← All articles
CompliancePentesting

DORA Penetration Testing Requirements 2026

DORA mandates resilience testing (Art. 24–25) for nearly all financial entities, plus advanced TLPT (Art. 26) for those the authority names.

Jamin Mahmood-Wiebe · Published · 9 min read

Engraving-style illustration for DORA Penetration Testing Requirements 2026

DORA does not name a single "penetration test" as a blanket obligation. It sets up two tiers. Under Art. 24–25, nearly every financial entity except microenterprises must run a resilience testing programme that explicitly includes penetration testing. Under Art. 26, a subset that competent authorities name must run advanced Threat-Led Penetration Testing (TLPT) at least every three years. DeepMantis covers the recurring Art. 25 baseline: autonomous web and API testing that exploits and proves each finding, from €890. TLPT is a different, narrower obligation, a threat-intelligence-led red-team exercise scoped to a subset of entities, and we draw that line plainly below.

Does DORA require penetration testing?

Yes, but the requirement lives in two distinct places, and the difference matters for what you actually have to buy. DORA is Regulation (EU) 2022/2554, adopted 14 December 2022 and applicable from 17 January 2025 (Art. 64). Its testing regime sits in Chapter IV, Articles 24 to 27.

Art. 24(1) sets the frame: all financial entities except microenterprises must "establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework." Art. 25(1) then lists the baseline tests that programme has to draw on:

"vulnerability assessments and scans, open source analyses, network security assessments, gap analyses ... and penetration testing."

— Art. 25(1), Regulation (EU) 2022/2554 (DORA)

So penetration testing is named directly, as one component of a recurring programme, not a one-off box to tick. BaFin frames the shift bluntly.

"DORA's most important accomplishment is the creation of a single rulebook, i.e. a regulatory framework for managing ICT risks that is applicable throughout Europe."

BaFin, 12.04.2024

Who has to run advanced TLPT under Art. 26?

Not everyone. This is where most summaries blur the line. Art. 26 introduces advanced testing through Threat-Led Penetration Testing: a full-scope, threat-intelligence-led red-team exercise. It is required "at least every 3 years" (Art. 26(8)), but only for financial entities the competent authority identifies, taking the proportionality criteria of Art. 4(2) into account. Being in scope for DORA does not automatically put you in scope for TLPT.

When TLPT does apply, the bar is high: under Art. 26(2), each test "shall cover several or all critical or important functions ... and shall be performed on live production systems." The methodological detail is set out in the Regulatory Technical Standards under Art. 26(11), the ESAs Joint Committee final report JC 2024-29 (17 July 2024).

One common error worth killing here: TIBER-EU is the methodological reference for TLPT, not its legal basis. Art. 26(11) directs the RTS to be developed "in accordance with the TIBER-EU framework," and the ECB updated TIBER-EU in 2024 to align with DORA. But the obligation itself comes from Art. 26 and the RTS.

"The TIBER-EU framework can also assist competent authorities and financial entities in meeting the requirements for threat-led penetration tests under the Digital Operational Resilience Act (DORA)."

European Central Bank, TIBER-EU

The practical read: TLPT is a specialist engagement scoped around threat intelligence and an entity's critical functions, emulating a named adversary across the whole organisation. It is a different discipline from the recurring application-layer testing that Art. 25 asks every entity to run, and no honest vendor should blur the two.

Who does DORA affect?

A wide slice of the financial sector. Art. 2 lists credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers, insurers and reinsurers, central securities depositories, central counterparties, trading venues, and ICT third-party service providers, among others. The count is large.

over 3,600
Financial-sector entities to which DORA applies in Germany alone — each required to run the Art. 24 resilience testing programme.Source: BaFin, 12.04.2024 (bafin.de). DeepMantis prices per deepmantis.io/en#pricing (as of July 2026).

"In Germany, DORA is applicable to over 3,600 entities of the financial sector."

BaFin, 12.04.2024

Readiness has lagged the deadline. As reported from the Deloitte DORA European Survey, around 50 per cent of institutions expected to reach full compliance by the end of 2025, while 38 per cent pushed their target into 2026. DORA also fixes accountability at the top: BaFin stresses that "the responsibility for managing a company's ICT risks lies at management level, i.e. with the managing directors or members of the executive board" (BaFin, 12.04.2024). Deferring the testing programme is a management-level exposure, not an IT-department footnote.

