How DORA Changes the Rules for Penetration Testing in Investment Management

Published: 17 October 2025, ToraGuard Insights

The Digital Operational Resilience Act (DORA) is reshaping how financial institutions across Europe, and by extension U.K. investment managers operating cross-border, approach cybersecurity assurance.

At its core, DORA shifts penetration testing from a technical control to a strategic governance obligation.

For investment managers, this means penetration testing must now demonstrate not only technical robustness but also organisational resilience and regulatory accountability.

From Annual Test to Continuous Assurance

Historically, many firms treated penetration testing as an annual compliance task, a once-a-year health check to satisfy auditors or investors.

Under DORA, this approach is no longer sufficient.

DORA Article 26 introduces Threat-Led Penetration Testing (TLPT) requirements that must be:

  • Risk-based, reflecting real-world threat scenarios
  • Independent, conducted by qualified third parties
  • Comprehensive, covering critical functions and third-party dependencies

For investment managers, this means aligning testing frequency and depth with business-critical processes, not arbitrary calendars.

Learn how our Penetration Testing Services for U.K. Financial Firms support continuous assurance programmes.

Integrating Testing with Governance and Oversight

DORA expects Boards and senior management to maintain direct oversight of digital resilience programmes.

Penetration testing outcomes are now considered evidence of that oversight.

Effective firms will:

  • Embed test results into governance frameworks such as FCA SYSC 8 and PRA SS1/21
  • Ensure remediation priorities align with risk appetite statements and operational resilience metrics
  • Use reports to demonstrate informed decision-making to regulators and investors

For reference, the FCA’s Operational Resilience Policy highlights this accountability shift and serves as a useful external benchmark for U.K. firms aligning with DORA principles.

Expanding the Scope Beyond the Network

DORA broadens what “testing” means. It is no longer limited to perimeter or infrastructure assessments.

Investment managers should now include:

  • Cloud and SaaS platforms, including trading and data aggregation systems
  • Third-party service providers, especially outsourced IT and fund administration partners
  • Data flows and APIs, ensuring controls are validated end-to-end

The European Supervisory Authorities (ESAs) Guidelines on Threat-Led Penetration Testing provide a helpful model for assessing scope and independence.

Testing Frequency: A Proportionate Approach

While DORA requires at least one TLPT every three years, regulators expect ongoing validation between major exercises.

A proportionate model for investment managers might include:

  • Quarterly vulnerability assessments to track control drift
  • Annual focused penetration tests on systems undergoing material change
  • Comprehensive TLPTs every three years, covering critical business services

This layered approach balances assurance cost with operational practicality.

For a deeper discussion on cadence and proportionality, see our related insight How Often Should Financial Firms Conduct Penetration Tests?

From Findings to Measured Improvement

DORA places emphasis on closing the loop: not just identifying vulnerabilities but also demonstrating measurable improvement.

Regulators and Boards will expect to see:

  • Documented remediation plans with ownership and timelines
  • Re-tests confirming that fixes are effective
  • Trend analysis showing reduced risk exposure over time

This shifts penetration testing from a report-driven exercise to a performance indicator of cyber maturity.

External benchmarks such as the Bank of England’s CBEST framework can provide useful context for measuring improvement against national standards.

Cross-Border Implications for U.K. Firms

Although the U.K. is outside the EU, many investment managers have regulated entities or clients within the bloc. As such, DORA has indirect but significant influence over U.K. operating models.

Firms aligning their testing regimes to DORA standards gain:

  • Regulatory equivalence for EU operations
  • Investor confidence in cross-jurisdiction resilience
  • Operational consistency across multiple regulatory frameworks including FCA, PRA and DORA

Discover how our Cyber GRC Services align governance, risk and compliance with emerging regulations such as DORA.

Practical Next Steps for Investment Managers

To prepare effectively:

1. Map critical functions and dependencies that fall under operational resilience

2. Integrate penetration testing into the broader resilience testing framework

3. Engage independent experts familiar with DORA-aligned TLPT methodology

4. Establish Board-level reporting linking test outcomes to risk appetite and business impact

These steps turn compliance into capability and transform testing from a cost to a value-adding assurance process.

In summary

DORA represents a decisive shift in how investment managers must view penetration testing. It is no longer a checkbox exercise but a strategic instrument of digital resilience.

By aligning testing with governance, regulatory and operational objectives, firms can move from reactive compliance to proactive confidence.

The firms that are likely to optimise the value from AI will be those that treat it as a strategic partner in their long-term security journey.

ToraGuard can assist with penetration testing in investment management and strategic governance consultancy to demonstrate resilience and regulatory accountability.

Get in touch