Introduction: DORA Is Here

On January 17, 2025, the Digital Operational Resilience Act (DORA) became applicable across the European Union. For financial entities and their service providers, this means one critical requirement is now in effect: annual penetration testing under Article 24. If you haven't started planning your DORA pentesting program, the time is now.

This guide walks you through exactly what DORA requires, who must comply, what your testing must cover, and how to implement an effective pentesting program without breaking your budget or diverting security resources.

What Is DORA and Why Does It Matter?

DORA stands for the Digital Operational Resilience Act. It's an EU regulation that sets mandatory ICT (Information and Communications Technology) security testing and incident reporting requirements for financial entities. The regulation applies to:

  • Banks and credit institutions
  • Investment firms and asset managers
  • Insurance and reinsurance undertakings
  • Payment institutions and e-money institutions
  • Cryptocurrency exchange providers
  • Central counterparties and trading venues
  • ICT third-party service providers supporting critical or important functions for the above

In simple terms: if you provide financial services in the EU or support critical ICT functions for financial entities, DORA applies to you.

DORA Article 24: Annual Penetration Testing Requirements

Article 24 is the core penetration testing requirement under DORA. It mandates that every in-scope financial entity conduct at least one penetration test per year. Here's what you need to know:

The Baseline Requirement

Article 24 requires financial entities to conduct advanced, independent penetration testing on at least an annual basis. The test must be:

  • Comprehensive - covering your entire ICT estate, infrastructure, and critical systems
  • Realistic - simulating genuine attack scenarios and advanced threat techniques
  • Independent - conducted by external testers or internal teams without conflict of interest
  • Documented - with detailed findings, proof of concept demonstrations, and remediation guidance

Scope and Coverage

Your annual pentesting must cover:

  • All critical ICT systems and infrastructure
  • Internet-facing applications and APIs
  • Internal systems and lateral movement paths
  • Endpoints, servers, and network infrastructure
  • Third-party integrations and dependencies
  • Authentication mechanisms and credential handling
  • Business logic and application-level vulnerabilities

The test should not be limited to simple vulnerability scanning. It must include real exploitation attempts to verify that vulnerabilities can actually be exploited in your environment.

Timing and Frequency

DORA Article 24 specifies that testing must be conducted at least annually. However, many financial entities are moving toward more frequent testing (quarterly or even monthly) for their most critical systems to maintain continuous security awareness and catch issues earlier.

What SQUR Covers: Web Application and API Pentesting

Important: Scope and Limitations

SQUR is a web application and API pentesting platform. We support DORA Article 24 annual penetration testing for your web-facing applications, APIs, and browser-accessible services. This includes testing for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities.

What SQUR does not cover: internal network pentesting, endpoint security testing, physical security assessments, social engineering campaigns, and TLPT (Threat-Led Penetration Testing) under Articles 26 - 27. If your DORA compliance program requires these additional testing types, you will need to complement SQUR with other providers.

For most financial entities, web applications and APIs represent the largest external attack surface and the most common entry point for attackers. SQUR covers this critical layer comprehensively and cost-effectively.

Who Must Comply With DORA Article 24?

DORA Article 24 pentesting requirements apply to:

In-Scope Financial Entities

All financial entities regulated under DORA must conduct annual pentesting. This includes:

  • Banks (large and small)
  • Investment firms and portfolio managers
  • Insurance companies (direct insurers and reinsurers)
  • Payment service providers
  • E-money institutions
  • Crypto asset service providers
  • Trading venues and market operators

ICT Third-Party Service Providers

If you're a service provider (cloud provider, software vendor, managed security services provider, etc.) that handles critical or important ICT functions for a financial entity, DORA applies to you as well. You may be contractually obligated by your financial institution customers to meet DORA requirements, including annual pentesting.

The DORA Pentesting Timeline

Here's what you need to know about timing:

  • Applicable Since: January 17, 2025
  • First Test Due: By January 17, 2026 (annual requirement starting from the date of applicability)
  • Ongoing Requirement: At least annually thereafter
  • Documentation: Results must be documented and available for regulatory review

If you haven't conducted your first DORA Article 24 pentest yet, you're in the window now. Planning and executing your annual test before the end of 2026 is essential to demonstrate compliance with regulators.

