DORA and Vulnerability Management for Financial Services
Takeaways
DORA mandates ICT risk management including vulnerability management: Financial entities must identify, classify, and mitigate ICT vulnerabilities.
Vulnerability testing is explicitly required: DORA requires regular vulnerability assessments and advanced testing for significant entities.
Third-party ICT risk must be managed: Vulnerabilities in outsourced services and third-party providers fall under DORA's scope.
Threat-led penetration testing applies to critical entities: Significant financial entities must conduct TLPT based on the TIBER-EU framework.
DORA enforcement began January 2025: Financial entities in the EU must demonstrate compliance with ICT risk management requirements.
What Is DORA?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a European Union regulation that establishes a comprehensive framework for managing information and communications technology (ICT) risk in the financial sector. DORA entered into force in January 2023 and has applied since 17 January 2025. It requires financial entities, including banks, insurance companies, investment firms and payment institutions, to implement thorough ICT risk management practices, including vulnerability management, and it brings critical ICT third-party service providers under an EU-level oversight framework run by the European Supervisory Authorities.
DORA recognizes that the financial sector's increasing dependence on ICT systems creates operational risk that must be managed systematically. Cybersecurity incidents, system failures, and ICT vulnerabilities can disrupt financial services, affect consumers, and threaten financial stability. The regulation addresses these risks by requiring financial entities to identify, protect against, detect, respond to, and recover from ICT-related incidents and vulnerabilities.
For vulnerability management programs in financial services, DORA introduces specific requirements for vulnerability assessment, testing, and third-party risk management that go beyond general cybersecurity frameworks. Understanding these requirements is essential for financial entities operating in or serving the EU market.
DORA Vulnerability Management Requirements
ICT Risk Management Framework
DORA Article 6 requires financial entities to have a comprehensive ICT risk management framework that includes identifying and classifying ICT assets, assessing threats and vulnerabilities, implementing protection measures, and continuously monitoring for ICT-related risks. Vulnerability management is embedded within this broader framework: the identification and classification of vulnerabilities is part of the risk assessment process, and the remediation of vulnerabilities is part of the protection and mitigation activities.
The framework must be documented, reviewed at least annually, and updated in response to ICT incidents, audit findings, and changes in the threat landscape. Leadership is directly accountable: DORA requires the management body of each financial entity to approve and oversee the ICT risk management framework, including vulnerability management policies and practices.
Vulnerability Assessment and Testing
DORA Articles 24 and 25 require financial entities (microenterprises get lighter treatment) to establish and maintain a digital operational resilience testing programme as part of the ICT risk management framework. Article 25 lists the tests it may draw on: vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility, performance and end-to-end testing, and penetration testing. The programme must be risk-based, with testing frequency and scope proportional to the entity's size, business complexity and risk profile, but Article 24 sets a floor: every ICT system and application supporting a critical or important function must be tested at least yearly.
For financial entities that competent authorities identify under Article 26 (based on factors such as impact on the financial sector, financial stability concerns and the entity's ICT risk profile), DORA requires threat-led penetration testing (TLPT) at least every three years. TLPT is an intelligence-led adversary simulation performed on live production systems, modelled on the TIBER-EU framework, that must cover several or all of the entity's critical or important functions, including those delivered by ICT third-party providers. It goes beyond vulnerability scanning to test whether the entity can detect and respond to an attacker who chains multiple vulnerabilities and techniques, and Article 27 sets requirements for the testers and threat intelligence providers used.
Third-Party ICT Risk
DORA places significant emphasis on managing ICT risk from third-party service providers (Articles 28 to 30). Financial entities must assess the security posture of ICT providers before contracting, maintain a register of information covering all ICT third-party arrangements, and apply heightened requirements where a provider supports a critical or important function. Contracts must include provisions for security testing, vulnerability remediation and incident notification; for services supporting critical or important functions they must also grant access, inspection and audit rights and oblige the provider to participate in the entity's TLPT. Financial entities remain responsible for the ICT risk introduced by their third-party relationships, including vulnerabilities in outsourced systems and services.
This requirement extends vulnerability management beyond the organization's own infrastructure to the supply chain. Financial entities must have visibility into the vulnerability management practices of their critical providers and must ensure that vulnerabilities in provider-operated systems are identified and addressed in a timely manner.
Implementing DORA-Compliant Vulnerability Management
Financial entities implementing DORA-compliant vulnerability management should align their programs with the regulation's ICT risk management framework requirements. That means establishing documented policies for vulnerability identification, assessment and remediation; running regular scans across all ICT assets, with credentialed assessments for depth and accuracy; defining risk-based prioritization that weighs the criticality of the affected financial service and the customer data it handles alongside the technical severity; and setting remediation SLAs proportional to risk, with accelerated timelines for vulnerabilities affecting systems that support critical or important functions.
Testing programs must go beyond automated scanning to include the vulnerability assessments, gap analyses, and network security assessments DORA specifies. For entities subject to TLPT requirements, engaging qualified providers for threat-led penetration testing on the required cadence adds a validation layer that demonstrates the effectiveness of vulnerability management and broader security controls.
Third-party risk management requires establishing vulnerability management expectations in provider contracts, conducting regular assessments of provider security posture, and maintaining the ability to assess vulnerabilities in provider-operated systems that support the entity's financial services. DORA's emphasis on third-party risk means that vulnerability management extends to the supply chain, not just internally managed infrastructure.
Reporting and governance must satisfy DORA's leadership accountability requirements. Regular reporting to the management body on vulnerability management performance, ICT risk posture, and testing results demonstrates the oversight that DORA requires. Documentation of policies, test results, remediation actions, and risk assessments provides the audit evidence that supervisory authorities may request during examinations.
DORA and Existing Frameworks
Financial entities already compliant with frameworks like ISO 27001, NIST CSF, or national financial sector guidelines have a foundation for DORA compliance. DORA's requirements overlap significantly with these frameworks but add financial-sector-specific elements: TLPT for significant entities, explicit third-party ICT risk management, and direct management body accountability. Organizations should conduct a gap analysis mapping their current vulnerability management practices against DORA's specific requirements to identify areas needing enhancement.
DORA harmonizes ICT risk management requirements across the EU financial sector, replacing the patchwork of national guidelines that previously applied. Financial entities operating across multiple EU member states benefit from a single regulatory framework rather than navigating different requirements in each jurisdiction. This harmonization also means that supervisory authorities across the EU will apply consistent expectations for vulnerability management practices during examinations.
Practical DORA Compliance Steps
Financial entities should begin DORA compliance preparation by conducting a gap analysis comparing their current vulnerability management practices against DORA's specific requirements. Key areas to assess include the comprehensiveness of ICT asset inventory, scanning coverage and frequency, the risk-based nature of prioritization methodology, remediation SLA compliance, third-party ICT risk management practices, testing program maturity, and management body oversight and reporting.
For entities subject to TLPT requirements, planning should begin well in advance of the required testing date. TLPT engagements are complex, requiring realistic threat intelligence development, coordination with the competent authority, skilled testing teams, and comprehensive reporting. The preparation and execution timeline typically spans several months, and findings from TLPT often require significant remediation effort.
DORA's emphasis on management body accountability means that vulnerability management reporting must reach board-level or equivalent leadership regularly. Reports should frame vulnerability management performance in terms of operational resilience risk: how exposed are the entity's critical financial services to exploitation of known vulnerabilities? This framing connects vulnerability management to DORA's core objective of ensuring that financial services remain operational despite ICT-related threats.
Financial entities should also establish processes for monitoring DORA regulatory developments. As competent authorities issue guidance, standards, and enforcement actions, vulnerability management requirements may be further clarified or strengthened. Staying current with regulatory developments ensures the program continues to meet evolving expectations and avoids compliance surprises during supervisory examinations.
Collaboration with industry peers through sector-specific information sharing organizations helps financial entities understand common vulnerability management challenges and solutions in the DORA context. The European Supervisory Authorities (ESAs) and national competent authorities may also provide implementation guidance specific to DORA's vulnerability testing and ICT risk management requirements.
DORA Testing Program Design
DORA's testing requirements are more specific than many other frameworks, requiring financial entities to design testing programs that include vulnerability assessments, network security assessments, gap analyses, source code reviews where feasible, and performance testing. For entities identified by their competent authority, threat-led penetration testing adds another layer. The testing program must be proportional to the entity's size and risk profile, but every ICT system and application supporting a critical or important function must be tested at least yearly.
Designing the testing program starts with identifying which ICT systems support critical or important functions. These systems receive the most intensive testing, including more frequent vulnerability scanning, deeper configuration assessment, and inclusion in TLPT scope. Non-critical systems receive baseline testing proportional to their risk. This risk-based allocation of testing resources satisfies DORA's proportionality requirement while ensuring that the most important systems receive appropriate scrutiny.
Testing results must be documented and reported to the management body, and findings must be remediated according to the entity's risk management framework. DORA requires that testing is not merely an exercise that produces a report; it must drive actual security improvements through systematic remediation of identified weaknesses. Tracking remediation of testing findings through the same workflow used for vulnerability scan findings ensures consistency and accountability.
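The risk-based prioritization and SLA logic described in the implementation section above, together with the rule that testing findings run through the same remediation workflow as scan findings, as an added example in Python. This is not code from the original page or from any DORA guidance: the asset inventory, the findings, the scoring weights, the tier thresholds and the SLA days are constructed assumptions for illustration, and a real programme would set them in its documented ICT risk management framework and feed findings in from its scanners and test reports.

```python
"""Risk-based vulnerability prioritisation with SLAs keyed to whether the
affected asset supports a critical or important function (CIF) in DORA's
sense. Added example; weights, thresholds, SLA days and sample data are
assumptions, not values from the regulation or the page."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed asset inventory: CIF designation and internet exposure are the
# two context attributes the scoring uses.
ASSETS = {
    "pay-gw-01":   {"cif": True,  "internet_facing": True,  "owner": "Payments"},
    "core-db-02":  {"cif": True,  "internet_facing": False, "owner": "Core Banking"},
    "hr-portal":   {"cif": False, "internet_facing": True,  "owner": "HR IT"},
    "dev-jenkins": {"cif": False, "internet_facing": False, "owner": "Platform"},
}

# Remediation deadline per tier, in days (assumed values for the example).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float                      # CVSS v3.x base score as reported
    source: str                      # "scanner", "pentest", "tlpt": same workflow
    discovered: date
    exploited_in_wild: bool = False  # e.g. listed in a known-exploited catalogue
    fixed: Optional[date] = None


def priority(f: Finding) -> str:
    """Map a finding to tier P1..P4 from CVSS plus context.

    Exploitation in the wild, internet exposure and CIF support each add to
    the score, so a medium CVSS on an internet-facing payments gateway
    outranks a critical CVSS on an isolated build server."""
    a = ASSETS[f.asset]
    score = f.cvss
    if f.exploited_in_wild:
        score += 2.0
    if a["internet_facing"]:
        score += 1.0
    if a["cif"]:
        score += 1.5
    if score >= 10.0:
        return "P1"
    if score >= 8.0:
        return "P2"
    if score >= 5.0:
        return "P3"
    return "P4"


def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[priority(f)])


def is_overdue(f: Finding, today: date) -> bool:
    """Open and past its SLA deadline as of `today`."""
    return f.fixed is None and today > due_date(f)


def sla_met(f: Finding) -> bool:
    """Closed finding that was fixed on or before its deadline."""
    return f.fixed is not None and f.fixed <= due_date(f)


def management_summary(findings, today: date) -> dict:
    """Per-tier counts for management body reporting: open findings, overdue
    findings, and how many of the open ones sit on CIF-supporting assets."""
    summary = {t: {"open": 0, "overdue": 0, "open_cif": 0} for t in SLA_DAYS}
    for f in findings:
        row = summary[priority(f)]
        if f.fixed is None:
            row["open"] += 1
            if ASSETS[f.asset]["cif"]:
                row["open_cif"] += 1
        if is_overdue(f, today):
            row["overdue"] += 1
    return summary


# Constructed findings from three sources feeding one workflow.
SAMPLE_FINDINGS = [
    Finding("F1", "pay-gw-01", 6.5, "scanner", date(2025, 3, 1), exploited_in_wild=True),
    Finding("F2", "dev-jenkins", 9.8, "scanner", date(2025, 3, 1)),
    Finding("F3", "core-db-02", 7.5, "tlpt", date(2025, 2, 10)),
    Finding("F4", "hr-portal", 4.0, "pentest", date(2025, 1, 15), fixed=date(2025, 4, 1)),
]
TODAY = date(2025, 3, 20)  # fixed reference date so the example is deterministic

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.source, priority(f), due_date(f), "overdue" if is_overdue(f, TODAY) else "")
    print(management_summary(SAMPLE_FINDINGS, TODAY))
```

Two design points worth noting: the tier is computed from the finding and the asset record, never stored, so re-tagging an asset as supporting a critical or important function immediately re-prioritises its backlog; and the `source` field is informational only, which is what keeps TLPT and pentest findings on the same deadlines and the same overdue report as scanner output.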
Financial entities should coordinate their DORA testing programs with other regulatory testing requirements they may face (ECB cyber resilience testing, national competent authority requirements). Where possible, a single testing program designed to meet the most stringent applicable requirements reduces duplication while satisfying all regulatory obligations.
DORA also addresses ICT incident management, requiring financial entities to classify, report, and learn from ICT-related incidents. Vulnerability management connects directly to incident management: many incidents originate from exploited vulnerabilities, and post-incident analysis should identify which vulnerability was exploited, why it was not remediated before exploitation, and what changes to the vulnerability management program could prevent similar incidents. This feedback loop between incident management and vulnerability management satisfies DORA's requirement for learning from incidents and continuously improving ICT risk management practices. Financial entities that integrate vulnerability management with incident response demonstrate the operational resilience maturity that DORA aims to achieve across the EU financial sector.