DORA Compliance FAQ

Question 1

What is DORA (Digital Operational Resilience Act)?

Accepted Answer

DORA is an EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector. It became mandatory on January 17, 2025, and requires financial entities to manage ICT risks, report incidents, test resilience, and oversee third-party providers.

Question 2

Who must comply with DORA?

Accepted Answer

DORA applies to virtually all EU-regulated financial entities including credit institutions (banks), investment firms, insurance companies, payment institutions, e-money institutions, crypto-asset service providers, and critical ICT third-party service providers. Over 22,000 entities are affected.

Question 3

What is TLPT (Threat-Led Penetration Testing)?

Accepted Answer

TLPT is an advanced form of security testing aligned with the TIBER-EU framework. It simulates real-world cyber attacks based on threat intelligence to test an organization's detection and response capabilities. TLPT is mandatory for significant financial entities every 3 years under DORA.

Question 4

Is TLPT mandatory for all financial entities?

Accepted Answer

No. TLPT is mandatory only for significant financial entities such as large banks, major insurers, and systemic investment firms. Smaller entities have simplified testing requirements, though regular vulnerability assessments are required for all entities under DORA.

Question 5

What are the penalties for DORA non-compliance?

Accepted Answer

Penalties for DORA non-compliance vary by EU member state but can include fines up to 1% of average daily worldwide turnover, administrative penalties, public reprimands, and remediation orders from competent authorities.

Question 6

What is the TIBER-EU framework?

Accepted Answer

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European framework for threat-led penetration testing. It provides a structured methodology for conducting intelligence-led security tests on financial institutions, which DORA's TLPT requirements are based upon.

Aspect	Standard	TLPT
Duration	1-4 weeks	16-26 weeks
Threat Intel	Limited	Comprehensive
Scope	Defined assets	Critical functions
Blue Team	Often aware	Unaware

Threat-Led
Penetration Testing

Mandatory for Significant Entities

What is TLPT?

TLPT vs Standard Pentesting

Key TLPT Characteristics

TLPT Process

Preparation

Testing

Closure

TLPT Tester Requirements

Independence

Certification

Insurance

Experience

Request TLPT Consultation

Threat-LedPenetration Testing