Comply with the Digital Operational Resilience Act with Heyhack

DORA (EU) Penetration Test Requirements

The Digital Operational Resilience Act defines critical requirements for services provided to financial institutions in the European Union.

What is DORA (EU)?

Ratified by the European Parliament on November 10, 2022, the Digital Operational Resilience Act (DORA) represents a new era in the EU's financial services regulation. As a cornerstone of the EU's digital finance transformation, DORA offers an extensive framework to manage Information and Communication Technology (ICT) risks across various financial sectors, from banking and insurance to securities.
DORA's prime focus is fostering resilience among regulated financial entities against potential ICT disruptions. By establishing robust guidelines for ICT risk management, DORA mandates that financial institutions undertake periodic risk evaluations and deploy effective risk reduction strategies. This proactive approach strengthens cybersecurity and enhances the digital resilience of these organizations.
Moreover, DORA underscores the importance of timely incident reporting and resilience testing, enabling early identification and swift response to potential ICT threats. The regulation also addresses the rising dependence on third-party ICT services within the financial sector. DORA ensures stringent oversight of these critical service providers, reflecting its commitment to maintain financial system stability amid growing ICT risks. With DORA in effect, the EU strides forward in its quest for operational resilience in the digital finance landscape.

What is required by DORA?

Chapter IV of the Digital Operational Resilience Act defines a set of general requirements for financial institutions in the European Union with respect to the performance of digital operational resilience testing.
Article 25 states that the testing programme shall provide for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
Moreover, DORA defines some requirements for penetration testers that Heyhack fully lives up to and complies with. Penetration testing solutions that live up to the DORA requirements must:
  • be of the highest suitability and reputability;
  • possess technical and organisational capabilities in penetration testing;
  • adhere to formal codes of conduct or ethical frameworks;
  • provide independent assurance in relation to the sound management of risks associated with the carrying out of threat-led penetration testing;
  • be duly and fully covered by relevant professional indemnity insurances.

Solve DORA requirements for penetration testing

Heyhack is fully compliant with the DORA requirements for penetration test solutions. Heyhack's customers include European financial institutions that have assessed Heyhack's solution specifically with DORA in mind and found that Heyhack lives up to all the requirements.
Concretely, Heyhack solves the five requirements for penetration testers in DORA by the following:
  • Heyhack has more than 20 years of experience in penetration testing and has worked with many large financial institutions on penetration test and vulnerability scanning assignments;
  • Heyhack is one of the globally leading solutions in automated penetration testing of web applications and has built one of the strongest and most comprehensive test engines to guarantee complete coverage and testing of every kind of web application;
  • Heyhack is a corporate member of the Open Worldwide Application Security Project (OWASP) and adheres to the OWASP Web Security Testing Guide, considered the best and most expansive methodology for penetration testing of web applications;
  • Heyhack is SOC 2 Type II certified by Prescient Assurance and works with Vanta to actively manage risks associated with penetration test services;
  • Heyhack is insured by Tryg Forsikring, the largest insurance company in Denmark, and maintains a liability insurance policy to cover any potential damage caused by Heyhack's automated penetration tests.
In our Trust Center, you can learn more about the specific controls we implement to ensure that we stay compliant with DORA requirements. You can also request a copy of our SOC 2 Type II report.

Benefits of automated penetration testing for DORA compliance

Heyhack is uniquely positioned to help you comply with DORA requirements for penetration testing in a comprehensive, efficient, cost-effective manner.
1. DORA requires all applications to be tested

DORA requires that all applications and services in financial institutions must be assessed by penetration testing (at least once every 3 years per application). Heyhack solves this easily.

2. Automated testing is cost-effective

Many large financial institutions manage hundreds of applications, making manual penetration testing extremely daunting and very expensive. Heyhack will automatically cover your entire portfolio.

3. One single place to store all documentation

Heyhack maintains records of all penetration tests conducted on your applications in one single place, making it easy to retrieve required documentation for audit purposes.

Integrating with leading security solutions

Heyhack natively integrates with leading security solutions in the domains of:
  • Security Information and Event Management (SIEM);
  • Security Orchestration, Automation, and Response (SOAR);
  • Extended Detection and Response (XDR);
  • Web Application Firewalls (WAF).
Heyhack is a registered partner with many of the leading providers in the industry and maintains technical integrations to automatically export results from penetration tests to SIEM, SOAR, and XDR solutions.
Moreover, Heyhack works with leading web application firewall providers to automatically remediate a range of issue types found in Heyhack's penetration tests. Integration with a WAF solution enables Heyhack to define precise rules that virtually patch found issues at the firewall layer.

Minimize your attack surface

Book a meeting with one of our security experts and learn how Heyhack can help you secure your web applications and services across your domains.
Put penetration testing on autopilot and immediately reduce your AppSec risk.
“Heyhack helps us gain a complete overview of the security of our application and patch vulnerabilities early.”
Søren Viuff
CPO of Openli