{"id":157689,"date":"2024-07-23T15:09:09","date_gmt":"2024-07-23T13:09:09","guid":{"rendered":"https:\/\/www.fma.gv.at\/?page_id=157689"},"modified":"2025-09-22T11:31:59","modified_gmt":"2025-09-22T09:31:59","slug":"dora-digital-operational-resilience-testing","status":"publish","type":"page","link":"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-digital-operational-resilience-testing\/","title":{"rendered":"DORA &#8211; Digital operational resilience testing"},"content":{"rendered":"<?xml encoding=\"utf-8\" ?><div class=\"wp-block-cover\"><img loading=\"lazy\" decoding=\"async\" width=\"1700\" height=\"716\" class=\"wp-block-cover__image-background wp-image-50880\" alt=\"\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-Testen-der-digitalen-operationalen-Resilienz.jpg\" data-object-fit=\"cover\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-Testen-der-digitalen-operationalen-Resilienz.jpg 1700w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-Testen-der-digitalen-operationalen-Resilienz-320x135.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-Testen-der-digitalen-operationalen-Resilienz-640x270.jpg 640w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-Testen-der-digitalen-operationalen-Resilienz-1536x647.jpg 1536w\" sizes=\"auto, (max-width: 1700px) 100vw, 1700px\" \/><span aria-hidden=\"true\" class=\"wp-block-cover__background has-background-dim\" style=\"background-color:#6f6f72\"><\/span><div class=\"wp-block-cover__inner-container is-layout-constrained wp-block-cover-is-layout-constrained\">\n<p class=\"has-text-align-right has-medium-font-size wp-block-paragraph\"><strong>Digital operational resilience testing<\/strong><\/p>\n<\/div><\/div><div style=\"height:20px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div><p class=\"wp-block-paragraph\">The requirements regarding digital operational resilience tests cover the general testing programme that all financial entities are required to observe and threat-led penetration testing (TLPT), which is conducted on live production systems and only applies to financial entities that meet individual prescribed criteria.<\/p><h2 class=\"wp-block-heading\">General testing programme<\/h2><p class=\"wp-block-paragraph\">Financial entities draw up comprehensive programmes for testing their digital operational resilience, for example containing vulnerability assessments and scans, gap analyses, source code reviews, scenario-based tests or penetration tests.<\/p><p class=\"wp-block-paragraph\">The tests are conducted by independent internal or external parties. Where a test is conducted internally, sufficient resources are to be made available, and it must be ensured that no conflicts of interest arise for the duration of the entire test.<\/p><p class=\"wp-block-paragraph\">All identified weaknesses are prioritised, classified and remedied.<\/p><p class=\"wp-block-paragraph\">Appropriate tests are conducted on all ICT systems and applications supporting critical or important functions at least yearly.<\/p><h2 class=\"wp-block-heading\">Threat-Led Penetration Testing<\/h2><p class=\"wp-block-paragraph\">Significant financial entities are required to conduct threat-led penetration tests. Such tests &ndash; including those conducted in a production environment &ndash; focus on the entity&rsquo;s core IT systems.<\/p><p class=\"wp-block-paragraph\">The specific methodology to be applied for such tests under DORA is based on the TIBER-EU framework. 
TIBER stands for &ldquo;Threat Intelligence-Based Ethical Red Teaming&rdquo; and is being implemented in Austria by&nbsp;<a href=\"https:\/\/www.fma.gv.at\/en\/tiber-at\/\">TIBER-AT<\/a>.<\/p><h2 class=\"wp-block-heading\">Information about ICT tests pursuant to Article 25 (1) DORA<\/h2><p class=\"wp-block-paragraph\">Under Article 25 (1) DORA, financial entities are expected to conduct various types of tests (e.&#8239;g. vulnerability assessments and scans, network security assessments, source code reviews, performance testing, end-to-end testing and penetration testing).<\/p><p class=\"wp-block-paragraph\">Such tests apply to all financial entities falling within the scope of DORA, although the depth and frequency of such tests depend on the entity&rsquo;s size and complexity, its general risk profile, the criticality of the ICT systems in question, usage of outsourcing or cloud services, material changes to the ICT infrastructure as well as the remediation of incidents (risk-based approach, see Article 4 (2) DORA).<\/p><h3 class=\"wp-block-heading\">Recognised Standards and Accreditation<\/h3><p class=\"wp-block-paragraph\">DORA does not refer to specific standards or frameworks. The FMA is therefore unable to make specific recommendations for implementation based on a specific standard.<\/p><p class=\"wp-block-paragraph\">Requirements regarding testers are defined in Article 24 (4) DORA in particular. 
