
DORA penetration testing requirements: what financial entities must do in 2026

Yanis Grigy, CEO · 4 min read

DORA in one paragraph

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied since 17 January 2025. It binds every EU financial entity (banks, insurers, asset managers, payment institutions, crypto-asset service providers) and reaches a wide swath of their ICT third-party service providers. Penetration testing is no longer a best-effort line in the security policy. It is a regulatory obligation with named scopes, named cadences, and named evidence.

What the regulation actually requires

Two layers, often confused.

Layer 1: regular pentests on ICT systems supporting critical or important functions. Article 24 of DORA requires a documented testing programme proportionate to size, risk profile, and complexity, and Article 24(6) sets the floor in the text itself: appropriate tests on all ICT systems and applications supporting critical or important functions at least yearly (microenterprises excepted). Article 25 lists penetration testing among the expected test types. In practice national supervisors (ACPR in France, BaFin in Germany, CNMV in Spain) read this as "at minimum annual, with coverage of significant changes in between." Not optional. Not "next year."

Layer 2: Threat-Led Penetration Testing (TLPT) at least every three years for entities their competent authority identifies under Article 26. Modeled on TIBER-EU. Mandatory for systemically important institutions and others singled out on ICT risk profile. Red-team scope, intelligence-driven, multi-week, expensive. This is the headline rule, but Layer 1 is the one most CISOs underestimate.

If your organisation falls under DORA but not TLPT, you still owe regular, evidence-bearing pentests on every critical web app, API, and external surface.

Evidence the supervisor expects

A PDF report is no longer enough. EU supervisors expect:

  1. Scope traceability. Which assets were tested, which were excluded, and why.
  2. Reproducible findings. Every vulnerability ships with a proof of concept the auditor can verify.
  3. Severity mapping. CVSS plus business-impact rating against the institution's risk register.
  4. Remediation timeline. Tickets, owners, target close dates, retest evidence.
  5. Independence. The tester must be operationally independent from the team that built the system.

Most boutique pentest firms produce items 1, 3, and 4. Items 2 and 5 are where automated pentest helps: every PoC is reproducible by design, and the test agent is structurally independent.

Suppliers are in scope too

The piece most product teams miss. If you sell SaaS that supports a French bank's critical or important functions, you are an "ICT third-party service provider" under DORA, and the bank's contract with you must carry audit and access rights it can actually exercise. The bank's auditor will ask for your pentest evidence. "Trust us, we have a SOC 2" is not enough.

This is why we see software vendors requesting pentests every quarter: their financial customers are pushing the obligation downstream. The cost structure of traditional pentest does not survive that cadence.

What changes in 2026

Three things tighten this year.

  1. TLPT framework finalised. ESMA, EBA, and EIOPA published Joint RTS in late 2025. National authorities are operationalising scoping and red-team accreditation in 2026.
  2. Subcontractor register. Financial entities must maintain a register of ICT third parties with named pentest evidence. Empty fields equal an audit finding.
  3. Continuous testing as the new floor. Supervisors increasingly read "regular" as "continuous for high-criticality systems." Annual is the longest interval they will accept, not the target.

How Fleuret fits

Fleuret runs autonomous AI pentests on web apps, REST and GraphQL APIs, and external infrastructure. Six hours from request to report. Every finding includes a reproducible PoC. Reports are mapped to DORA control families and signed with Ed25519, so an auditor can verify them offline against the signer's public key instead of relying on a vendor-controlled portal.
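What "offline auditor verification" means in practice, as an added example (not Fleuret's code, and the report schema, the bundle layout and the pinned-key workflow are assumptions for illustration): the auditor holds the vendor's Ed25519 public key obtained out of band, and checks the detached signature over the report bytes locally. A genuine bundle verifies; a bundle whose severity was edited after signing fails; a bundle re-signed with some other key also fails, because trust is anchored in the pinned key, not in anything the bundle carries.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Finding and Report are a constructed, hypothetical report schema used only
// for this example; they are not Fleuret's actual report format.
type Finding struct {
	ID       string `json:"id"`
	Severity string `json:"severity"`
	PoC      string `json:"poc"`
}

type Report struct {
	Scope    []string  `json:"scope"`
	Findings []Finding `json:"findings"`
}

// SignedReport is what the auditor receives: the canonical report bytes plus
// a detached Ed25519 signature over them. The signer's public key is
// deliberately NOT part of the bundle; the auditor pins it out of band.
type SignedReport struct {
	Report    []byte
	Signature []byte
}

// SignReport is the vendor side: serialise once, sign the exact bytes shipped.
func SignReport(priv ed25519.PrivateKey, r Report) (SignedReport, error) {
	b, err := json.Marshal(r)
	if err != nil {
		return SignedReport{}, err
	}
	return SignedReport{Report: b, Signature: ed25519.Sign(priv, b)}, nil
}

// VerifyReport is the auditor side: runs offline, makes no call to the vendor,
// and accepts only signatures under the pinned key.
func VerifyReport(pinned ed25519.PublicKey, s SignedReport) bool {
	if len(pinned) != ed25519.PublicKeySize || len(s.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, s.Report, s.Signature)
}

// RunScenario exercises three cases: a genuine bundle, a bundle whose report
// body was edited after signing, and a bundle re-signed with a different key.
func RunScenario() (genuineOK, tamperedOK, resignedOK bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample report (hypothetical target and finding).
	report := Report{
		Scope:    []string{"https://app.example-bank.test"},
		Findings: []Finding{{ID: "F-001", Severity: "high", PoC: "poc-F-001.txt"}},
	}
	signed, err := SignReport(vendorPriv, report)
	if err != nil {
		panic(err)
	}
	genuineOK = VerifyReport(vendorPub, signed)

	// Downgrade the severity inside the signed bytes: a few-byte edit is enough to fail.
	tampered := SignedReport{
		Report:    bytes.Replace(signed.Report, []byte(`"high"`), []byte(`"low"`), 1),
		Signature: signed.Signature,
	}
	tamperedOK = VerifyReport(vendorPub, tampered)

	// Re-sign the tampered report with a fresh key: internally consistent,
	// but the auditor checks against the pinned vendor key, so it still fails.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	resigned := SignedReport{
		Report:    tampered.Report,
		Signature: ed25519.Sign(otherPriv, tampered.Report),
	}
	resignedOK = VerifyReport(vendorPub, resigned)
	return
}

func main() {
	g, t, r := RunScenario()
	fmt.Printf("genuine=%v tampered=%v resigned=%v\n", g, t, r)
}
```

The design choice worth noting is that the public key travels separately from the bundle. If the bundle carried its own key and the verifier used it, anyone could swap both the report and the key and still "verify"; pinning the key out of band (a fingerprint in the contract, a key published on a channel the auditor already trusts) is what turns a signature into evidence.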

At €3,000 per webapp for a one-time POC, against a market norm of €10,000 to €30,000, the cost structure of compliance changes. Continuous tiers starting at €10,000 per year make ongoing cadence affordable. Annual stops being a budget exercise.

If your organisation is in DORA scope and your current pentest cadence cannot keep up, let's talk.
