Digital Operational Resilience Testing Under DORA (2026 Guide)
Your internal audit asks for evidence of “DORA testing,” the CISO points to last year’s penetration test report, and the business continuity team provides tabletop exercise minutes. On paper, that looks like coverage. In practice, supervisors will typically look for something stricter: a coherent, risk-based digital operational resilience testing program that is governed, repeatable, and demonstrably tied to your critical functions, material ICT services, and third-party dependencies.
DORA has applied since January 2025. If your testing is still organized as disconnected activities owned by different teams, you may struggle to show completeness, proportionality, and follow-through. That gap often appears during supervisory engagement or when you need to justify why a specific scenario was not tested, why a key provider was excluded, or how test findings are driving remediation.
This article explains what DORA requires for testing, how to structure the program operationally, how threat-led penetration testing (TLPT) fits in, and what evidence you should be ready to provide. For a broader foundation, see what is digital resilience.
Table of Contents
What DORA means by “digital operational resilience testing”
DORA frames testing as a core mechanism to validate that your ICT risk management framework and resilience measures work under stress, not only that they exist as policies. The intent is operational: can you withstand, respond to, and recover from ICT disruptions while maintaining critical or important functions.
Now, when it comes to terminology, DORA does not treat testing as synonymous with penetration testing. Digital operational resilience testing is a broader family of activities that can include scenario-based exercises, technical validation, control testing, resilience testing of systems and processes, and (for certain entities) TLPT.
Think of it this way: testing is how you move from “we have controls” to “we can show controls perform, weaknesses are tracked, and resilience is improving.” This aligns with the broader concept described in what is digital operational resilience act and how institutions operationalize the digital operational resilience act in day-to-day governance.
Testing also acts as a bridge between DORA pillars. The reality is that testing results tend to expose gaps in ICT third-party oversight, incident response readiness, and operational continuity planning, even when individual teams believe they are “compliant.”
Governance and proportionality: what supervisors expect you to prove
DORA’s testing obligations are not only technical. They are governance-driven. Supervisors, through national competent authorities and the ESA framework (EBA, ESMA, EIOPA), will typically expect clarity on who owns the testing program, how it is approved, and how results are escalated and remediated.
From an operational standpoint, a defensible testing program usually includes:
Proportionality is not a free pass. Smaller or less complex entities may run a lighter program, but you still need to show a rational basis for test selection, frequency, and depth. What many compliance teams overlook is that proportionality arguments can fail if you cannot show a credible inventory of ICT assets, services, and third-party dependencies that underpin your critical functions.
If your organization is still aligning the program structure, it helps to start from your internal “testing framework” logic and tie it back to DORA obligations. The companion piece digital resilience testing framework can be a useful reference point for structuring that mapping.
Designing a risk-based testing program that maps to critical functions
A mature digital operational resilience testing program starts with a clear “what must be resilient” view, then determines “how to test it.” Many institutions invert this by starting with a list of tests they already run and attempting to label them DORA-compliant. That approach often produces gaps in coverage and weak audit narratives.
Step 1: Define the scope you will test, using DORA language
In practice, your test scope should align to critical or important functions, material business services, and the ICT assets and services that support them. You should be able to explain how the test scope aligns to your ICT risk profile, including cyber threats, operational failures, and third-party outages.
Consider this scenario from a mid-sized investment firm: the “client trading platform availability” function is critical, but core components are delivered through a SaaS provider and a managed database service. A test plan that focuses only on internal network controls may miss the highest-impact failure modes, such as provider-side identity compromise or misconfiguration leading to prolonged outage.
Step 2: Use risk to select test types and frequency
Once scope is defined, you choose techniques proportionate to risk and complexity. Higher criticality services typically justify more frequent or deeper testing, including technical exercises and scenario tests that involve business owners, IT operations, security, and vendor management.
Here’s the thing: testing frequency should be justified by a risk narrative, not only a calendar. For example, major architectural changes, migrations, provider substitutions, or concentration risk signals may trigger ad hoc testing even if the annual plan is “on track.”