There is no Austria-specific DORA accreditation for testers for testing pursuant to Article 25 DORA.<\/p><h3 class=\"wp-block-heading\">Frequency of Testing<\/h3><p class=\"wp-block-paragraph\">The corresponding requirements in DORA include:<\/p><ul class=\"wp-block-list\">\n<li>a risk-based approach: Testing should be commensurate with the entity&rsquo;s risk profile.<\/li>\n\n\n\n<li>event-based triggers: Following larger changes, incidents or upgrades in relation to ICT.<\/li>\n\n\n\n<li>testing conducted at least annually: for critical systems and services.<\/li>\n\n\n\n<li>TLPT (threat-led penetration testing): expected to be conducted every three years for entities that have been classified as critical.<\/li>\n<\/ul><h3 class=\"wp-block-heading\">Evidential and documentation requirements<\/h3><p class=\"wp-block-paragraph\">Supervisory expectations under Article 25 DORA include, for example:<\/p><ul class=\"wp-block-list\">\n<li>testing plans and definition of scope<\/li>\n\n\n\n<li>rules for conducting tests (especially for penetration testing)<\/li>\n\n\n\n<li>detailed reports with outcomes, severities and remediation actions<\/li>\n\n\n\n<li>proof that vulnerabilities have been remedied<\/li>\n<\/ul><p class=\"wp-block-paragraph\">Since testing may be conducted by independent internal or external parties, third-party certificates are acceptable, provided that the provider is independent and suitably qualified.<\/p><p class=\"wp-block-paragraph\">Entities must retain documentation and make it available to the competent authorities upon request.<\/p><h2 class=\"wp-block-heading\" id=\"dora-testen\">Questions and Answers<\/h2><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a23805c5429a\">    <h3 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a23805c5429a\" aria-expanded=\"false\" 
aria-controls=\"collapse-heading-6a23805c5429a\">        <span>Which financial entities are required to conduct Threat-Led Penetration Tests?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h3>  <\/div>  <div id=\"collapse-heading-6a23805c5429a\" class=\"collapse\" aria-labelledby=\"heading-6a23805c5429a\">    <div class=\"card-body\"><p>The DORA Regulation (DORA) stipulates the criteria for identifying financial entities required to conduct TLPT. They comprise impact-related factors, possible financial stability concerns, the specific ICT risk profile and the level of ICT maturity of the financial entity (Article 26 (8) DORA).<\/p>\n<p>Article 2 of <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=OJ:L_202501190\" class=\"external\" target=\"_blank\" rel=\"noopener\">Delegated Regulation (EU) 2025\/1190<\/a>&nbsp;specifies these criteria more closely.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a23805c54380\">    <h3 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a23805c54380\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a23805c54380\">        <span>Is Threat-Led Penetration Testing required to be completed during the first year or within the first three years?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h3>  <\/div>  <div id=\"collapse-heading-6a23805c54380\" class=\"collapse\" aria-labelledby=\"heading-6a23805c54380\">    <div class=\"card-body\"><p>Generally, a TLPT must be conducted within a three-year window from January 2025 (for example between 17 January 2025 and 16 January 2028). 
To avoid extreme strain, where possible (although TLPT and IT audits are conducted by different teams) a collision check will be conducted against ongoing IT audits at the institution.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a23805c5444c\">    <h3 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a23805c5444c\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a23805c5444c\">        <span>Will the obligation of a parent undertaking to conduct TLPT also be extended to (especially small) subsidiaries, and if yes, how will this obligation be transferred to them?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h3>  <\/div>  <div id=\"collapse-heading-6a23805c5444c\" class=\"collapse\" aria-labelledby=\"heading-6a23805c5444c\">    <div class=\"card-body\"><p>Generally, all subsidiaries are also obliged to conduct TLPT, although under certain circumstances they may be excluded from having to do so by the competent authority. Based on proportionality considerations, this will also depend in particular on the size and systemic bearing of the subsidiary institutions within the respective member state.<\/p>\n<p>In addition, the (non-)inclusion of subsidiaries in TLPT also depends on scoping in the preparation for testing. The parent institution&rsquo;s control team prepares the scoping document, which the competent TIBER test manager then releases in consultation with the competent authority. The added value of also including smaller subsidiary institutions within the same member state in the scoping of the TLPT is expected to be low, especially where they use the same IT infrastructure as the parent institution. 
Ultimately the (non-)inclusion of subsidiaries always remains a case-by-case decision.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a23805c544fb\">    <h3 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a23805c544fb\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a23805c544fb\">        <span>Do more precise interpretation notes exist that explain for which entities it would be disproportionate to conduct penetration tests?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h3>  <\/div>  <div id=\"collapse-heading-6a23805c544fb\" class=\"collapse\" aria-labelledby=\"heading-6a23805c544fb\">    <div class=\"card-body\"><p>The TLPT as an advanced penetration test in accordance with Article 26 DORA is considered a sophisticated methodology for identifying a financial undertaking&rsquo;s cybersecurity vulnerabilities. However, the TLPT is also very resource-intensive.<\/p>\n<p><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=OJ:L_202501190\" class=\"external\" target=\"_blank\" rel=\"noopener\">Delegated Regulation (EU) 2025\/1190<\/a> specifies the requirements set out in Articles&nbsp;26 and 27 DORA. 
