Penetration Testing
A simulated cyberattack against a system, network, or application to evaluate its security. Penetration testing identifies vulnerabilities that could be exploited by real attackers and is required under DORA's digital operational resilience testing framework.
Penetration testing is a security assessment in which authorized testers, working under a written scope and rules of engagement, attempt to exploit vulnerabilities in systems, networks, or applications using the same techniques a real attacker would use. Unlike a vulnerability scan, which only reports potential weaknesses, a penetration test actually exploits them to demonstrate impact (for example, which data or systems an attacker could reach). The goal is to find and fix security weaknesses before they are exploited in a real attack.
DORA requires financial entities to include penetration testing in their digital operational resilience testing programme (Articles 24-27). Testing of ICT systems and applications that support critical or important functions must be carried out at least yearly (Article 24), and entities identified by their competent authorities must additionally undergo threat-led penetration testing (TLPT) at least every three years (Article 26). Depending on the entity's size, risk profile and services, tests should cover network security, application security, physical security, social engineering, and wireless security.
Penetration testing results feed directly into the risk management process, with identified vulnerabilities requiring documented remediation plans and follow-up testing to verify fixes. For DORA compliance, test results and remediation evidence must be maintained and available for supervisory review.
Related Terms
TLPT (Threat-Led Penetration Testing)
An advanced form of security testing required by DORA Articles 26-27 for financial entities identified by their competent authorities. TLPT uses current threat intelligence to simulate the tactics of realistic adversaries against live production systems, testing the organization's detection, response, and recovery capabilities rather than only the presence of individual vulnerabilities.
Vulnerability Management
The continuous process of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Effective vulnerability management is a key requirement of DORA, ISO 27001, and SOC 2 to maintain system security and operational resilience.
DORA (Digital Operational Resilience Act)
An EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. DORA became mandatory on January 17, 2025, and applies to banks, insurance companies, investment firms, and their critical ICT service providers.