If you are building the broader program narrative, dora digital resilience testing provides additional context on how many organizations align testing to the DORA implementation program.
Testing techniques, scope boundaries, and typical artifacts
DORA expects a mix of tests that validate both technology and operational capability. Your goal is not to run every possible test type. Your goal is to demonstrate that the selected suite of tests is sufficient to validate resilience for your specific risk profile.
Common test families that institutions use to evidence DORA alignment include:
Scope boundaries should be explicit. If you exclude specific assets, environments, or providers, you should document why, the residual risk, and compensating measures. Supervisors and internal audit will often challenge “out of scope” statements if they relate to critical functions or systemic dependencies.
Artifacts matter. You should typically expect to maintain:
A dedicated DORA compliance platform can help with evidence consistency, task ownership, and audit trails across these artifacts. Dorapp positions DORApp as a cloud-based platform to manage and evidence DORA processes in an auditable way, including structured workflows, approvals, and records. If you want to understand their approach at a high level, you can explore the platform at dorapp.eu.
Testing frequency and minimum expectations: how often, how deep, and what drives change
Testing is not only about which techniques you use. Supervisors will typically challenge whether the cadence is credible for your risk profile, and whether you can justify both routine testing and change-driven testing. Under the digital operational resilience testing pillar, financial entities are expected to establish, maintain, and review a testing program as part of the ICT Risk Management Framework, subject to proportionality and supervisory expectations under the ESA framework (EBA, ESMA, EIOPA).
Competitor guidance often emphasizes a simple message that is directionally correct under DORA: vulnerability scanning alone is not sufficient, and penetration testing alone is rarely sufficient. What the regulation actually requires is a risk-based mix of tests that you can defend as appropriate for your critical or important functions, threat exposure, and architecture, including third-party dependencies.
What “at least annual” tends to mean in practice
Many institutions operationalize a baseline expectation that critical systems and services are tested at least annually through a combination of technical and operational exercises. The exact composition can vary by entity type and risk profile, but you typically want a defensible rationale that covers:
Consider this: a critical customer-facing service that depends on a cloud identity plane and a small number of privileged support paths may justify more frequent control validation around identity, logging, and recovery, even if other internal systems remain on an annual cadence.
What typically triggers out-of-cycle testing
Here’s the thing: supervisors usually do not expect you to wait for next year’s plan if your risk profile has materially changed. In most institutions, out-of-cycle testing triggers are tied to events such as:
From a practical standpoint, documenting these triggers as part of your testing governance makes it easier to show that your program is not a static calendar exercise. It also helps explain why certain tests occurred outside the annual plan and how the decision was approved.
This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified legal or regulatory counsel for institution-specific DORA compliance guidance.
TLPT under DORA Article 26: when it applies and how to prepare
DORA Article 26 introduces threat-led penetration testing (TLPT) as the most advanced form of resilience testing, intended to simulate realistic adversarial tactics against critical functions. TLPT is not automatically required for every DORA-regulated entity. Competent authorities typically determine the scope of entities in line with the regulatory framework and proportionality considerations.
If TLPT may apply to you, preparation usually requires more than booking an external test team. The operational lift tends to come from governance, scoping, and cross-functional coordination, especially where critical functions depend on ICT third-party providers.
What a TLPT-ready posture typically includes
Where institutions commonly underestimate the effort
The most frequent friction point is third-party involvement. If your cloud or managed service provider restrictions prevent meaningful testing, you will need a defensible alternative, such as evidence from provider assurance reports, joint testing, or scoped validation that still demonstrates resilience. This is rarely a purely technical question. It often sits at the intersection of procurement, legal, risk, and security governance.