Material criteria for identifying which entities are required to conduct TLPTs are the entity&rsquo;s systemic relevance, its impact on financial stability, its ICT risk profile and maturity as well as technological characteristics.<\/p>\n<p>Please see the following question regarding regular penetration tests.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a23805c545a1\">    <h3 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a23805c545a1\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a23805c545a1\">        <span>Are penetration tests pursuant to Article 25 (1) DORA optional as the formulation &ldquo;such as&rdquo; refers to a list of examples, and therefore follows the principle of proportionality?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h3>  <\/div>  <div id=\"collapse-heading-6a23805c545a1\" class=\"collapse\" aria-labelledby=\"heading-6a23805c545a1\">    <div class=\"card-body\"><p>The tests listed in Article&nbsp;25 (1) DORA are to be understood as examples. All financial entities are not expected to conduct all the tests listed therein. Every institution&rsquo;s testing programmes should, however, be designed in accordance with the principle of proportionality.<\/p>\n<p>While the rules stated in Articles 24 and 25 DORA generally apply to all financial entities, advanced testing of ICT tools, systems and processes based on TLPT is only required to be conducted by selected financial entities, which are informed by the FMA in a timely manner.<\/p>\n<p>TLPT is defined in Article 3 (17) DORA as: &ldquo;threat-led penetration testing&rdquo;. TLPT means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat. 
TLPT delivers a controlled, bespoke, intelligence-led (red team) test of the respective financial entity&rsquo;s critical live production systems.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a23805c54643\">    <h3 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a23805c54643\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a23805c54643\">        <span>To what extent would it be possible to use internal &ldquo;red teaming&rdquo; for TLPT at the authorities&rsquo; request?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h3>  <\/div>  <div id=\"collapse-heading-6a23805c54643\" class=\"collapse\" aria-labelledby=\"heading-6a23805c54643\">    <div class=\"card-body\"><p><!-- wp:paragraph --><\/p>\n<p>In any case, it is necessary to highlight that only external &ldquo;red teaming&rdquo; is intended pursuant to Article 26 (8) DORA for significant institutions under the SSM Regulation definition. This paragraph also defines that financial entities that make use of internal testers must contract external testers for every third test. For further information please consult: <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=OJ:L_202501190\" class=\"external\" target=\"_blank\" rel=\"noopener\">Delegated Regulation (EU) 2025\/1190<\/a>.<\/p>\n<p><!-- \/wp:paragraph --><\/p>    <\/div>  <\/div><\/div><p class=\"wp-block-paragraph\">The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. 
These &ldquo;Questions and Answers&rdquo; do not constitute the FMA&rsquo;s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&amp;As) of the three European Supervisory Authorities (EBA &ndash; European Banking Authority, ESMA &ndash; European Securities and Markets Authority, and EIOPA &ndash; European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to its up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.<\/p><h2 class=\"wp-block-heading\">Legal bases<\/h2><p class=\"wp-block-paragraph\">Information regarding the legal bases for DORA can be found on the FMA&rsquo;s <a href=\"https:\/\/fma.gv.at\/dora-digitale-operationale-resilienz-im-finanzsektor\/#dora-law\" target=\"_blank\" rel=\"noreferrer noopener\">&ldquo;<\/a><a href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/\" target=\"_blank\" rel=\"noreferrer noopener\">DORA &ndash; Digital Operational Resilience in the Financial Sector&rdquo;<\/a> web page.<\/p><section class=\"page-teaser\"><div class=\"container\"><div class=\"row\"><div class=\"col-12 custom-height\"><h2>Further Information about DORA<\/h2><hr><\/div><\/div><div class=\"row\"><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Landingpage.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" 
srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Landingpage.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Landingpage-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Landingpage-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/\">DORA &ndash; Digital operational resilience in the financial sector<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1700\" height=\"716\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-IKT-Risikomanagement-2.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-IKT-Risikomanagement-2.jpg 1700w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-IKT-Risikomanagement-2-320x135.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-IKT-Risikomanagement-2-640x270.jpg 640w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Cover-DORA-Webseite-1700x716-DORA-IKT-Risikomanagement-2-1536x647.jpg 1536w\" sizes=\"auto, (max-width: 1700px) 100vw, 1700px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-ict-risk-management\/\">DORA &ndash; ICT Risk Management<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" 
src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-IKT-bezogene-Vorfaelle-2.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-IKT-bezogene-Vorfaelle-2.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-IKT-bezogene-Vorfaelle-2-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-IKT-bezogene-Vorfaelle-2-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-ict-related-incidents\/\">DORA &ndash; ICT-related incidents<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Management-des-IKT-Drittparteienrisikos.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Management-des-IKT-Drittparteienrisikos.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Management-des-IKT-Drittparteienrisikos-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Management-des-IKT-Drittparteienrisikos-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-managing-of-ict-third-party-risk\/\">DORA &ndash; Managing of ICT third-party risk<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 
