DORA Resources
Free guides, checklists, and resources to help you navigate DORA compliance and security testing requirements.
Guides & Templates
DORA Compliance Checklist
Comprehensive checklist covering all DORA requirements for financial entities.
TLPT Planning Guide
Step-by-step guide to planning and executing Threat-Led Penetration Testing.
ICT Risk Framework Template
Template for developing your ICT risk management framework under DORA.
Third-Party Risk Assessment
Questionnaire template for assessing ICT third-party providers.
Frequently Asked Questions
When did DORA become mandatory?
DORA became fully applicable on January 17, 2025. All in-scope financial entities must now comply with its requirements.
Who needs to comply with DORA?
DORA applies to virtually all EU-regulated financial entities, including banks, investment firms, insurance companies, payment institutions, and their critical ICT service providers.
Is TLPT mandatory for all entities?
No. TLPT is mandatory only for significant financial entities. Smaller entities may be subject to simplified testing requirements, but regular vulnerability assessments are required for all in-scope entities.
How often must TLPT be conducted?
Significant entities must conduct TLPT at least every 3 years. The competent authority may require more frequent testing based on the entity's risk profile.
Can we use internal teams for TLPT?
DORA requires external testers for TLPT in most cases. Internal testers may only be used in exceptional circumstances with explicit supervisory approval.
What are the penalties for non-compliance?
Penalties vary by member state but can include fines of up to 1% of average daily worldwide turnover, administrative penalties, and remediation orders.
Need Expert Guidance?
Our DORA specialists can answer your specific compliance questions and help you develop a testing strategy.
Contact Our Team