Aligning testing with incident reporting and lessons learned under DORA
Testing is one side of the “prove it works” expectation. Incident handling and incident reporting are the other. Under DORA’s incident management and reporting pillar, financial entities must manage ICT-related incidents and report major ICT-related incidents to competent authorities. DORA also provides for voluntary notification of significant cyber threats. The practical implication is straightforward: your testing program should be informed by real incidents and near-misses, and your incident processes should be tested, not assumed.
What many compliance teams overlook is the feedback loop: if you experience an incident that exposes a weakness in detection, containment, recovery, or external communications, supervisors may reasonably expect that to translate into updated scenarios, deeper technical validation, and evidence of remediation and retesting. That expectation tends to be reinforced when similar issues reappear across multiple incidents or testing cycles.
How to use incident data to strengthen your testing narrative
In most institutions, you can improve defensibility by explicitly connecting incident evidence to testing decisions. Examples include:
Testing your ability to classify and escalate under pressure
Even where classification thresholds and reporting timelines are standardized through RTS and ITS developed by the ESAs, the operational challenge is local: can you gather the right facts fast enough, ensure consistent classification, and produce defensible reporting outputs with appropriate approvals. A targeted exercise can test this without waiting for a real incident. For example, a scenario can require teams to decide whether an event meets “major ICT-related incident” criteria based on impact, duration, client effects, and service criticality, then validate internal governance for approval and submission.
Think of it this way: if your testing program never touches incident classification and reporting workflow readiness, you may be able to show technical testing, but you may struggle to show end-to-end operational resilience as DORA expects.
This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified legal or regulatory counsel for institution-specific DORA compliance guidance.
Including ICT third parties and concentration risk in your testing approach
DORA’s third-party expectations and its testing expectations reinforce each other. If your testing program ignores the providers that underpin critical functions, your coverage argument becomes difficult to sustain.
In practice, you should be able to show how third-party dependencies are incorporated into testing through one or more of the following approaches:
Concentration risk is the other blind spot. Many compliance teams can list vendors, but cannot quantify how a single provider outage could cascade across multiple business lines or entities. Testing provides a practical mechanism to validate concentration risk assumptions through scenario design, service continuity tests, and dependency stress cases.
If your third-party governance is still being operationalized, tools like DORApp’s Third Party Risk Management and Questionnaire Automation (TPRM) module are positioned to help collect structured information from providers, apply review workflows, and support concentration risk analysis in a repeatable way, subject to your internal methodology and oversight needs.
Evidence and audit readiness: making outcomes defensible
Under supervisory scrutiny, “we tested” is not sufficient. You need to demonstrate that you tested the right things, that the test quality was controlled, and that you acted on results. Evidence quality often becomes the differentiator between a program that looks compliant and one that is defensible.
What many compliance teams overlook is the decision layer around testing. You should typically maintain a clear record of:
If those decisions happen in email threads, evidence becomes fragmented. Dorapp describes an “Execution Governance Engine” concept in DORApp to enforce controlled workflows with review gates and sign-off, plus audit trail records of approvals and transitions. For teams aiming to reduce manual coordination risk, that workflow discipline can help, but you still need a sound testing methodology and clear ownership model.
Common implementation failures and practical corrections
DORA testing programs tend to fail in predictable ways, especially where institutions treat testing as a one-off compliance deliverable rather than an ongoing operating model.
Failure mode 1: Treating the annual pen test as “DORA testing”
A penetration test is useful, but it usually tests a narrow slice of resilience. Corrective action: create a test portfolio that includes technology, process, and people. Link it to critical functions and define what “pass” means for recovery and continuity outcomes, not only vulnerability counts.
Failure mode 2: Testing does not reflect your real architecture and providers
Testing often targets internal systems while the actual failure modes sit in cloud identity, CI/CD pipelines, SaaS dependencies, or provider support processes. Corrective action: update dependency maps, then design scenarios around realistic disruption points.
Failure mode 3: Findings are logged but not governed
Supervisors will typically focus on remediation: prioritization, ownership, deadlines, and retesting. Corrective action: implement a formal findings lifecycle with management oversight and a clear retest policy for high-impact gaps.
