DORA Compliance FAQ

Question 1

What is DORA (Digital Operational Resilience Act)?

Accepted Answer

DORA is an EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector. It became mandatory on January 17, 2025, and requires financial entities to manage ICT risks, report incidents, test resilience, and oversee third-party providers.

Question 2

Who must comply with DORA?

Accepted Answer

DORA applies to virtually all EU-regulated financial entities including credit institutions (banks), investment firms, insurance companies, payment institutions, e-money institutions, crypto-asset service providers, and critical ICT third-party service providers. Over 22,000 entities are affected.

Question 3

What is TLPT (Threat-Led Penetration Testing)?

Accepted Answer

TLPT is an advanced form of security testing aligned with the TIBER-EU framework. It simulates real-world cyber attacks based on threat intelligence to test an organization's detection and response capabilities. TLPT is mandatory for significant financial entities every 3 years under DORA.

Question 4

Is TLPT mandatory for all financial entities?

Accepted Answer

No. TLPT is mandatory only for significant financial entities such as large banks, major insurers, and systemic investment firms. Smaller entities have simplified testing requirements, though regular vulnerability assessments are required for all entities under DORA.

Question 5

What are the penalties for DORA non-compliance?

Accepted Answer

Penalties for DORA non-compliance vary by EU member state but can include fines up to 1% of average daily worldwide turnover, administrative penalties, public reprimands, and remediation orders from competent authorities.

Question 6

What is the TIBER-EU framework?

Accepted Answer

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European framework for threat-led penetration testing. It provides a structured methodology for conducting intelligence-led security tests on financial institutions, which DORA's TLPT requirements are based upon.

Threat-Led Penetration Testing
for EU Financial Entities

TLPT Requirements by Entity Type

Threat-Led Penetration Testing for Crypto-Asset Service Providers

DORA Penetration Testing Requirements for Investment Firms

What Makes TLPT Different?

Intelligence-Led

Live Production

Supervisory Reporting

Threat-Led Penetration Testingfor EU Financial Entities