Hacking by regulation: threat-led penetration testing under DORA
The Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) establishes a European legal framework applicable to the ICT systems and ICT services of regulated financial and insurance companies – which in practice are often outsourced to third-party ICT service providers – with the aim of strengthening the cyber-resilience of these companies. DORA came into force on 16 January 2023 and has been applicable since 17 January 2025 (see our Insights features, The Digital Operational Resilience Act (DORA) and its Significance for the Financial Sector and When IT Service Providers are subject to financial Oversight: An Overview of the DORA Supervisory Framework).
As the increasing use of ICT systems and ICT services entails operational risks such as system malfunctions or failures due to dependence on third-party ICT service providers and cyber-attacks, it is one of the purposes of DORA to strengthen the digital operational resilience of the financial sector. In order to increase their resilience, financial entities falling within the scope of DORA are required by the provisions in Chapter IV (Articles 24 to 27) of DORA to regularly test their digital operational resilience through testing programmes and to regularly assess their ICT systems and ICT services – specifically through threat-led penetration testing (TLPT).
According to the requirements of Articles 24 and 25 of DORA, financial entities must ensure that all ICT systems and applications that support critical or important functions are tested at least once a year using testing programmes, the types of which are not exhaustively listed in the regulation. Examples include investigations into loopholes and vulnerabilities in software solutions, into the underlying source code, into network security and physical security, as well as scenario-based tests.
A paradigm shift is the introduction of the obligation to carry out TLPT in accordance with Articles 26 and 27 of DORA; previously, such testing was voluntary under the Bundesbank’s TIBER-DE testing framework. Under DORA, financial companies selected by the competent supervisory authorities must now subject their live-production systems to TLPT at least every three years, and the scope must also include those ICT services supporting critical functions that have been outsourced to third-party ICT service providers (often data centre or cloud service providers). As part of a TLPT, a red team consisting of white hat hackers carries out realistic attacks, planned and coordinated by a control team consisting of employees of the financial entity and, if necessary, the affected third-party ICT service provider, to test the digital operational resilience of the financial entity’s ICT systems and ICT infrastructure based on current threat information. The departments responsible for IT security within the financial entity, known as the blue team, are not informed about the attacks. Financial companies and, especially, third-party ICT service providers have mainly shown reluctance or outright refusal towards conducting TLPT under the TIBER-DE testing framework, citing reputational risks and potential disruption to business operations.
Since DORA applies, TLPT is no longer voluntary. To ensure the participation of financial entities’ third-party ICT service providers in TLPT, Article 30(3)(d) of DORA stipulates that financial entities must contractually obligate their third-party ICT service providers in outsourcing agreements to participate and fully cooperate in the financial entity’s TLPT in accordance with Articles 26 and 27 of DORA and the Delegated Regulation (EU) 2025/1190 (DR TLPT) published on 18 June 2025 based on Article 26(11) of DORA containing detailed and binding rules on the scope of testing, the selection of testers, the testing methodology and the testing strategy for each phase of the testing procedure. DORA places the responsibility for the compliant implementation of the TLPT exclusively on the financial entities (Article 26(3) and (8) DORA and Article 4 et seq. of DR TLPT).
The contractual negotiations between the parties involved in a TLPT will therefore in future have to take the statutory DORA requirements into account. The attitude frequently encountered in practice, whereby third-party ICT service providers do not permit threat-led penetration tests at all or permit them only to a very limited extent and on their own terms, will no longer be tenable under the DORA requirements. This applies all the more given that, pursuant to section 56 (5e) (3) of the German Banking Act (Kreditwesengesetz – KWG), which was newly introduced by the national legislature in connection with the applicability of DORA, financial entities face heavy fines if, contrary to the first sentence of Article 26(1) of DORA, a test has not been carried out or has been carried out incorrectly, incompletely or not in a timely manner.
In summary, the stricter requirements under DORA are leading to a fundamental change in IT penetration testing practices in the financial sector. Affected financial entities and third-party ICT service providers are well advised to clearly align any necessary contractual provisions to the DORA requirements and to strictly monitor their compliant implementation. After all, hacking is now mandatory under the DORA regulation.