DORA Penetration Testing Providers
Digital Operational Resilience Act · Europe
DORA (Regulation (EU) 2022/2554) is the EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector. Applicable from 17 January 2025, DORA requires financial entities to carry out advanced testing of their ICT tools, systems and processes. Article 26 specifically mandates threat-led penetration testing (TLPT) for financial entities identified by their competent authorities, to be carried out on live production systems at least every three years and in line with the TIBER-EU framework.
DORA goes beyond traditional penetration testing requirements: TLPT must be conducted by qualified testers who use threat intelligence to simulate the tactics, techniques and procedures of real adversaries, with the threat intelligence sourced from a provider external to the entity and conflicts of interest between testers and the systems under test avoided. The regulation covers banks, insurance companies, investment firms, payment institutions and other financial entities, and brings critical ICT third-party service providers to the financial sector within its oversight framework.
DORA's TLPT requirements are among the most demanding in any regulatory framework. Article 27 requires testers to be of the highest suitability and reputability, to hold technical and organisational capability and specific expertise in threat intelligence, penetration testing and red teaming, to be certified by an accreditation body or bound by a formal code of conduct, to provide independent assurance over how they manage the risks of testing, and to carry professional indemnity insurance. Non-compliance can result in administrative penalties and remedial measures imposed by the competent financial supervisory authorities.
Bulletproof
CREST-accredited UK cybersecurity and compliance provider offering penetration testing, managed security services, and regulatory consultancy to over 2,000 customers from its Stevenage headquarters.
CovertSwarm
Subscription-based offensive cybersecurity firm delivering continuous cyber attack services with CREST STAR and CBEST accreditations from its London headquarters.
CyberLab
Cardiff-based CREST and CHECK-accredited cyber security company delivering penetration testing, red teaming, and OT security assessments as part of the Chess Group.
Dionach
Global enterprise cybersecurity consultancy founded in 1999 in Oxford, holding rare CREST STAR-FS accreditation and delivering penetration testing, red and purple teaming, and PCI QSA services across five international offices.
MDSec
Elite UK offensive security consultancy specialising in CBEST/STAR/TIBER red teaming, advanced adversary simulation, and CREST-accredited penetration testing for FTSE 100 clients.
NCC Group
Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.
Nettitude
CREST, CHECK, and CBEST accredited UK consultancy within Lloyd's Register, delivering premium penetration testing for government and critical infrastructure.
Pen Test Partners
The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.
PwC Cyber Security
Global Big Four professional services firm delivering CREST, CHECK, and CBEST-accredited penetration testing and red teaming services from London, serving the UK's largest enterprises and regulated organisations.
RedSecLabs
CREST-certified and PCI QSA penetration testing consultancy in London, delivering offensive security and compliance services across 25+ countries with research-driven expertise.
SEC Consult
Leading European cybersecurity consultancy from Vienna with a prolific vulnerability research program and deep expertise in IoT and embedded systems security.
SECFORCE
Leading UK offensive security consultancy based in Canary Wharf, delivering CREST-accredited penetration testing and adversary simulation to organisations with the most demanding security requirements.
WithSecure
Leading European cybersecurity firm offering penetration testing with deep expertise in EU regulatory compliance including GDPR, NIS 2, and TIBER-EU.
DORA FAQs
What is threat-led penetration testing (TLPT) under DORA?
TLPT under DORA is intelligence-led red teaming: it simulates the tactics, techniques and procedures of real threat actors against the live production systems that support a financial entity's critical or important functions. It follows the TIBER-EU framework and must be performed by testers meeting the requirements of Article 27. Threat intelligence must come from an external provider; internal testers may be used only with supervisory approval, and credit institutions classified as significant must use external testers.
Who must comply with DORA's TLPT requirements?
Financial entities identified by their competent authorities on the basis of impact-related factors, possible financial stability concerns and their specific ICT risk profile, including major banks, insurance companies, investment firms and central counterparties.
How often must TLPT be performed under DORA?
DORA requires TLPT at least every three years for identified entities. The competent authority may ask an entity to increase or reduce this frequency based on its risk profile or operational circumstances, and the scope of each test is agreed with the authority, which issues an attestation once the test is completed.