What are the penalties under DORA?

Two regimes, and they must not be mixed up. For financial entities, Art. 50 sets a framework: administrative penalties must be "effective, proportionate and dissuasive," but DORA leaves the actual fine amounts to Member State transposition. There is no single EU-wide turnover cap for financial entities in DORA itself; the numbers you can quote depend on your national implementation.

For critical ICT third-party service providers, DORA does set a hard figure. Art. 35 empowers the Lead Overseer to impose a periodic penalty payment of "up to 1% of the average daily worldwide turnover ... in the preceding business year", charged daily for up to six months. That cap is in the Regulation itself and safe to cite directly (Regulation (EU) 2022/2554). If you are a financial entity rather than a designated critical ICT provider, treat any "% of turnover" fine figure as national-law territory and verify it against your transposition act.

How does autonomous testing fit the DORA baseline?

For the Art. 25 baseline (recurring vulnerability assessments, scans, and penetration testing), the economics of person-day pricing collide directly with the "sound and comprehensive ... testing programme" language of Art. 24(1). A programme means recurrence, and recurrence at manual day rates gets expensive fast across a portfolio of applications and APIs.

DeepMantis runs autonomous engagements across the web applications and APIs in scope, with a reproducible proof of concept for every finding. This maps to the Art. 25 baseline components (vulnerability assessment, penetration testing) run continuously rather than as an annual snapshot. The public price list names three tiers: €890 for a single-surface application, €3,800 for a connected product with sensitive data, and €7,500 for a distributed system with regulated data; monthly testing starts at €99 (billed annually). The audit-ready PDF report documents the attack path, reproduction steps, and proven impact per finding: the evidence a resilience testing programme needs to show.

What DeepMantis does not do is TLPT. Threat-Led Penetration Testing under Art. 26 is a specialist, threat-intelligence-led red-team engagement that emulates a named adversary against an entity's critical functions on live production, reaching across network, identity, and lateral movement, scoped and governed under the RTS. That is a distinct discipline, not a deeper version of application testing. Within the Art. 25 baseline, DeepMantis runs full exploitation: it does not just flag a SQL injection or an access-control flaw, it exploits it and ships the reproducible proof. But if your competent authority has named you for TLPT, that is a different procurement: engage a qualified TLPT provider. DeepMantis addresses the recurring baseline that applies to the far larger population of in-scope entities; it is not a substitute for the advanced tier.

Frequently asked questions

Is penetration testing mandatory under DORA?

Penetration testing is named in Art. 25(1) as one of the baseline tests a financial entity's resilience testing programme must draw on, and Art. 24(1) makes that programme mandatory for all in-scope entities except microenterprises. So while DORA does not prescribe a specific pentest cadence for everyone, evidence-producing penetration testing is a named, expected component of the baseline programme.

Who has to do TLPT under DORA?

Only financial entities that the competent authority identifies, based on the proportionality criteria in Art. 4(2). Those entities must run Threat-Led Penetration Testing at least every three years, covering several or all critical or important functions on live production systems. Being subject to DORA does not automatically mean you are subject to TLPT.

No. The legal basis is Art. 26 of DORA plus the Regulatory Technical Standards (JC 2024-29). TIBER-EU is the methodological reference the RTS is built "in accordance with." The ECB updated it in 2024 to align with DORA, but it is a framework, not the source of the obligation.

What are the fines under DORA?

For financial entities, Art. 50 requires "effective, proportionate and dissuasive" penalties but leaves the amounts to national transposition, so the specific fine ceiling depends on your Member State's implementation. For designated critical ICT third-party providers, Art. 35 sets a periodic penalty payment of up to 1% of average daily worldwide turnover, charged daily for up to six months.

Further reading


As of July 2026. Legal provisions cited from Regulation (EU) 2022/2554 (DORA) via EUR-Lex, the ESAs RTS on TLPT (JC 2024-29), BaFin, the ECB, and the Deloitte DORA European Survey. This page is not legal advice; verify your entity's classification and any TLPT designation with your competent authority and qualified counsel. DeepMantis methodology and scope limits are documented on the security page.

Want findings like these for your own stack?

Start your pentest

More articles

Request a Pentest

Fill out the form and we'll get back to you within 24 hours.

Tell us about your project

Protected by Cloudflare Turnstile.

HQ
Hamburg, Germany
Prefer to talk first?
Book a 15-min call