
DORA Penetration Testing: Art. 24, 26, 27 compliance guide

DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), has applied across the EU since January 17, 2025 and imposes two distinct testing regimes on financial entities. Article 24 requires every in-scope entity to run a digital operational resilience testing programme, drawing on the test types listed in Article 25; Article 26 adds Threat-Led Penetration Testing (TLPT) at least every 3 years for entities designated by their competent authority; Article 27 sets the requirements for the testers who carry out TLPT. This page maps each requirement to actionable testing practice, references the relevant Regulatory Technical Standards (RTS), and shows how Matproof Sentinel supports Article 24 obligations and complements TLPT preparation.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

What DORA actually requires — separating Art. 24 from Art. 26

A common misconception is that DORA « requires pentests » as a single requirement. In reality, DORA imposes two distinct testing regimes with very different scope, frequency, and cost implications. Article 24, applicable to ALL in-scope financial entities other than microenterprises (Art. 24(1)), requires a sound and comprehensive digital operational resilience testing programme whose depth and methodology are proportionate to the entity's size, business and risk profile (the proportionality principle of Art. 4); Art. 25(1) lists the test types the programme draws from (vulnerability assessments and scans, source code reviews, scenario-based tests, performance testing, penetration testing, among others). A small payment institution might satisfy Art. 24 with annual pentests of the systems supporting its critical or important functions. A large bank must perform much more comprehensive testing. Article 26, applicable only to DESIGNATED entities (typically large credit institutions, CCPs, CSDs and systemically important payment institutions, identified by the competent authority under Art. 26(8)), adds TLPT at least every 3 years. This is the « gold standard » test methodology built on TIBER-EU. Reporting differs too: after a TLPT the entity submits a summary of findings, remediation plans and supporting documentation to the competent authority, which issues an attestation (Art. 26(6)), and Article 27 sets the requirements for the testers who carry out the TLPT. Art. 24 standard test results are documented internally, feed the prioritisation and remediation process required by Art. 24(5), and are made available on supervisory request.

  • DORA Art. 24 applies to ALL financial entities in scope — banks, insurance, asset managers, payment institutions, crypto-asset service providers, central counterparties, trade repositories. ~22,000 entities across the EU.
  • DORA Art. 26 (TLPT) applies only to a much narrower designated population — typically a few hundred entities EU-wide, selected by national competent authorities based on systemic criteria.
  • Art. 24 testing must cover « critical or important functions » per DORA Art. 8 — not just internet-facing infrastructure. Internal systems, employee endpoints, third-party integrations are all in scope.
  • Test frequency under Art. 24: Art. 24(6) requires that, at least yearly, appropriate tests are conducted on all ICT systems and applications supporting critical or important functions; the rest of the programme is risk-based and proportionate to the entity's size and risk profile.
  • Art. 24(4) requires tests to be undertaken by independent parties, internal or external; where internal testers are used, the entity must dedicate sufficient resources and avoid conflicts of interest throughout design and execution. Detailed tester requirements exist only for TLPT (Art. 27 and the RTS on TLPT); for standard testing, document the testers' competence yourself.
  • Failure to comply with Art. 24 testing exposes entities to supervisory enforcement, including the administrative penalties and remedial measures that Member States lay down under Art. 50; the management body bears ultimate responsibility for managing ICT risk under Art. 5(2).
  • Art. 26(6) requires that, on completion of a TLPT, the entity provides the competent authority with a summary of the relevant findings, the remediation plans and documentation demonstrating that the test was conducted as required; the authority then issues an attestation.

How Matproof Sentinel maps to DORA test obligations

  • Article 24 programme, penetration testing as listed in Art. 25(1), of internet-facing systems: Sentinel covers OWASP Top 10, OWASP API Top 10, TLS configuration, DNS hygiene, exposed paths, JS-bundle fingerprinting. Output: audit-ready PDF reports.
  • Article 24 — vulnerability assessments: Continuous CVE monitoring against your fingerprinted stack (Next.js, Laravel, Django, etc.) and dependency tree. Email alerts on new CVEs affecting your specific stack.
  • Article 24 — scenario-based testing: Sample-finding cards in each report show realistic attack chains tested against your environment. Reproducible Proof-of-Exploit for each finding.
  • Article 24 — performance and load testing: NOT directly covered by Sentinel. We recommend dedicated tools (k6, Locust, Loader.io) for this aspect.
  • Article 24 — source code review (SAST): Available in Sentinel Growth plan (€799/mo) — AI-driven SAST against your GitHub/GitLab repos.
  • Article 26 — TLPT preparation: Sentinel keeps baseline hygiene high so TLPT red teams find sophisticated issues, not misconfigurations. Sentinel reports inform TLPT scoping by showing what's externally visible.
  • Article 26 — TLPT execution: Sentinel does NOT replace an accredited TLPT provider. We complement them.
  • Art. 24(5) and Art. 26(6), reporting and documentation: Sentinel reports are export-ready (PDF) and include automated mapping to DORA Articles 24/26 requirements, ISO 27001:2022 A.8.29 (security testing in development and acceptance) and NIS2 Art. 21.
  • Continuous evidence: Every scan, every finding, every remediation is logged with timestamps — ready for SREP examination or competent authority requests.
  • What's NOT covered: TLPT red team execution (requires accredited providers), threat intelligence services, incident response playbook exercises, board-level crisis simulations.

Sample finding

Severity: High

DORA Art. 24 finding: outdated dependency with known critical CVE

Sentinel detected the customer's payment platform is running Next.js 14.2.1, which is affected by CVE-2025-29927, a critical authorization bypass in the middleware layer (CVSS 9.1). An unauthenticated attacker can skip middleware entirely by sending a crafted x-middleware-subrequest header, the internal marker Next.js uses to recognise its own middleware sub-requests; wherever authentication or authorization is enforced only in middleware, that exposes every protected route, including the admin panel and the transaction-processing endpoints. The vulnerability was disclosed in March 2025 and patched in Next.js 14.2.25 (15.2.3, 13.5.9 and 12.3.5 on the other release lines). The customer's last documented penetration test was 11 months prior and could not have found this issue because the CVE was disclosed after the test.

Fix: Immediate: upgrade Next.js to ≥14.2.25 (or 15.2.3, 13.5.9, 12.3.5 depending on the pinned major line). If the upgrade cannot ship the same day, drop the x-middleware-subrequest header at the reverse proxy or WAF on all inbound external requests, the stop-gap the upstream advisory recommends. Verify the patch by repeating the bypass against staging (Sentinel provides the verification curl command): a protected route must still answer 401/403 or redirect to login when the header is present. Process: implement automated dependency scanning in CI/CD (Renovate, Dependabot, or Sentinel's continuous scanning) so newly disclosed CVEs are flagged within 24 hours of disclosure, not at the next annual pentest. For DORA Art. 24 compliance: this finding and its remediation must be documented in your ICT risk register and the remediation log required by Art. 24(5); Sentinel auto-generates this documentation.

Reference: CVE-2025-29927 (CVSS 9.1) · DORA Art. 24(5)–(6) and Art. 25(1) · ISO 27001:2022 A.8.8 Management of technical vulnerabilities
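The triage and verification logic behind a finding like this, as an added example that is not Sentinel's code or part of the original page: it resolves the declared Next.js version from a constructed package.json, decides whether it falls below the first patched release of its major line, builds the header for the staging probe, classifies the probe's result, and shows the proxy-side stop-gap. The fixed-version table follows the upstream advisory for CVE-2025-29927; the middleware name in the probe, the staging hostname and the sample package.json are assumptions.

```python
"""Version triage and patch verification for the Next.js middleware-bypass finding.

Added example, not Sentinel's code. FIXED_VERSIONS follows the upstream advisory for
CVE-2025-29927; the probe middleware name, the staging hostname and SAMPLE_PACKAGE_JSON
are assumptions made for illustration.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First patched release on each affected major line (upstream advisory for CVE-2025-29927).
FIXED_VERSIONS = {15: (15, 2, 3), 14: (14, 2, 25), 13: (13, 5, 9), 12: (12, 3, 5)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(spec: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from a version or range spec such as '^14.2.1' or '15.2.3-canary.7'.

    A caret/tilde range resolves to its lower bound, the pessimistic reading for triage;
    the lockfile (or `next --version` on the deployed build) remains authoritative.
    """
    m = _VERSION_RE.search(spec)
    if m is None:
        raise ValueError(f"no semver in {spec!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(spec: str) -> bool:
    """True when the release is below the first patched release of its major line.

    Lines older than 12.x are outside the advisory's fixed-version list and end-of-life;
    they are treated as affected so they get upgraded rather than ignored.
    """
    v = parse_version(spec)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return v[0] < 12
    return v < fixed


def triage_package_json(text: str) -> Optional[dict]:
    """Return the declared `next` version, its affected status and the upgrade target; None if absent."""
    pkg = json.loads(text)
    spec = pkg.get("dependencies", {}).get("next") or pkg.get("devDependencies", {}).get("next")
    if spec is None:
        return None
    v = parse_version(spec)
    fixed = FIXED_VERSIONS.get(v[0])
    return {
        "declared": spec,
        "resolved_min": ".".join(map(str, v)),
        "affected": is_affected(spec),
        "upgrade_to": ".".join(map(str, fixed)) if fixed else "latest supported line",
    }


def bypass_probe_headers(middleware_name: str = "middleware", depth: int = 5) -> dict:
    """Header for the verification request against *staging* (never production).

    The bypass claims the request is already an internal middleware sub-request; the
    vulnerable runtime skips middleware once the recursion marker reaches its depth limit,
    so the value is the middleware name repeated. 'middleware' assumes middleware.ts at
    the project root; a file under src/ is named 'src/middleware'.
    """
    return {"x-middleware-subrequest": ":".join([middleware_name] * depth)}


def classify_probe(status_without: int, status_with: int) -> str:
    """Compare a protected route's status fetched without and with the probe header."""
    denied = status_without in (401, 403) or 300 <= status_without < 400
    if denied and 200 <= status_with < 300:
        return "BYPASS: middleware skipped, patch not applied"
    if denied:
        return "OK: middleware still enforced"
    return "INCONCLUSIVE: route is not protected by middleware, pick one that is"


def strip_internal_headers(headers: dict) -> dict:
    """Proxy-side stop-gap from the advisory: drop the internal header on requests arriving from outside."""
    return {k: v for k, v in headers.items() if k.lower() != "x-middleware-subrequest"}


# Constructed sample: the package.json of the platform in the finding above (assumption).
SAMPLE_PACKAGE_JSON = json.dumps({"name": "payments-web", "dependencies": {"next": "14.2.1", "react": "18.3.1"}})

if __name__ == "__main__":
    print(triage_package_json(SAMPLE_PACKAGE_JSON))
    value = bypass_probe_headers()["x-middleware-subrequest"]
    # curl equivalent of the staging probe; the hostname is an assumption.
    print(f"curl -s -o /dev/null -w '%{{http_code}}' -H 'x-middleware-subrequest: {value}' "
          "https://staging.example.com/admin")
    print(classify_probe(status_without=307, status_with=200))
```

Run the probe twice against the same protected route on staging, once without and once with the header, and feed both status codes to classify_probe; a route that already answers 200 without the header tells you nothing about middleware and is reported as inconclusive. strip_internal_headers is the shape of the edge rule to deploy until the upgrade lands, not a substitute for it.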

DORA Art. 24 testing options

| Capability                               | Free scan         | Matproof Sentinel  | Traditional consultancy |
| Automated scan engine                    | ✓ (3-min preview) | ✓ Full scan        | ✗ Manual only           |
| OWASP Top 10 coverage                    | Partial           | ✓ Complete         | ✓ Complete              |
| Proof-of-exploit evidence                |                   | ✓ Per finding      | ✓ Per finding           |
| Regulatory mapping (DORA/NIS2/ISO 27001) |                   | ✓ Automated        | ✓ Manual                |
| Audit-ready PDF report                   |                   | ✓ Instant          | ✓ 2–4 weeks delivery    |
| Continuous / recurring scans             |                   | ✓ Per deploy       | ✗ Annual engagement     |
| Time to first result                     | ~3 min            | ~30 min full scan  | 2–4 weeks               |
| Price                                    | €0                | From €149          | €8,000–€25,000          |
| Source code review (SAST)                |                   | ✓ On Growth plan   | ✓ Scoped engagement     |
| API testing (REST/GraphQL)               |                   | ✓ Automated        | ✓ Manual                |

(Blank cells: not listed for the free scan in the original comparison.)

Matproof Sentinel for DORA Art. 24

Single Run
€149 one-time
  • 1 full pentest scan
  • AI-prioritized findings with CVSS 3.1
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)
Starter (Recommended)
€299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support
Growth
€799 / month
  • Unlimited scans + domains
  • Authenticated / White-Box testing
  • API & cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about DORA penetration testing

Does my financial entity need to do TLPT?

Only if you're designated by your national competent authority (Art. 26(8)). Designation rests on impact-related factors, financial-stability concerns and the entity's ICT risk profile, detailed further in the RTS on TLPT; in practice that means G-SIIs and O-SIIs, credit institutions classified as significant under the SSM (which uses, among other criteria, a total-assets threshold of €30 bn), and other entities whose services are critical to the financial system. Most financial entities will NOT be designated, but ALL in-scope entities must satisfy the Article 24 standard testing requirements. Check with your national authority (BaFin in DE, ACPR in FR, Banca d'Italia in IT, DNB in NL, the Central Bank of Ireland in IE, etc.) for your specific designation status.

What level of penetration testing satisfies Article 24?

DORA does not define a single test level. Art. 24(6) fixes the floor (at least yearly, all ICT systems and applications supporting critical or important functions) and Art. 25(1) lists the test types the programme draws from; everything above that is risk-based and proportionate. A defensible programme for a mid-sized financial entity: annual external pentest of all internet-facing applications and of the systems behind critical or important functions, quarterly vulnerability assessments, continuous dependency monitoring, and ad-hoc tests after major changes. For larger or systemically important entities: more frequent testing, broader scope, and testing teams segregated from operational staff. Document everything in your ICT risk management framework (DORA Art. 6).

Can automated tools satisfy DORA Article 24?

Partially. Automated tools (like Matproof Sentinel) cover the bulk of Art. 24 requirements: vulnerability scanning, OWASP testing, configuration review, dependency monitoring. They MUST be supplemented with manual penetration testing for: business logic flaws, complex authorization chains, social engineering resistance, scenario-based testing of critical functions. A typical satisfactory program: continuous Sentinel scanning + annual manual pentest from a qualified external provider.

How often must Art. 24 tests be performed?

Art. 24(6) sets the floor: at least yearly for all ICT systems and applications supporting critical or important functions (identified under Art. 8). Higher frequency is warranted (a) after major changes to ICT systems, (b) for entities with prior supervisory findings, (c) for entities classified as systemically important. For TLPT (Art. 26(1)): at least every 3 years for designated entities, and the competent authority may ask for the interval to be shortened or lengthened based on the entity's risk profile. Continuous scanning between formal tests is increasingly expected even where not strictly required.

Who can perform DORA pentests?

Under Art. 24(4), testers must be independent parties: either internal teams structurally separated from operations, or external providers; internal testing additionally requires sufficient dedicated resources and the avoidance of conflicts of interest. DORA does not enumerate certifications for standard testing, so document the competency yourself: demonstrated expertise, professional certifications (OSCP, OSWE, CRT recommended), professional indemnity insurance, clean conflict-of-interest declarations. For Art. 26 (TLPT), Art. 27 imposes stricter tester requirements: highest suitability and reputability, proven technical and organisational capability in threat intelligence, penetration testing and red teaming, certification by an accreditation body or adherence to a formal code of conduct, an independent assurance or audit report on the tester's own risk management, and adequate professional indemnity insurance, with the RTS on TLPT detailing them. The pool of providers meeting these requirements is far narrower.

How do I document DORA pentest evidence?

Document everything: test scope, methodology, findings (with severity), remediation plans, completion timestamps, residual risk acceptance (signed by the accountable executive). Store it in your ICT risk register (DORA Art. 6) for at least 5 years and make it available for supervisory inspection on request. Matproof Sentinel auto-generates this documentation in audit-ready format and exports to compliance platforms (Drata, Vanta, OneTrust). For TLPT specifically: Art. 26(6) requires a summary of the relevant findings, the remediation plans and documentation demonstrating that the test was carried out as required to be provided to the competent authority, which then issues an attestation; the RTS on TLPT prescribes the reporting structure.

What if we use a critical third-party ICT service provider?

DORA Art. 28(3) imposes a separate « register of information » obligation covering all contractual arrangements with ICT third-party providers, and Art. 30(3) requires contracts supporting critical or important functions to grant access, inspection and audit rights and to oblige the provider to participate and fully cooperate in your TLPT. Practically: for TLPT (designated entities), Art. 26(3) requires in-scope ICT third-party providers to take part, and Art. 26(4) allows pooled testing where one provider serves several entities. For Art. 24 standard testing: include third-party-provided functions where they support critical or important operations. Matproof Sentinel can be used to test SaaS providers in your supply chain only where you hold the provider's written authorization; scanning a third party's infrastructure without it is unauthorized access, whatever the regulatory driver.

What are the penalties for DORA non-compliance on testing?

Penalties are laid down by each Member State under DORA Art. 50 and vary by jurisdiction; DORA itself fixes an amount only for critical ICT third-party providers (periodic penalty payments of up to 1% of average daily worldwide turnover, Art. 35), not for financial entities. Expect administrative fines and remedial measures, and management-body accountability under Art. 5 and national law for « grossly negligent » failures. Supervisory enforcement can include mandatory remediation plans, restricted activities and increased supervisory examination frequency. More importantly: a supervisor that loses confidence in your operational resilience may escalate scrutiny across all DORA pillars (risk management, incident reporting, third-party risk), creating sustained operational burden.


Start your DORA Art. 24 testing today

Get a baseline scan in 3 minutes, full DORA-mapped pentest report in 30-60 minutes. Audit-ready, with explicit mapping to Art. 24 requirements.
