Testing required by the EU Digital Operational Resilience Regulation (DORA): what financial institutions need to know
Opinion by Andrei Ionescu, Partner, Consulting Market Leader and Central Europe Cyber Leader, and Dragoș Ionică, Senior Manager Cyber Security, Deloitte Romania
The EU Digital Operational Resilience Act (DORA), which entered into force this year, brings a set of clear obligations for financial institutions. One of the most important requirements is that entities considered significant must carry out threat-led penetration testing (TLPT) on all critical information and communication technology systems and applications and on important functions in the production environment. These tests must be repeated every three years. To support the consistent implementation of these tests, the European Central Bank (ECB) recently published the guide How to implement the TIBER-EU Framework for the DORA TLPT of significant institutions, which explains step by step how the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) framework is used to meet the requirements of DORA. The document provides clarity on the responsibilities of institutions, the testing stages and how supervisors coordinate the entire process.
What does the European Central Bank Guide state?
The Guide starts from the premise that TIBER-EU is the reference methodology for Threat-Led Penetration Testing, as it offers a realistic approach based on threat intelligence and sophisticated “red team” scenarios. The ECB clearly defines the selection criteria for significant institutions subject to mandatory testing and the roles of all actors involved, from the TLPT Authority (ECB), to the Test Manager, Control Team, Threat Intelligence Provider (TIP) and Red Team Testers (RTT). It also establishes a three-phase structure for testing: preparation, testing and closure, each containing critical activities such as defining essential functions, risk assessment, scenario creation, simulated attacks on live systems and the “replay/purple teaming” phase. In addition, the new Guide imposes strict requirements for confidentiality, team separation, risk management and maintaining operational realism throughout the exercise.
With this guide, the ECB is taking a key step towards standardizing the way TLPT is carried out across the euro area, ensuring that testing is consistent, secure and focused on real results in terms of operational resilience.
The importance of Threat-Led Penetration Testing for the financial sector
TLPT is more than just a technical exercise. It represents a realistic simulation of an advanced attack on the institution’s critical services, with the aim of assessing the ability of systems to detect, delay and block sophisticated attacks, the maturity of processes and collaboration between security and operational teams, as well as the real level of resilience of critical functions such as payments, card services, mobile banking, SWIFT infrastructure, core banking systems, etc.
The final result is not just a report, but an improvement plan with a direct impact on security and business continuity.
What do financial institutions need to consider when implementing TLPT testing requirements?
Implementing TLPT testing in line with TIBER-EU requires multidisciplinary expertise, practical experience in red teaming and a deep understanding of DORA requirements. Financial institutions need specialized teams, ideally with experience in complex projects for central banks, systemic institutions and critical infrastructure operators, as well as expertise in the relevant European regulations, such as DORA, NIS2 and TIBER-EU. Another important aspect is end-to-end operational capability – from defining critical functions and executing attack scenarios, to coordinating teams, analyzing results and developing remediation plans.