DORA Makes Resilience Testing A Finance Priority

    Updated: June 21, 2026

    DORA has made resilience testing a central compliance priority for Europe’s financial sector, requiring banks, insurers, investment firms, payment providers and other covered entities to prove that critical ICT systems can withstand disruption. The rule moved from preparation to active supervision after January 17, 2025, with threat-led penetration testing and incident reporting now shaping board-level cybersecurity programs.

    Why Does DORA Make Resilience Testing A Financial-Sector Compliance Priority?

    DORA makes resilience testing a financial-sector compliance priority because it requires covered firms to test ICT systems, tools and processes as part of their risk management framework. The regulation moves resilience from policy language into documented testing, remediation, reporting and board oversight across the EU’s financial system.

    The European Insurance and Occupational Pensions Authority said DORA applies to 20 types of financial entities and ICT third-party service providers. ESMA describes the framework as applying to 21 financial entity types, including 12 under ESMA’s remit. The difference reflects sector-specific counting across ESA pages, not a conflict over the regulation’s core purpose.

    The operational reason is clear. Financial firms depend on cloud platforms, trading systems, payment networks, data providers and outsourced ICT services. A cyberattack, outage or technology failure can cross borders quickly when multiple firms use the same providers.

    When Did DORA Resilience Testing Move From Proposal To Enforcement?

    DORA began when the European Commission adopted its digital finance package on September 24, 2020, including legislative proposals on crypto-assets and digital resilience. The European Parliament later said the proposal aimed to harmonize digital operational requirements so ICT operations could resist cyberattacks and severe disruption.

    Regulation (EU) 2022/2554 was adopted on December 14, 2022, published in the Official Journal on December 27, 2022, and entered into force on January 16, 2023. It became applicable on January 17, 2025, after a 2-year implementation period.

    The testing framework matured after application. The ESAs published the second batch of DORA policy products on July 17, 2024, including draft rules for threat-led penetration testing. The TLPT regulatory technical standard became applicable on July 8, 2025, setting detailed expectations for scope, testers, methodology, results, closure and remediation.

    What Does DORA Require For Digital Operational Resilience Testing?

    DORA requires each covered financial entity to maintain a digital operational resilience testing program that fits its risk profile, critical functions and ICT environment. The program must include appropriate tests such as vulnerability assessments, scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires, source code reviews, scenario testing, compatibility testing, performance testing, end-to-end testing and penetration testing.

    Article 24 sets the general testing requirement. Article 25 lists baseline testing methods for ICT tools and systems. Article 26 requires selected financial entities to perform advanced threat-led penetration testing, known as TLPT, at least every 3 years.

    The TLPT standard adds detail for supervisory selection, testing phases, use of internal testers, red-team work, threat intelligence, remediation and mutual recognition across authorities. That makes testing an evidence requirement, not only a technical exercise.

    Which Financial Firms Must Prioritize DORA Testing And TLPT?

    DORA affects banks, insurers, reinsurers, investment firms, trading venues, central securities depositories, payment institutions, electronic money institutions, crypto-asset service providers, credit rating agencies, data reporting providers and other covered financial entities. Microenterprises receive lighter treatment in parts of the framework, but most covered firms still face resilience testing duties.

    Not every covered firm must run TLPT. Article 26 applies advanced testing to financial entities identified by competent authorities based on impact, risk profile, systemic importance and ICT maturity. Those entities must test several or all of their critical or important functions, and the tests run against the live production ICT systems and services that support those functions, which is why scoping, safeguards and tester vetting matter as much as the red-team work itself.

    ICT third-party providers matter because financial entities must test and document resilience across outsourced services. Cloud, data, cybersecurity and software vendors may face contract demands, evidence requests and direct oversight where the ESAs designate them as critical third-party providers.

    How Much Can DORA Regulators Fine Firms For Testing And ICT Failures?

    DORA does not set one EU-wide fine table for every financial entity. Article 50 requires member states to create effective, proportionate and dissuasive administrative penalties and remedial measures, which means fines and sanctions vary across national regimes.

    For critical ICT third-party service providers, DORA gives Lead Overseers a direct tool. Article 35 allows periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover in the preceding business year for continuing non-compliance, imposed on a daily basis until the provider complies and for no more than six months, subject to the other limits in the regulation.

    Enforcement risk extends beyond fines. Regulators can demand remediation, request information, conduct investigations, publish measures and pressure financial entities to address weak third-party controls. Public sanctions can create reputational and procurement consequences even when the monetary penalty is lower than the operational damage.

    What Practical Steps Should Financial Firms Take For DORA Resilience Testing?

    Financial firms should treat DORA resilience testing as a recurring control cycle tied to ICT risk management, not a one-time audit task. The goal is to prove that critical systems can resist, detect, respond to and recover from disruption while showing regulators that weaknesses move into remediation.

    1. Map critical or important functions to ICT systems, cloud services, data flows and third-party providers.

    2. Create a yearly testing plan that includes vulnerability scans, penetration testing, scenario testing, performance testing and recovery exercises.

    3. Determine whether the firm is likely to fall under TLPT selection criteria and prepare threat intelligence and red-team procedures.

    4. Record test scope, methods, testers, findings, severity ratings, business owners and remediation deadlines.

    5. Link test results to incident response, backup, restoration, business continuity and disaster recovery plans.

    6. Update ICT vendor contracts to include testing support, evidence access, incident cooperation and exit planning.

    7. Report material issues to management bodies and track closure until remediation is verified.
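    To show how the seven steps become a checkable record rather than a policy statement, here is an added example written for this article; it is not code from the regulation, the ESAs or any official tool. It is a small evidence register in Python that maps critical functions to ICT assets, tests and findings, then reports the gaps a supervisor or internal audit would ask about. The record layout, the issue codes, the 365-day baseline window and the rule that a finding counts as closed only after re-testing are assumptions; the three-year TLPT interval is the Article 26 minimum for entities that authorities select. The sample records are constructed.

```python
"""Added example: a minimal evidence register for a DORA testing programme.

Illustrative code, not an official tool or a model prescribed by the
regulation. Record layout, issue codes, the 365-day baseline window and
the verified-closure rule are assumptions; the 3-year TLPT interval is
the Article 26 minimum for entities selected by their authority.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

BASELINE_INTERVAL = timedelta(days=365)   # assumed annual baseline cycle
TLPT_INTERVAL = timedelta(days=3 * 365)   # Article 26: TLPT at least every 3 years


@dataclass
class Finding:
    finding_id: str
    severity: str                  # critical / high / medium / low
    owner: str                     # business owner accountable for the fix
    due: date                      # agreed remediation deadline
    closed: Optional[date] = None  # date the fix was declared done
    verified: bool = False         # re-tested by the testers, not just declared


@dataclass
class Test:
    test_id: str
    method: str                    # "vulnerability scan", "penetration test", "TLPT", ...
    performed: date
    testers: str                   # internal team or named external provider
    scope: List[str]               # asset identifiers actually exercised
    findings: List[Finding] = field(default_factory=list)


@dataclass
class CriticalFunction:
    name: str
    assets: List[str]              # ICT systems, cloud services, data flows
    third_parties: List[str]       # providers supporting the function
    tlpt_in_scope: bool            # selected for TLPT by the competent authority
    tests: List[Test] = field(default_factory=list)


Gap = Tuple[str, str, str]  # (function name, issue code, detail)


def register_gaps(functions: List[CriticalFunction], today: date) -> List[Gap]:
    """Return the evidence gaps in the register as of `today`."""
    gaps: List[Gap] = []
    for fn in functions:
        if not fn.assets:                                  # step 1: mapping missing
            gaps.append((fn.name, "NO_ASSET_MAPPING", ""))

        recent = [t for t in fn.tests if today - t.performed <= BASELINE_INTERVAL]
        if not recent:                                     # step 2: no test this cycle
            gaps.append((fn.name, "NO_BASELINE_TEST", ""))

        covered = {a for t in recent for a in t.scope}     # step 4: scope is recorded
        for asset in fn.assets:
            if asset not in covered:
                gaps.append((fn.name, "ASSET_NOT_TESTED", asset))

        if fn.tlpt_in_scope:                               # step 3: TLPT cadence
            last = max((t.performed for t in fn.tests if t.method == "TLPT"), default=None)
            if last is None or today - last > TLPT_INTERVAL:
                gaps.append((fn.name, "TLPT_OVERDUE", last.isoformat() if last else "never"))

        for t in fn.tests:                                 # step 7: verified closure
            for f in t.findings:
                if f.closed is None and f.due < today:
                    gaps.append((fn.name, "FINDING_OVERDUE", f.finding_id))
                elif f.closed is not None and not f.verified:
                    gaps.append((fn.name, "CLOSED_NOT_VERIFIED", f.finding_id))
    return gaps


def sample_register() -> List[CriticalFunction]:
    """Constructed sample data for the demo; not real tests or findings."""
    return [
        CriticalFunction("Payments clearing", ["pay-gw", "pay-db", "hsm-cluster"], ["CloudCo"], True,
            tests=[
                Test("T-2023-01", "TLPT", date(2023, 3, 1), "External red team",
                     ["pay-gw", "pay-db", "hsm-cluster"]),
                Test("T-2025-04", "penetration test", date(2025, 9, 10), "External firm",
                     ["pay-gw", "pay-db"],
                     findings=[
                         Finding("F-1", "high", "Head of Payments", date(2025, 12, 31),
                                 closed=date(2025, 12, 15), verified=True),
                         Finding("F-2", "medium", "Head of Payments", date(2026, 3, 31)),
                     ]),
            ]),
        CriticalFunction("Client order routing", ["oms", "fix-gw"], ["MarketDataCo"], False,
            tests=[
                Test("T-2026-02", "vulnerability scan", date(2026, 5, 2), "Internal security",
                     ["oms", "fix-gw"],
                     findings=[Finding("F-3", "low", "Head of Trading", date(2026, 8, 31),
                                       closed=date(2026, 5, 20))]),
            ]),
        CriticalFunction("Regulatory reporting", [], [], False),
    ]


def demo(today: date = date(2026, 6, 21)) -> List[Gap]:
    return register_gaps(sample_register(), today)


if __name__ == "__main__":
    for name, code, detail in demo():
        print(f"{name:22} {code:20} {detail}")
```

    Run on the constructed data, the check flags an asset that only the stale TLPT ever exercised, a TLPT more than three years old, one finding past its remediation date, one finding closed but never re-tested, and a function with neither an asset map nor a test in the current cycle. The point of the design is that each issue code ties back to a numbered step above, so the same output can feed the management-body report in step 7.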

    How Did Regulators And The Financial Sector Respond After DORA Took Effect?

    Regulators moved quickly from rulemaking to supervision after DORA applied on January 17, 2025. ENISA said DORA became binding for all financial entities across the EU and described it as a harmonized framework for digital operational resilience and critical third-party ICT oversight.

    The first major post-application signal came from third-party oversight. Reuters reported in November 2025 that EU regulators designated 19 technology companies, including Amazon Web Services, Google Cloud and Microsoft, as critical technology providers for the bloc’s finance industry.

    The second signal came from incident reporting. On June 3, 2026, the ESAs published their first annual overview of major ICT-related incidents under DORA. The report covered 2025 and showed 3,383 major incidents across EU financial sectors, with around one third having cross-border impact, according to ESA summaries and legal analyses.

    What Government And Court Actions Are Connected To DORA Testing?

    The main government action is the staged adoption of DORA regulatory and implementing rules. The Commission’s DORA implementing and delegated acts page lists official acts covering ICT risk management, incident classification, incident reporting, TLPT, third-party policies, subcontracting, registers of information and oversight structures.

    The TLPT rules are central to the testing story. The EBA says the TLPT regulatory technical standards specify selection criteria, internal tester requirements, test scope, testing methodology, each phase of testing, results, closure, remediation and supervisory cooperation.

    No major court judgment directly reshaping DORA resilience testing was found in the official sources and reputable coverage reviewed for this report. Legal disputes remain possible around critical third-party designations, supervisory requests, penalty payments and cross-border coordination.

    What Are The Costs And Business Consequences Of DORA Testing?

    DORA testing creates operational costs because firms must coordinate security, technology, risk, legal, procurement, business continuity and third-party teams. Costs depend on the number of critical systems, cloud dependencies, test depth, remediation backlog and whether a firm must complete TLPT.

    Industry coverage after the compliance date pointed to rising spend and staff pressure. TechRadar cited Rubrik Zero Labs research saying 47% of firms spent more than €1 million on DORA-related work and 58% of CISOs reported increased stress. Those figures came from vendor research, not a regulator, so they should be treated as market sentiment rather than an official cost estimate.

    The business consequence is that resilience testing now affects vendor selection, cyber insurance, board reporting and customer confidence. A failed test can expose fragile recovery plans, weak cloud dependencies, missing logs, poor access controls or unclear incident ownership.

    What Remains Unresolved About DORA Resilience Testing In 2026?

    The main unresolved issue is how consistently national competent authorities will apply DORA testing expectations across member states. The regulation is directly applicable, but supervisory tone, penalty practice, evidence depth and TLPT selection may differ as authorities gain experience.

    A second open issue is third-party concentration. The 19 critical ICT provider designations put major technology vendors under EU-level oversight, but financial firms remain responsible for their own ICT risk, contract controls, testing evidence and continuity planning.

    A third issue is AI-driven cyber risk. The ESAs said in June 2026 that highly capable AI-driven tools should encourage financial entities to strengthen cybersecurity measures. That warning makes resilience testing more important because attack simulations and recovery exercises must reflect faster, more automated threats.

    How Bright Defense Helps Financial Firms Meet DORA Resilience Testing Requirements

    Bright Defense supports financial institutions with resilience testing requirements through penetration testing, continuous compliance monitoring, and security assessments. Our services evaluate ICT infrastructure, cloud platforms, third-party risk exposure, and incident response preparedness to help organizations strengthen operational resilience.

    Sources Cited In This DORA Resilience Testing Report

    1. European Commission — Digital Finance Package (September 24, 2020) https://finance.ec.europa.eu/publications/digital-finance-package_en
    2. European Parliament — Digital Operational Resilience Act DORA Briefing (November 2022) https://www.europarl.europa.eu/thinktank/en/document/EPRS_ATA(2022)738197
    3. EUR-Lex — Regulation (EU) 2022/2554 On Digital Operational Resilience For The Financial Sector (December 27, 2022) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554
    4. European Insurance And Occupational Pensions Authority — Digital Operational Resilience Act DORA (2026) https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
    5. European Securities And Markets Authority — Digital Operational Resilience Act DORA (2026) https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora
    6. European Commission — Implementing And Delegated Acts, DORA (July 2, 2025) https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en
    7. European Banking Authority — Joint Regulatory Technical Standards Specifying Elements Related To Threat-Led Penetration Tests (July 17, 2024) https://eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/joint-regulatory-technical-standards-specifying-elements-related-threat-led-penetration-tests
    8. European Banking Authority — Digital Operational Resilience Regulation Interactive Single Rulebook (2026) https://eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook/17716
    9. ENISA — EU Financial Entities Cybersecurity Upgrade: DORA Is Now Alive And Kicking (January 17, 2025) https://www.enisa.europa.eu/news/eu-financial-entities-cybersecurity-upgrade-dora-is-now-alive-and-kicking
    10. Reuters Via Yahoo Finance — Amazon, Google Named By EU Among Critical Tech Providers For Finance Industry (November 18, 2025) https://finance.yahoo.com/news/amazon-google-named-eu-among-172249455.html
    11. European Banking Authority — ESAs Publish The First Report On DORA Major ICT-Related Incidents (June 3, 2026) https://www.eba.europa.eu/publications-and-media/press-releases/esas-publish-first-report-dora-major-ict-related-incidents
    12. ESAs — 2025 Report On Major ICT-Related Incidents Under DORA (June 2026) https://www.eba.europa.eu/sites/default/files/2026-06/29b60c21-4ff3-4e1e-9308-7c8225d5cc01/ESAs%202025%20report%20on%20major%20ICT-related%20incidents.pdf
    13. DLA Piper — Application Of The Digital Operational Resilience Act DORA: Key Points (February 2025) https://www.dlapiper.com/insights/publications/2025/02/application-of-the-digital-operational-resilience-act—dora
    14. DLA Piper — DORA Penalty Regimes: Overview Of Divergence Among Member States (October 2025) https://www.dlapiper.com/insights/publications/2025/10/divergence-in-administrative-penalties-under-dora
    15. TechRadar — DORA: Six Months Into A Resilience Revolution (August 19, 2025) https://www.techradar.com/pro/dora-six-months-into-a-resilience-revolution

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He is skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust, keeping them ahead of the curve.
