DORA Articles 26 & 27: Key Requirements and How Zerberos Can Assist

Introduction

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening the operational resilience of financial entities against ICT-related disruptions. Among its provisions, Articles 26 and 27 set out specific requirements around advanced testing of critical functions and the qualifications of testing teams.

Article 26: Advanced Threat-Led Testing

Article 26 requires financial entities to perform advanced testing, specifically threat-led penetration tests (TLPT), at least once every three years (Digital Operational Resilience Act (DORA), Article 26). These tests must cover critical or important functions and are performed on live production systems, including all underlying ICT systems and outsourced providers (Digital Operational Resilience Act (DORA), Article 26). The scope of the test is validated by the competent authority; pooled testing with third-party providers is possible; credit institutions considered significant must rely on external testers; and internal testers must engage external testers every third test (Digital Operational Resilience Act (DORA), Article 26).

Article 27: Requirements for Testers

Article 27 focuses on the qualifications of the teams that carry out TLPT. Testers must be of the highest suitability and reputability and possess strong technical and organisational expertise in threat intelligence, penetration testing and red-teaming (Digital Operational Resilience Act (DORA), Article 27). They should be certified by an accreditation body and provide independent assurance or audit reports; they must also hold professional indemnity insurance (Digital Operational Resilience Act (DORA), Article 27). When internal testers are used, the competent authority must approve them, verify that they have adequate resources and ensure that conflicts of interest are avoided. Additionally, the threat-intelligence provider must always be external (Art. 27 Requirements for testers for the carrying out of TLPT).

What Do the Tests Include?

DORA’s regulatory technical standards (RTS) expand on Articles 26 and 27 by outlining how TLPT should be executed. The testing programme includes scoping documents that define critical functions, a mandatory purple-team phase that fosters collaboration between defenders and attackers, and detailed reporting to regulators (DORA Penetration Testing & TLPT Requirements Explained). The RTS also imposes a dual-vendor rule: the threat-intelligence provider and the red-team provider must be separate entities (DORA Penetration Testing & TLPT Requirements Explained). Beyond TLPT, DORA encourages a broad range of assessments, methodologies and tools, following a risk-based approach (Chapter IV – Digital operational resilience testing (Art. 24-27)). Vulnerability assessments, configuration reviews and scenario-based exercises complement TLPT to build a comprehensive resilience testing programme.

Target Audience and Responsibilities

The requirements of Articles 26 and 27 apply to a wide range of financial entities regulated under DORA, including banks, insurance companies, investment firms, payment institutions and e-money issuers. Third-party ICT service providers that support critical functions can also fall within the scope. Executives and compliance officers in these organisations must ensure that advanced testing is scheduled at least every three years, that the scope covers all critical functions, and that qualified and independent testers are engaged. They must also coordinate with competent authorities to validate testing scopes and ensure proper reporting.

Why Zerberos Can Assist

Zerberos is a sole proprietorship founded by Andriu Isenring (CISSP), specialising in penetration testing, red-team engagements and threat-intelligence services. I hold recognised certifications and have extensive experience in conducting TLPT for financial institutions. I operate independently and maintain the highest standards of reputability, ensuring compliance with Article 27 requirements. By leveraging separate threat-intelligence and red-team capabilities, I adhere to DORA’s dual-vendor rule. My purple-team approach aligns testers and defenders to maximise learning and resilience. Zerberos is a Swiss company with multilingual capabilities, so I can support organisations across German, English and Italian markets. I deliver clear scoping documents, risk-based testing plans and comprehensive reporting that satisfy regulatory expectations. With a strong focus on operational resilience, Zerberos is a trusted partner to help financial entities meet the stringent requirements of DORA.

Conclusion

DORA Articles 26 and 27 introduce ambitious requirements for advanced testing and the qualifications of testing teams. By mandating regular threat-led penetration tests on live systems and defining strict criteria for testers, the regulation aims to strengthen the operational resilience of the financial sector. Organisations should begin planning their TLPT programmes now, ensuring they engage reputable, certified partners and align their testing scopes with regulatory expectations. As the founder of Zerberos, I offer the expertise, independence and multilingual support needed to navigate this complex landscape and deliver high-quality tests that meet DORA’s standards.