Failure mode 4: Inconsistent evidence and weak audit trail
If artifacts are scattered across shared drives, ticketing, and spreadsheets, your ability to demonstrate control deteriorates quickly. Corrective action: define a minimum evidence pack per test type and require consistent approvals and closure criteria.
To ensure your program narrative is coherent, it helps to align your testing approach with your overarching DORA interpretation, including definitions and scope boundaries. The related explainer what is digital resilience can help align internal stakeholders on the core concept you are trying to prove through testing.
Key Takeaways
Conclusion
DORA has shifted resilience testing from an IT security activity into a regulated operating discipline. If you want your testing program to withstand supervisory challenge, you need a documented and approved testing plan, coverage tied to critical functions and material dependencies, and a clear lifecycle from results to remediation and retesting. The practical work is cross-functional: risk, security, IT operations, business owners, procurement, and legal typically need to agree on scope, provider involvement, and acceptable residual risk.
A consistent evidence model and clear decision records will often determine whether your program looks mature or ad hoc. If you are evaluating ways to improve traceability and workflow control, you can explore how Dorapp structures DORA governance and evidence in DORApp at dorapp.eu, then benchmark that approach against your internal tooling and supervisory expectations.
Over time, institutions that treat testing as an ongoing cycle, not an annual event, are better positioned to demonstrate continuous improvement in digital operational resilience.
Regulatory Disclaimer: This article is provided for informational and educational purposes only. It does not constitute legal advice and should not be relied upon as a substitute for qualified legal or regulatory counsel. DORA compliance obligations vary depending on the nature, scale, and risk profile of each financial entity. Always consult with a qualified legal advisor or compliance professional regarding your specific obligations under the Digital Operational Resilience Act and applicable Regulatory Technical Standards. DORA interpretation and supervisory expectations may evolve as the European Supervisory Authorities (EBA, ESMA, EIOPA) and national competent authorities publish additional guidance. This content reflects available information at the time of publication and should be verified against current ESA publications. DORA applies to EU-regulated financial entities as defined under Regulation EU 2022/2554.
Frequently Asked Questions
How is digital operational resilience testing different from standard cybersecurity testing?
Digital operational resilience testing covers cybersecurity, but extends to operational continuity and recovery capability for ICT-supported services. Under DORA, supervisors typically expect testing to validate end-to-end resilience outcomes for critical or important functions, including people and process readiness, not only technical vulnerabilities. That often includes scenario exercises, failover and recovery tests, incident response drills, and control validation. A penetration test report can be one input, but it rarely demonstrates that your organization can maintain service within acceptable tolerance during disruption.
Which DORA articles are most relevant for testing programs?
DORA’s testing obligations sit primarily in the testing pillar, with TLPT addressed explicitly in DORA Article 26. Your testing program also interacts with other parts of the regulation, including governance and ICT risk management requirements that define what you should test and how you manage findings. In practice, your ability to demonstrate testing maturity depends on the strength of your underlying ICT risk management framework, your service and dependency inventories, and your remediation governance. For broader regulatory context, see digital operational resilience act.
Do all DORA-regulated entities need to perform TLPT?
No. TLPT under DORA Article 26 is intended for certain financial entities, typically based on criteria set and applied through competent authority processes and proportionality considerations. If TLPT does not apply, you still need a robust testing program using other techniques that are proportionate to your risk profile. If TLPT may apply, preparation often requires early work on scope definition, provider involvement, rules of engagement, and governance for remediation and retesting.
How should you decide what to include in your annual testing plan?
A defensible plan usually starts with critical or important functions and maps them to supporting ICT assets, services, and third-party dependencies. You then select test types based on realistic disruption scenarios and your risk assessment. Many institutions also add change-driven triggers, such as major migrations, supplier changes, or new concentration risk signals, to justify out-of-cycle tests. A structured planning approach is often described as a digital resilience testing framework, which helps you explain why coverage is sufficient.
