DORA Compliance FAQ

Question 1

What is DORA (Digital Operational Resilience Act)?

Accepted Answer

DORA is an EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector. It became mandatory on January 17, 2025, and requires financial entities to manage ICT risks, report incidents, test resilience, and oversee third-party providers.

Question 2

Who must comply with DORA?

Accepted Answer

DORA applies to virtually all EU-regulated financial entities including credit institutions (banks), investment firms, insurance companies, payment institutions, e-money institutions, crypto-asset service providers, and critical ICT third-party service providers. Over 22,000 entities are affected.

Question 3

What is TLPT (Threat-Led Penetration Testing)?

Accepted Answer

TLPT is an advanced form of security testing aligned with the TIBER-EU framework. It simulates real-world cyber attacks based on threat intelligence to test an organization's detection and response capabilities. TLPT is mandatory for significant financial entities every 3 years under DORA.

Question 4

Is TLPT mandatory for all financial entities?

Accepted Answer

No. TLPT is mandatory only for significant financial entities such as large banks, major insurers, and systemic investment firms. Smaller entities have simplified testing requirements, though regular vulnerability assessments are required for all entities under DORA.

Question 5

What are the penalties for DORA non-compliance?

Accepted Answer

Penalties for DORA non-compliance vary by EU member state but can include fines up to 1% of average daily worldwide turnover, administrative penalties, public reprimands, and remediation orders from competent authorities.

Question 6

What is the TIBER-EU framework?

Accepted Answer

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European framework for threat-led penetration testing. It provides a structured methodology for conducting intelligence-led security tests on financial institutions, which DORA's TLPT requirements are based upon.

Criteria	TLPT	Red Team	Vuln Assessment	ICT Risk
DORA Required	Significant	Optional	All	All
Duration	16-26 weeks	4-12 weeks	1-4 weeks	2-6 weeks
Threat Intelligence
Investment Level	€€€€	€€€	€€	€€

Security Testing
Services

TLPT (Threat-Led Penetration Testing)

Vulnerability Assessment

Red Team Operations

ICT Risk Assessment

Which Service Do You Need?

Not Sure Which Service Is Right?

Security TestingServices