DORA Compliance Guide

DORA Penetration Testing That Satisfies Your Supervisory Authority

DORA's threat-led penetration testing requirement is a higher bar than most financial entities realize. Sprocket delivers the adversarial testing, purple team validation, and supervisory-ready documentation your TLPT obligation demands.

Article 26

Requires threat-led penetration testing for significant EU financial entities

Every 3 years

Minimum TLPT cadence with ongoing ICT testing obligations between cycles under Article 25

87%

Of financial entities tested by Sprocket had a critical finding on their first DORA-scoped engagement

The Requirement

What DORA Actually Requires

DORA is explicit: a point-in-time exercise won't satisfy a supervisory authority reviewing your Digital Operational Resilience Testing program. Article 26 sets the standard and it's more demanding than most financial entities have prepared for.

Requirement: Article 26
What it means in practice: Conduct intelligence-driven red team testing against live production systems at least every three years, following a defined three-phase structure (threat intelligence, red team execution, purple team validation) under supervisory authority oversight.
How Sprocket satisfies the requirement: Sprocket works alongside your threat intelligence provider through all three TIBER-EU phases, with every phase documented to the standard a competent authority expects to review.

Requirement: TLPT
What it means in practice: Where standard penetration testing validates known attack paths, TLPT simulates a specific adversary, defined by threat intelligence, executing against your live production environment while supervisory authorities oversee the scope and outcomes.
How Sprocket satisfies the requirement: Scenarios are defined by your threat intelligence provider, execution targets your production environment, and your supervisory authority gets evidence of a genuine adversarial exercise, not a scheduled scan with a red team label.

Requirement: Article 25
What it means in practice: Maintain an ongoing Digital Operational Resilience Testing program regardless of whether you're subject to TLPT.
How Sprocket satisfies the requirement: Sprocket's continuous testing program keeps your Article 25 Digital Operational Resilience Testing obligation active across the full three-year cycle.

Requirement: Articles 28-30
What it means in practice: Your resilience obligations extend to your ICT supply chain: vendor integrations, third-party access paths, and critical provider dependencies are in scope, not just your own infrastructure.
How Sprocket satisfies the requirement: Sprocket's continuous external attack surface management surfaces vendor integrations and supply chain exposure on an ongoing basis, with targeted testing of critical ICT dependencies that maps directly to your third-party risk register.

Why Continuous Testing

Why Continuous Testing Matters Between TLPT Cycles

Attack surface doesn't pause

Continuous external attack surface monitoring ensures environment changes don't create unvalidated exposure that your next threat intelligence provider has to discover from scratch.

Supervisory expectations run on a shorter cycle

Article 25 requires an ongoing testing program, and continuous testing gives your compliance team evidence of active resilience management that holds up to supervisory review at any point.

Detection gaps reopen

Continuous testing validates that SOC improvements identified during purple team exercises have actually held, and surfaces new gaps before they become material.

Third-party risk

Ongoing monitoring of vendor integrations and internet-exposed dependencies is the only way to maintain supply chain visibility between formal third-party assessments under Articles 28–30.

Evidence record

The evidence record should precede the supervisory review, not follow it. Continuous penetration testing provides a timestamped record of findings, remediation, and retesting from day one, so you're never reconstructing history when your competent authority asks for it.

What we find

Common DORA Findings Sprocket Surfaces

critical

VPN/Edge Device Exploitation

Internet-facing VPN appliances and security gateways running unpatched firmware are exploited via known or zero-day vulnerabilities to achieve pre-authentication remote code execution. Three of the four most exploited vulnerabilities in 2024 were zero-days in security products of this type.

high

Third-Party Fintech Integration with Excessive OAuth Scope and No Token Rotation

Open banking and embedded finance integrations with third-party providers are authorized with OAuth tokens granting read/write access to account data, transaction initiation, and customer PII. Tokens are long-lived (no rotation policy), stored in plaintext in application configuration files, and scoped far beyond the minimum permissions required for the integration's stated function.
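As an added, defender-side illustration of the OAuth finding above (example code, not Sprocket's own tooling): a small Python audit that flags the three defects the finding describes in a constructed config export. The integration records, the `${VAULT:...}` reference convention, the per-function least-privilege scope baseline and the 90-day rotation ceiling are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample config export (no real credentials): two third-party integrations.
INTEGRATIONS = [
    {"name": "aggregator", "purpose": "balance-reporting",
     "scopes": ["accounts:read", "transactions:read", "payments:write", "customer:pii"],
     "token": "tok_CONSTRUCTED_plaintext_value_123",   # literal secret in the config file
     "issued_at": "2023-01-15T00:00:00Z", "expires_at": None, "rotation_days": None},
    {"name": "kyc-provider", "purpose": "identity-check",
     "scopes": ["customer:pii"],
     "token": "${VAULT:oauth/kyc-provider}",           # reference into a secrets store
     "issued_at": "2025-05-01T00:00:00Z", "expires_at": "2025-05-02T00:00:00Z", "rotation_days": 1},
]

# Hypothetical least-privilege baseline: the scopes each stated function actually needs.
MIN_SCOPES = {"balance-reporting": {"accounts:read"}, "identity-check": {"customer:pii"}}
MAX_TOKEN_AGE = timedelta(days=90)   # assumed rotation ceiling, set by policy


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp (None stays None)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def is_secret_reference(value):
    """True when the config holds a pointer into a secrets store, not the token itself."""
    return value.startswith("${") and value.endswith("}")


def audit(integration, now):
    """Return the set of findings for one integration record."""
    findings = set()
    excess = set(integration["scopes"]) - MIN_SCOPES[integration["purpose"]]
    if excess:
        findings.add("excessive_scope:" + ",".join(sorted(excess)))
    if not is_secret_reference(integration["token"]):
        findings.add("plaintext_token_in_config")
    if integration["expires_at"] is None:
        findings.add("token_never_expires")
    if not integration["rotation_days"]:
        findings.add("no_rotation_policy")
    if now - parse_ts(integration["issued_at"]) > MAX_TOKEN_AGE:
        findings.add("token_older_than_policy")
    return findings


def audit_all(integrations, now):
    """Map each integration name to its findings; an empty set means it passed."""
    return {i["name"]: audit(i, now) for i in integrations}


if __name__ == "__main__":
    for name, found in audit_all(INTEGRATIONS, datetime.now(timezone.utc)).items():
        print(name, sorted(found) or "OK")
```

Feeding the same records into a ticketing or GRC export gives the timestamped evidence trail the page describes under Article 25.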

FAQ

DORA Penetration Testing — Frequently Asked Questions

Does DORA apply to our organization?

DORA applies to most EU financial entities. The TLPT requirement under Article 26 applies specifically to entities designated as significant by their competent authority. All in-scope entities have baseline ICT testing obligations under Article 25 regardless of designation. If you're uncertain, your national competent authority or legal team is the right starting point.

What is TIBER-EU and how does it relate to DORA?

TIBER-EU is the ECB-developed framework DORA uses as its model for TLPT. It defines the three-phase structure of threat intelligence, red team execution, and purple team validation. If your organization has previously conducted a TIBER exercise, supervisory authorities will assess whether it meets current DORA requirements before crediting it.

Can we use our existing annual penetration test to satisfy DORA?

In most cases, no. Standard pentests don't involve threat intelligence-driven scoping, live production testing, or purple team exercises. A strong continuous testing program does satisfy Article 25's baseline obligation.

What is a purple team exercise and why does DORA require it?

A purple team exercise replays red team techniques with your SOC present to evaluate whether your team would have detected and responded to them. DORA requires it because operational resilience means detecting and containing attacks, not just preventing them.

What role does threat intelligence play in TLPT scoping?

A qualified threat intelligence provider must define the threat landscape targeting your organization before red team execution begins. This is why TLPT cannot be scoped by the financial entity or tester alone.

How does DORA interact with our ICT third-party provider obligations?

Articles 28–30 require your resilience program to account for vendor integrations and critical ICT dependencies, not just your own infrastructure.

Ready to See Your Real Exposure?

Get a quote for continuous penetration testing tailored to your environment.