What Should Your DORA Pentesting Process Look Like?

Step 1: Define Scope and Objectives

Before your pentest begins, clearly define:

  • Which systems and infrastructure must be tested (critical ICT systems)
  • Which systems are out of scope (regulatory, security, business reasons)
  • Specific objectives (identify vulnerabilities, test incident response, validate controls)
  • Testing parameters (destructiveness, timing, access levels)

Step 2: Conduct Comprehensive Testing

Your pentest should include:

  • External testing (internet-facing assets, email phishing, physical security)
  • Internal testing (lateral movement, privilege escalation, data exfiltration)
  • Application testing (OWASP Top 10, business logic flaws, authentication bypass)
  • Infrastructure testing (network segmentation, cloud misconfigurations, supply chain risks)
  • Social engineering assessment (phishing, pretexting, physical access)

Step 3: Document Findings Thoroughly

DORA requires detailed documentation of:

  • All vulnerabilities discovered, with severity ratings
  • Proof of concept demonstrations showing successful exploitation
  • Business impact assessment for each finding
  • Recommended remediation actions
  • Timeline for fixes

Step 4: Remediate and Retest

After the initial test:

  • Prioritize vulnerabilities by severity and exploitability
  • Develop remediation plans with clear ownership and deadlines
  • Implement fixes
  • Conduct retesting to verify vulnerabilities have been resolved
  • Document all remediation efforts

Step 5: Report and Archive

Create compliance-ready reports that include:

  • Executive summary for board/leadership review
  • Detailed technical findings with mapped severity
  • DORA-specific compliance statements
  • Remediation status and timelines
  • Recommendations for ongoing security improvements

How Autonomous Pentesting Simplifies DORA Compliance

Speed and Efficiency

Traditional pentesting for DORA compliance can take 3 - 6 weeks of manual work, requiring coordination across your security teams and external testers. Autonomous pentesting platforms can deliver comprehensive Article 24 assessments in 24 hours, allowing you to:

  • Conduct testing on your schedule without lengthy vendor coordination
  • Test more frequently throughout the year to maintain security posture
  • Retest faster after fixes are implemented
  • Meet regulatory deadlines with confidence

Cost Reduction

Manual pentesting for DORA Article 24 can cost €10,000 - €30,000+ per test. Autonomous platforms reduce this cost by 80% or more, making regular security assessments financially feasible for mid-market and smaller financial institutions. This means you can afford:

  • Multiple tests per year instead of just meeting the minimum annual requirement
  • Comprehensive coverage of your web applications and APIs
  • Unlimited retesting after fixes without additional costs

Deep Web and API Coverage

SQUR uses a multi-agent AI architecture to systematically explore your web applications and APIs. It doesn't rely on manual testers' time or judgment, so it can:

  • Test all your web applications and API endpoints comprehensively
  • Perform real exploitation (not just vulnerability detection)
  • Identify complex vulnerabilities like business logic flaws, authentication bypass, injection attacks, IDOR, SSRF, and privilege escalation
  • Cover the OWASP Top 10 and beyond with advanced attack techniques

Compliance-Ready Reporting

Autonomous pentesting platforms deliver reports specifically designed for regulatory review, including:

  • DORA-specific compliance statements
  • Findings mapped to regulatory requirements
  • Executive reports for board review
  • Detailed technical reports for remediation teams
  • Evidence of testing for audit and regulatory files

Key Differences: DORA Article 24 vs. TLPT (Articles 26 - 27)

It's important to understand that DORA includes two distinct pentesting requirements. Here's how they differ:

Requirement         | Article 24 (Annual Testing)         | TLPT (Articles 26 - 27)
--------------------|-------------------------------------|------------------------------------------------------------------------
Applies To          | All financial entities in scope     | Large financial entities only
Frequency           | Minimum annually                    | Biennial (every 2 years), with annual updates
Testing Type        | Penetration testing of ICT systems  | Testing of security measures, incident response, and crisis management
Authority Approval  | No prior notification required      | Requires prior notification and approval from competent authorities
Coordination        | Can be conducted independently      | Coordinated with regulators and authorities
SQUR Support        | ✓ Fully supported                   | ✗ Not currently supported

Important Note: SQUR supports Article 24 annual penetration testing for web applications and APIs. For internal network testing, infrastructure pentesting, or TLPT under Articles 26 - 27, please contact us to discuss your specific needs or consider complementing SQUR with additional providers.

