recover: to recreate or restore what has been lost, encrypted, or damaged. The results provide an important basis for prioritizing further security improvements.

How Cybersecurity Work Is Changing

With DORA, testing becomes an integrated part of ICT risk management rather than a standalone technical activity. The regulation requires all financial entities other than microenterprises to have a structured, risk-based testing programme as part of their cybersecurity efforts.

For many large banks, this practice is already in place. For smaller players, such as fintech companies and payment service providers, it may instead involve new processes, investments, and the need for skills development. At the same time, DORA creates a common language for cybersecurity within the financial sector, which in the long term can strengthen trust between organizations and their suppliers.

According to Benjamin, DORA may also serve as a useful reference for other industries seeking to strengthen their approach to security and testing.

How Organizations Can Prepare

Meeting DORA requirements demands both structure and continuity. Organizations need to identify their critical or important functions and the systems that support them, decide which types of tests should be performed and how often, and document results, prioritization, and remediation actions so that they can be shown to the supervisor.

“The most important thing is to have a plan and to start early. DORA is not about being ‘done’, but about building a process of continuous improvement,” says Benjamin.

Need Support With Your DORA Work?

Assured helps financial organizations map their risks, carry out the right types of testing, and establish the processes required under DORA.


Get in touch to discuss how we can support your DORA and fintech security journey.


DORA Requires Testing to Prove Digital Operational Resilience | Assured AB, Security Consultants