The financial sector must carry out penetration tests under the EU regulation DORA

In 2022, the weekly number of cyberattacks in the financial industry averaged 1,131 attacks – which represents a 52% increase from 2021, according to Check Point Research figures.

More than two-thirds of large institutions were affected by at least one cyberattack, not counting successfully prevented attacks and unreported cases. The EU Regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554, DORA for short) gives the entire finance industry a uniform legal standard for reducing its exposure to ICT disruptions and cyber threats along the entire value chain.

A crucial feature of Regulation (EU) 2022/2554, DORA for short, is regular testing. ICT systems supporting critical or important functions must be tested at least once a year against different threat scenarios. Shifting this responsibility to third parties, i.e. ICT service providers, is viewed critically.

BaFin points out that the concentration on multi-client service providers, i.e. firms that act for several institutions, creates risks for the market as a whole. Banks should therefore make every effort to carry out measures such as the required penetration tests independently in order to identify their own risks.

Autonomous penetration testing for the financial industry

With NodeZero, the company has developed a technology that executes real attack scenarios against the entire IT infrastructure via autonomous penetration tests. The technology runs on a cloud platform that complies with data protection regulations and, for Europe, is hosted in Germany. It can be run at any time and as often as desired during ongoing daily business, without depending on an external service provider or a professional pentester.

This not only uncovers vulnerabilities but also checks the effectiveness of existing protection mechanisms (hardware and software). The user guidance is tailored to the needs of IT departments and gives IT teams, CIOs, CISOs and admins a detailed analysis of attack paths, with evidence of exploitation and prioritised corrective actions. To complete the established "find, fix and verify" approach, a one-click verification re-runs the test to confirm that the fix actually closes the attack path.

Based on the test findings, preventive measures can be specified for each individual institution, ranging from threat detection to rules for backup measures.

Time is running out

For banks that have implemented the regulatory requirements in advance, there is no reason to panic. The situation is different for institutions that have paid little attention to the topic so far.

A massive wave of enquiries to service providers is to be expected in the coming months. The already long lead times for professional services will become even longer, and meeting the legal deadlines will become almost impossible.

This is another reason to implement a penetration testing concept within the bank itself. The company, which specialises in autonomous penetration tests delivered as a cloud solution, is already seeing a significant increase in requests from the financial sector. The pressure is high, both financially and in terms of capacity. With NodeZero, smaller institutions also have the option of performing threat-led penetration tests (TLPT), which DORA requires of designated institutions at least every three years, themselves.

Rainer M. Richter is an IT expert and Vice President EMEA & APAC at