col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Ueberwachungsrahmen-kritischer-IKT-Drittdienstleister-2.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Ueberwachungsrahmen-kritischer-IKT-Drittdienstleister-2.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Ueberwachungsrahmen-kritischer-IKT-Drittdienstleister-2-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Ueberwachungsrahmen-kritischer-IKT-Drittdienstleister-2-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-oversight-framework-of-critical-ict-third-party-service-providers\/\">DORA &ndash; Oversight framework of critical ICT third-party service providers<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Informationsaustausch-2.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Informationsaustausch-2.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Informationsaustausch-2-320x107.jpg 320w, 
https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Informationsaustausch-2-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-exchange-of-information-and-contingency-exercises\/\">DORA &ndash; Exchange of information and contingency exercises<\/a><\/h3><\/div><hr><\/div><\/div><\/div><\/div><\/section>\n","protected":false},"excerpt":{"rendered":"<p>The requirements regarding digital operational resilience tests cover the general testing programme that all financial entities are required to observe &#8230;<\/p>\n","protected":false},"author":20,"featured_media":50887,"parent":52247,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"landing-page.php","meta":{"inline_featured_image":false,"footnotes":""},"class_list":["post-157689","page","type-page","status-publish","has-post-thumbnail","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>DORA - Digital operational resilience testing - FMA \u00d6sterreich<\/title>\n<meta name=\"description\" content=\"Information about requirements for digital operational resilience testing for the general testing programme and threat-led penetration testing (TLPT)\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-digital-operational-resilience-testing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DORA - Digital operational resilience testing - FMA \u00d6sterreich\" \/>\n<meta property=\"og:description\" content=\"Information about requirements for digital operational resilience 
testing for the general testing programme and threat-led penetration testing (TLPT)\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-digital-operational-resilience-testing\/\" \/>\n<meta property=\"og:site_name\" content=\"FMA \u00d6sterreich\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-22T09:31:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Testen-der-digitalen-operationalen-Resilienz-3.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1320\" \/>\n\t<meta property=\"og:image:height\" content=\"440\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@FMA_AT\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/dora\\\/dora-digital-operational-resilience-testing\\\/\",\"url\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/dora\\\/dora-digital-operational-resilience-testing\\\/\",\"name\":\"DORA - Digital operational resilience testing - FMA 
\u00d6sterreich\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/dora\\\/dora-digital-operational-resilience-testing\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/dora\\\/dora-digital-operational-resilience-testing\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.fma.gv.at\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/Header-DORA-Webseite-1320x440-DORA-Testen-der-digitalen-operationalen-Resilienz-3.jpg\",\"datePublished\":\"2024-07-23T13:09:09+00:00\",\"dateModified\":\"2025-09-22T09:31:59+00:00\",\"description\":\"Information about requirements for digital operational resilience testing for the general testing programme and threat-led penetration testing (TLPT)\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/dora\\\/dora-digital-operational-resilience-testing\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/dora\\\/dora-digital-operational-resilience-testing\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/dora\\\/dora-digital-operational-resilience-testing\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.fma.gv.at\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/Header-DORA-Webseite-1320x440-DORA-Testen-der-digitalen-operationalen-Resilienz-3.jpg\",\"contentUrl\":\"https:\\\/\\\/www.fma.gv.at\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/Header-DORA-Webseite-1320x440-DORA-Testen-der-digitalen-operationalen-Resilienz-3.jpg\",\"width\":1320,\"height\":440},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/dora\\\/dora-digital-operational-resilience-testing\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"Li
stItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cross-sectoral topics\",\"item\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"DORA \u2013 Digital operational resilience in the financial sector\",\"item\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/cross-sectoral-topics\\\/dora\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"DORA &#8211; Digital operational resilience testing\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/\",\"name\":\"FMA \u00d6sterreich\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/#organization\",\"name\":\"FMA - Finanzmarktaufsicht\",\"url\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.fma.gv.at\\\/wp-content\\\/uploads\\\/2017\\\/05\\\/FMA_Logo_Twitter_400x400.png\",\"contentUrl\":\"https:\\\/\\\/www.fma.gv.at\\\/wp-content\\\/uploads\\\/2017\\\/05\\\/FMA_Logo_Twitter_400x400.png\",\"width\":400,\"height\":400,\"caption\":\"FMA - Finanzmarktaufsicht\"},\"image\":{\"@id\":\"https:\\\/\\\/www.fma.gv.at\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/FMA_AT\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}