What evidence should you keep to demonstrate DORA testing compliance?
You typically need evidence of governance and execution, not only results. That can include the approved testing plan, scope and limitation rationales, test scripts or scenario narratives, attendance and exercise records, technical outputs where applicable, findings logs with severity rationale, remediation plans with deadlines and owners, and proof of closure or retesting. Supervisors may also challenge how you made scoping decisions, so decision records and approvals become important artifacts, especially for exclusions involving critical functions.
How do you incorporate ICT third-party providers into resilience testing?
Incorporation can range from joint tabletop exercises, to validation of escalation and communications paths, to assurance mapping using provider reports, to technical testing that is contractually permitted. The key is to show that your testing reflects real dependencies and that exclusions are justified. If a provider limits test access, you may need compensating evidence and documented residual risk acceptance. This is often where procurement and legal engagement becomes essential, especially for cloud services supporting critical functions.
How does DORA testing relate to the concept of digital resilience?
Testing is one of the main ways you demonstrate that “digital resilience” exists in practice, not only in policy. Resilience is about the ability to resist, respond, and recover while maintaining critical functions. Testing provides observable outcomes and measurable gaps that you can track over time. If your teams use inconsistent definitions, alignment can be difficult. It can help to standardize language internally using references such as what is digital resilience or the pillar context in what is digital resilience.
What are common supervisory red flags in resilience testing programs?
Common red flags include: testing that is not linked to critical functions, unclear scope boundaries, reliance on a single annual test type, weak evidence packs, and findings that do not translate into tracked remediation. Supervisors may also question whether third-party dependencies were meaningfully considered, particularly where a small number of providers support multiple critical functions. If your testing narrative is still forming, aligning it to DORA-specific expectations can be easier if you review dedicated guidance like dora digital resilience testing.
Can a tool help with DORA testing compliance, or is it mostly process?
It is fundamentally process and governance, but tooling can reduce operational friction and improve evidence consistency. For example, workflow controls, approval gates, task assignment, and audit trail features can help ensure tests are planned, executed, reviewed, and closed in a repeatable way. Dorapp describes DORApp as a modular platform designed to evidence DORA processes with traceable workflows and audit-ready records. Whether you use a dedicated platform or internal tooling, you still need a clear methodology and accountable ownership model.
What are the “five pillars” of DORA, and where does testing sit?
DORA is commonly operationalized into five core areas: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information-sharing arrangements. Testing is the pillar that validates whether the controls and processes defined under the other pillars actually perform in realistic conditions. In supervisory conversations, testing evidence often becomes the practical “proof layer” that connects policy requirements to observed outcomes.
How often does DORA require penetration testing?
DORA does not reduce testing to a single mandated penetration testing cadence for every entity. In most cases, you are expected to define a risk-based testing program that includes appropriate technical testing for critical systems, which may include penetration testing. For certain entities, competent authorities may require advanced testing through TLPT under DORA Article 26, which is generally understood as periodic rather than annual. The right cadence for your institution depends on proportionality, risk profile, and supervisory expectations, and should be documented and approved as part of your program governance.
Is vulnerability scanning enough to meet DORA testing expectations?
Typically not. Vulnerability scanning can be a useful control validation input, but it generally only identifies known issues in a defined scope. DORA’s testing expectation is broader: can you evidence resilience outcomes for critical or important functions, including response and recovery. That often requires a portfolio that includes scenario exercises, technical testing such as penetration testing where appropriate, and operational recovery validation. You should be prepared to explain why your chosen mix is sufficient for your threat and dependency profile.
What should you do with test findings to satisfy supervisory expectations?
Supervisors will typically focus on whether findings lead to measurable improvement. In practice, that means documenting severity rationale, assigning accountable owners, setting deadlines, tracking remediation to closure, and retesting material issues. Where remediation is deferred, you generally need a defensible residual risk acceptance decision that is approved at the right level of governance, subject to your internal risk appetite and supervisory expectations.
About the Author
Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.