Before you read on: this article will not tell you whether, and to what extent, your company falls under the DORA Regulation, nor walk you through every compliance checkbox. It deals with a different question: how you, as the person responsible for a company in the financial sector, can use DORA not only to gain greater protection against hacking attacks but also to gain real competitive advantages nationally and internationally.
To answer it, we look at the legal framework of the DORA Regulation and, drawing on our many years of experience as a trusted hacking advisor, give recommendations on how to implement its requirements not just correctly but to your advantage. We take a closer look at the role of external service providers in the financial industry when it comes to security and address the often overlooked topic of industrial espionage.
Please read on if you want to turn the legally required measures of the DORA regulation from an annoying necessity into a real asset for the stability and growth of your company!
The DORA Regulation (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is an EU regulation that has applied since January 17, 2025. Its aim is to strengthen the digital resilience of financial institutions and insurance companies so that they can withstand cyberattacks and IT failures. It affects companies along the entire value chain of the financial industry, including third-party ICT providers. In addition to clear technical requirements such as penetration tests, it also covers organizational and strategic resilience.
An important part of the DORA requirements is the involvement of third parties such as externally managed Security Operations Centers (SOC) in security audits. Why is this crucial? Quite simply: you need to ensure that the services you are already paying for actually deliver what they promise. Our focus is on developing constructive solutions and not on exposing other service providers - it's about strengthening trust and optimizing security holistically.
If we know, for example, that a SOC is in place to detect cyberattacks at an early stage, our penetration testers initially proceed very cautiously with their simulated attacks, using low-noise techniques that a well-tuned SOC should still pick up. If these go undetected, they gradually carry out increasingly "louder" attacks, and often find that even these are not reliably detected.
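The following is an added example, written for this article and not code from ProSec or from any SOC product, that shows why the "quiet first, then louder" approach exposes detection gaps. A typical brute-force rule counts failed logins per source IP inside a short sliding window; a slow password spray never reaches that threshold, while a noisy burst trips it immediately. A second rule that tracks distinct target accounts per source over a longer window closes the gap. The log format, IP addresses, usernames and thresholds are all constructed for this example.

```python
"""Added example: why testers escalate from 'quiet' to 'loud' attacks.

A SOC detection rule is only as good as its thresholds. The toy rule below
counts failed logins per source IP inside a sliding window, which is the
shape of many brute-force rules. Two constructed attack traces are run
through it: a low-and-slow password spray that stays under the threshold,
and a noisy burst that trips it. The log lines and IPs are constructed
for this example and do not come from any real system.
"""
from collections import deque
from datetime import datetime, timedelta


# Constructed sample log format: "<ISO timestamp> <result> user=<name> src=<ip>"
def parse_line(line):
    ts, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def brute_force_alerts(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert when one source IP produces >= threshold failures within `window`.

    Returns a list of (timestamp, src) tuples, one per source that crossed
    the threshold (reported once per source to keep the output readable).
    """
    per_src, alerted, alerts = {}, set(), []
    for ev in map(parse_line, lines):
        if ev["result"] != "FAILED":
            continue
        q = per_src.setdefault(ev["src"], deque())
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:      # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["ts"], ev["src"]))
    return alerts


def spray_alerts(lines, distinct_users=5, window=timedelta(hours=2)):
    """Complementary rule: one source failing against many DISTINCT accounts.

    A slow spray stays below any per-minute failure threshold, but the set of
    targeted usernames per source keeps growing. Tracking (ts, user) pairs in a
    longer window catches it. Same return shape as brute_force_alerts().
    """
    per_src, alerted, alerts = {}, set(), []
    for ev in map(parse_line, lines):
        if ev["result"] != "FAILED":
            continue
        q = per_src.setdefault(ev["src"], deque())
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= distinct_users and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["ts"], ev["src"]))
    return alerts


def make_trace(start, src, count, gap, users):
    """Build constructed FAILED log lines: `count` attempts, `gap` apart, cycling through `users`."""
    t = datetime.fromisoformat(start)
    return [
        f"{(t + i * gap).isoformat()} FAILED user={users[i % len(users)]} src={src}"
        for i in range(count)
    ]


USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]

# "Quiet" phase: one attempt every 2 minutes, rotating accounts (password spray).
QUIET = make_trace("2025-03-01T09:00:00", "198.51.100.7", 30, timedelta(minutes=2), USERS)
# "Loud" phase: 25 attempts in under a minute against a single account.
LOUD = make_trace("2025-03-01T12:00:00", "203.0.113.9", 25, timedelta(seconds=2), ["alice"])

if __name__ == "__main__":
    for name, trace in (("quiet", QUIET), ("loud", LOUD)):
        print(name, "brute-force rule:", brute_force_alerts(trace))
        print(name, "spray rule:      ", spray_alerts(trace))
```

Running it shows the quiet trace producing no brute-force alert at all (never more than three failures in any five-minute window) but a spray alert after the fifth distinct account, while the loud trace trips the brute-force rule on its tenth attempt and never triggers the spray rule. A pentest that only ever ran the loud phase would report the SOC as "working"; a pentest that started quiet would have found the missing spray rule.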
We have had similar experiences with surveillance cameras on company buildings: just because they are installed and running does not mean that the recordings are actually monitored and an alarm is triggered if unauthorized persons find a way into the building (for example, thanks to the door wedge on the back door for smoking breaks, which is notorious in our circles).
Our experience shows that everyone involved benefits from a well-prepared and well-followed penetration test. We bring third-party providers on board early on in our projects and support you in optimizing your collaboration through knowledge transfer and solution-oriented communication.
DORA prescribes regular penetration testing to identify security gaps and minimize risks. For some companies, however, Threat-Led Penetration Testing (TLPT) also comes into play.
Does your company really need TLPT – or is a classic, practical penetration test the better choice?
Behind the scenes, it is clear that in practice audits by regulatory authorities or associations often remain too superficial. A key reason is a lack of technical know-how, which leads, for example, to an automated vulnerability scan being accepted as a penetration test even though it only enumerates known weaknesses and never attempts to exploit them.
There are still significant gaps in interpretation when it comes to key terms such as “early reporting” or “holistic monitoring”. Experts estimate that it will take at least two years for these ambiguities to be fully clarified.
Threat-Led Penetration Testing (TLPT) in particular poses a specific challenge, as its relevance depends heavily on the size and complexity of the respective financial institution. Under Article 26 of DORA, TLPT is mandatory only for financial entities that their competent authority identifies for it, and then at least every three years. Smaller banks in particular therefore face the question of whether the additional effort is justified compared to a classic penetration test, or whether such a designation obliges them to carry it out.
Our recommendation: Don’t wait, act
Regardless of the existing ambiguities, we advise companies to take action early. The reason: cyber threats are evolving rapidly, and waiting for full clarification from regulators carries the risk of avoidable security gaps. The DORA regulation is ultimately only a formal response to very real threats.
A well-conducted penetration test – whether classic or TLPT – not only strengthens the security posture of your company, but also provides a solid basis for meeting future regulatory requirements without time pressure. As Trusted Hacking Advisors, we ensure that your tests are practical, future-proof and immediately implementable.
The increasing frequency and complexity of cyberattacks shows how urgently regulatory measures such as DORA are needed:
These figures make it clear that the financial sector remains a prime target for cybercriminals. The sensitive data and the industry's central role in the global economy make comprehensive security measures essential.
Industrial espionage and economic crime are no longer marginal phenomena. The financial sector in particular is a preferred target for cyber criminals who are after sensitive data, payment information and strategic information. This is exactly where DORA comes in: It creates a framework that enables companies to protect their IT systems not just reactively, but proactively.
A real-life example: A leading financial institution fell victim to a targeted spear phishing attack in which access data was stolen and strategically sensitive information was extracted. The analysis revealed that basic security measures such as penetration testing and employee training were lacking. In this case, DORA would not only have created the legal requirements, but also provided concrete measures for prevention.
If we have done our job right, you will hopefully now be less worried and more motivated about the tasks and opportunities that DORA brings for your company.
It is clear that an article cannot answer all open questions. The circumstances in every company are too individual for that. Personal, free and non-binding advice is of course a given for us at the beginning of every inquiry from responsible persons like you. Simply briefly describe your requirements and questions in the contact form or call us directly - we will find the right contact person internally and arrange a suitable appointment for a needs analysis!
What is DORA? The DORA Regulation (Digital Operational Resilience Act) is an EU regulation that has applied since January 17, 2025. Its aim is to strengthen the digital resilience of financial institutions and insurance companies so that they can withstand cyberattacks and IT failures.
Who is affected? All companies in the financial sector as well as critical third-party providers such as IT service providers and cloud providers.
Which measures does DORA prescribe? Among other things: ICT risk management, reporting of major ICT-related incidents, regular digital operational resilience testing including penetration tests and, for designated entities, TLPT, and management of the risks arising from ICT third-party providers.
What does DORA offer beyond compliance? The regulation gives companies the opportunity to approach IT security strategically instead of only reacting to attacks. It not only protects individual organizations but also increases the stability of the entire financial system.
How does ProSec support you? ProSec offers practical solutions such as penetration testing, threat-led penetration testing (TLPT), awareness training and audit-ready documentation to meet the requirements of the DORA Regulation effectively and sustainably.