DORA Penetration Testing Providers
Digital Operational Resilience Act · Europe
DORA is the EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector. Effective from January 2025, DORA requires financial entities to implement advanced testing of ICT tools, systems, and processes. Article 26 specifically mandates threat-led penetration testing (TLPT) for significant financial entities, to be conducted at least every three years using frameworks like TIBER-EU.
DORA goes beyond traditional penetration testing requirements by mandating that testing be conducted by qualified, independent testers using threat intelligence to simulate real adversary tactics, techniques, and procedures. The regulation covers banks, insurance companies, investment firms, payment institutions, and ICT third-party service providers to the financial sector.
DORA's TLPT requirements are among the most rigorous in any regulatory framework, requiring testers to demonstrate advanced capabilities in adversary simulation, threat intelligence, and financial sector expertise. Non-compliance can result in significant penalties and regulatory action from financial supervisory authorities.
Particularly relevant for financial services penetration testing providers.
NCC Group
Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.
SECFORCE
Canary Wharf-based adversary simulation and CBEST-aligned penetration testing consultancy, delivering CREST-accredited offensive security to UK financial services and other organisations with the most demanding requirements.
Nettitude
CREST, CHECK, and CBEST accredited UK consultancy within Lloyd's Register, delivering premium penetration testing for government and critical infrastructure.
Pen Test Partners
The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.
PwC Cyber Security
Global Big Four professional services firm delivering CREST, CHECK, and CBEST-accredited penetration testing and red teaming services from London, serving the UK's largest enterprises and regulated organisations.
Dionach
Global enterprise cybersecurity consultancy founded in 1999 in Oxford, holding rare CREST STAR-FS accreditation and delivering penetration testing, red and purple teaming, and PCI QSA services across five international offices.
MDSec
Elite UK offensive security consultancy specialising in CBEST/STAR/TIBER red teaming, advanced adversary simulation, and CREST-accredited penetration testing for FTSE 100 clients.
Bulletproof
CREST-accredited UK cybersecurity and compliance provider offering penetration testing, managed security services, and regulatory consultancy to over 2,000 customers from its Stevenage headquarters.
Thales Cyber Solutions
Cybersecurity division of the Thales Group, with ANSSI, CREST, FedRAMP 3PAO, and NATO-cleared personnel, delivering defence, government, and critical infrastructure penetration testing worldwide.
WithSecure
Helsinki-headquartered Finnish cybersecurity firm with roots dating to 1988, offering CREST-accredited penetration testing and deep expertise in EU regulatory compliance including GDPR, NIS 2, and TIBER-EU.
CovertSwarm
Subscription-based offensive cybersecurity firm delivering continuous cyber attack services with CREST STAR and CBEST accreditations from its London headquarters.
DORA FAQs
What is threat-led penetration testing (TLPT) under DORA?
TLPT under DORA requires realistic adversary simulation based on threat intelligence, targeting live production systems of financial entities. It follows frameworks like TIBER-EU and must be performed by qualified external testers.
Who must comply with DORA's TLPT requirements?
Significant financial entities as identified by supervisory authorities, including major banks, insurance companies, investment firms, and central counterparties.
How often must TLPT be performed under DORA?
DORA requires TLPT at least every three years for entities that meet the significance threshold, with the scope and timing coordinated with financial supervisory authorities.