DORA Penetration Testing Requirements for Investment Firms
Investment firms and asset managers are critical nodes in the European financial system. DORA requires these entities to move beyond basic vulnerability scanning and implement intelligence-led, live-environment penetration testing to secure trading algorithms, client data, and market access points.
Article 26 Requirements
Article 26 requires financial entities that their competent authority has identified as significant (under the criteria in Article 26(8): impact on the financial sector, financial stability, and the entity's ICT risk profile and maturity) to carry out TLPT at least once every three years. Each test must cover several or all of the entity's critical or important functions and must be performed on the live production systems supporting them, including the underlying ICT systems, processes and technologies, and those operated by ICT third-party providers where they fall in scope. For asset managers, this directly implicates portfolio management systems, algorithmic trading platforms, and the APIs connecting them to liquidity providers.
TIBER-EU Framework Application
Testing must follow the TIBER-EU framework as applied through the TLPT Regulatory Technical Standards, including national TIBER implementations such as TIBER-DE. (CBEST is the Bank of England's equivalent scheme for UK firms and is not a DORA framework, although a group operating in both jurisdictions may be able to align the two exercises.) Investment firms engage a Threat Intelligence Provider (TIP) to map the threat actors and attack paths relevant to the European asset management sector, followed by a Red Team Provider (RTP) who executes covert attacks against live infrastructure without warning to the blue team; only the entity's control (white) team is aware the test is under way. Testers must meet the suitability, certification, independence and insurance requirements of Article 27. An internal red team may be used only with the competent authority's approval, the threat intelligence provider must always be external, and external testers must be contracted at least every third test.
Exemptions & Significance Thresholds
Investment firms classified as small and non-interconnected (SNIs) under the IFR/IFD framework fall under the simplified ICT risk management framework of Article 16 and are excluded from the Article 26 TLPT obligation by the regulation text itself, as are microenterprises; they remain subject to the general testing programme of Articles 24 and 25. For all other investment firms, TLPT is not automatic: the competent authority designates entities using the Article 26(8) criteria as detailed in the TLPT RTS. Class 1 and class 2 investment firms with significant AUM, cross-border operations, or a central role in market access should expect to be designated and should plan for a three-year testing cycle accordingly.
Request a TLPT Consultation
Speak with a DORA specialist about your Article 26 obligations and get a scoped proposal.