This blog is the final part of a three-part series about the EU's Digital Operational Resilience Act (DORA). Part 1 is a comprehensive breakdown of the act: who DORA applies to, the compliance dates, recommended DORA frameworks, penalties for violations, and the risk controls DORA expects. In part 2, I shared recommendations on how organizations can manage the cost implications of DORA. In today's post, I'll examine the role continuous testing plays in DORA compliance.
When I first entered the industry (it was still called "Infosec" back then), penetration testing was largely treated as a one-and-done exercise, completed annually or bi-annually at best, to tick the compliance box.
Fast-forward to today, and the term "Continuous Pentesting" has emerged, with interpretations that go well beyond simply running scans on a rolling basis. Ask five vendors what "continuous" means and you'll get five different answers, spanning everything from automated passive scanning to fully staffed round-the-clock testing. Bugcrowd, for example, offers a range of "continuous" testing capabilities, from traditional Bug Bounty programs to a Continuous Pentesting offering, with more updates coming soon.
Despite the industry buzz, there's still no universal agreement on how to define "continuous," but one point is clear: we've shifted from viewing pentesting as an occasional checkbox to treating it as a persistent state of vigilance. That shift aligns closely with emerging compliance demands like DORA.
What does DORA say about testing approaches?
DORA mandates that financial institutions implement a structured, ongoing approach to operational resilience testing. The key areas include:
Regular operational resilience testing
- Financial entities must perform regular vulnerability assessments and penetration testing to ensure their ICT systems remain secure against emerging threats. For ICT systems and applications supporting critical or important functions, DORA requires appropriate tests at least yearly.
- Tests must simulate real-world threat scenarios, including the targeted attacks that financial institutions are most likely to face.
- Testing frequency and scope should be proportionate to the size, risk profile, and complexity of the organization.
Threat-led penetration testing (TLPT)
- Large and systemically significant institutions must conduct threat-led penetration testing (closely related to red teaming) at least every three years.
- These tests are designed to mimic the tactics, techniques, and procedures (TTPs) of actual threat actors, with the scenarios driven by threat intelligence specific to the institution.
- Tests must cover several or all of the entity's critical or important functions, including those supporting key financial activities like payments, communications, and trading, and they are performed on live production systems.
Validation of third-party systems
- Testing extends to third-party ICT service providers to ensure they meet resilience standards; where a provider supports a function in scope of a test, the financial entity remains responsible for ensuring the provider participates. Vulnerabilities in the supply chain are a significant focus of DORA.
Real-time monitoring and continuous improvement
- Continuous monitoring is required to promptly detect anomalous activity and newly exposed vulnerabilities.
- Firms are expected to feed testing results back into their ICT risk management framework, tracking findings to remediation and using them to strengthen defenses and refine processes.
Why continuous testing is central to DORA
There are three main reasons why continuous security testing is central to DORA: the dynamic threat landscape, proactive incident prevention, and regulatory accountability.
Dynamic threat landscape
The financial sector faces constant threats from cybercriminals, state-sponsored groups, and insiders. An annual test only tells you about the attack surface as it existed on test day; continuous testing keeps the assessment current as systems, dependencies, and attacker techniques change.
Proactive incident prevention
Testing isn't just about detecting vulnerabilities; it's about preventing incidents by identifying and mitigating risks before an attacker can exploit them.
Regulatory accountability
Continuous testing provides a running, auditable record of compliance with DORA, demonstrating to supervisors that the institution is taking a proactive stance on resilience rather than relying on a point-in-time report.
Challenges of continuous testing
In part 2 of this blog series, I examined some of the challenges of continuous testing in the context of DORA compliance. Here is a quick overview.
Resource intensity
Implementing continuous testing requires significant investment in tools, processes, and skilled personnel, which can be challenging, especially for smaller institutions.
Skills shortage
The cybersecurity skills gap makes it difficult for many organizations to hire and retain specialists capable of executing complex testing regimes like TLPT.
Scaling and frequency
Larger institutions may find it challenging to scale testing efforts across multiple ICT systems without incurring excessive costs or operational disruptions.
Third-party dependencies
Testing the resilience of third-party vendors is often complex, as it requires contractual permission, cooperation, and alignment on security objectives.
How Bugcrowd supports continuous testing under DORA
Bugcrowd is uniquely positioned to help financial institutions meet DORA’s continuous testing requirements:
Scalable penetration testing
- Bugcrowd's platform delivers on-demand penetration testing, allowing organizations to scale their testing efforts without overextending internal teams.
- Tests are conducted by a global community of vetted security researchers, giving access to current offensive expertise and knowledge of emerging attacker techniques.
- Continuous Attack Surface Penetration Testing takes this a step further: attack surface management (ASM) led discovery tracks the evolving attack surface, so changes such as newly exposed hosts or services can be tested immediately and continuously rather than waiting for the next scheduled engagement.
Threat-led simulations
- Bugcrowd's red teaming services are aligned with threat-led penetration testing requirements, simulating the sophisticated, intelligence-driven attacks that financial institutions face.
Continuous vulnerability management
- The platform supports continuous vulnerability discovery and management, providing up-to-date insight into an organization's security posture and a record of findings through to remediation.
Third-party risk testing
- Bugcrowd can test the security of critical third-party systems, helping organizations meet DORA’s requirements for supply chain resilience.
Cost efficiency
- By leveraging a crowdsourced model, Bugcrowd enables institutions to meet stringent testing requirements without incurring the full cost of expanding internal teams.
The long-term benefits of continuous testing
While continuous testing requires significant upfront investment, it offers substantial long-term benefits:
- Enhanced resilience: Proactively identifying vulnerabilities reduces the likelihood of disruptions and incidents.
- Regulatory compliance: Demonstrates commitment to DORA compliance, reducing regulatory risk.
- Customer trust: Maintaining operational resilience strengthens trust among customers and stakeholders, particularly in high-risk sectors like payments and financial markets.
Continuous testing isn't just a DORA mandate; it's a survival strategy. In a world of constantly evolving threats, financial institutions need a proactive, ongoing approach to resilience to stay ahead of adversaries.
Book a meeting with one of our security experts today for an overview of how Bugcrowd can help your organization meet DORA's requirements in a manageable way.