Common Challenges and How to Address Them

Challenge: Limited In-House Security Resources

Solution: Use autonomous pentesting platforms that don't require specialized security expertise. Your team can configure tests and review results without needing a dedicated offensive security team.

Challenge: Testing Disruption to Production Systems

Solution: Autonomous platforms allow you to define precise scope boundaries, test timing, and impact levels. You can schedule tests during maintenance windows or test in staging environments that mirror production.

Challenge: Cost of Multiple Tests per Year

Solution: Autonomous pentesting is 80% cheaper than traditional methods, making quarterly or monthly testing financially feasible. This maintains better security posture than a single annual test.

Challenge: Keeping Up With Regulatory Changes

Solution: Work with vendors whose platforms are actively updated for regulatory requirements. SQUR maintains DORA compliance mapping and updates reporting templates as regulations evolve.

Getting Started With DORA Article 24 Pentesting

If you haven't started your DORA Article 24 pentesting program, here's your action plan:

Month 1: Planning Phase

  • Identify all systems in scope for DORA (critical ICT functions)
  • Determine testing approach: autonomous, manual, or hybrid
  • Define your testing schedule and frequency
  • Select a pentesting provider or solution

Month 2 - 3: Execution Phase

  • Configure scope and parameters
  • Conduct your first DORA Article 24 pentest
  • Review findings with your security and compliance teams
  • Develop remediation plans

Month 4 - 6: Remediation Phase

  • Implement fixes for identified vulnerabilities
  • Conduct retesting to verify remediation
  • Update your incident response procedures based on test results
  • Generate final compliance-ready report

Ongoing: Maintenance Phase

  • Schedule testing at least annually to maintain DORA compliance
  • Consider quarterly or monthly testing for critical systems
  • Update scope as your infrastructure changes
  • Archive reports for regulatory review and audit purposes

What to Look for in a DORA Pentesting Solution

When evaluating pentesting tools or services for DORA Article 24 compliance, prioritize:

Real Exploitation Capabilities

Look for more than vulnerability detection: the tool must be able to actually exploit the vulnerabilities it finds, so that each reported finding is proven to be a real security risk in your environment rather than a scanner false positive.

Compliance-Ready Reporting

Reports should include DORA-specific compliance language, findings mapped to regulatory requirements, and executive summaries suitable for board review.

Scope Control

Granular control over what gets tested, how it's tested, and impact levels to prevent disruption to your production systems.

Retest Capabilities

Unlimited or affordable retesting so you can verify that vulnerabilities have been fixed without breaking your budget.

Speed and Cost-Effectiveness

Fast turnaround (days, not weeks) and affordable pricing that allows regular testing beyond the minimum annual requirement.

EU Data Residency and Privacy

For financial institutions handling sensitive customer data, ensure the solution complies with GDPR and keeps data within the EU.

Final Thoughts: DORA Article 24 Is Your Security Baseline

DORA Article 24 annual pentesting is no longer optional for European financial entities - it's a regulatory requirement. But rather than seeing it as a compliance checkbox, use it as an opportunity to systematically test and improve your security posture.

The most successful financial institutions are those that:

  • Test early and often (not just once per year)
  • Act quickly on findings to close vulnerabilities before attackers find them
  • Use testing results to inform security strategy and resource allocation
  • Maintain detailed audit trails for regulatory review

With autonomous pentesting platforms like SQUR handling your web application and API security testing, you can cover the most exposed part of your attack surface quickly and affordably. For a complete DORA Article 24 program, combine this with network and infrastructure testing from specialized providers to achieve full coverage.

Ready to implement your DORA Article 24 pentesting program? Explore how SQUR helps financial entities meet DORA requirements →