DORA Threat-Led Penetration Testing: TLPT Requirements

  • DORA
  • Gabriel Few-Wiegratz
  • Published: 27th May 2026

Highlights
  1. DORA Articles 25–27 require significant financial entities to conduct TLPT at least every three years against live production systems.
  2. TLPT uses real threat intelligence to simulate credible adversary attacks. Staged environments and standard vulnerability scans do not qualify.
  3. The TIBER-EU framework (developed by the ECB) is the recognised methodology for DORA TLPT compliance across EU member states.
  4. Most first-cycle TLPT programmes run around six months from preparation to regulatory certification, with provider costs often exceeding £200,000.
  5. Entities with prior TIBER-EU or equivalent tests may apply to have those recognised under DORA, subject to competent authority approval under Article 26(7).
Expert View

Matt Davies, Chief Product Officer, SureCloud

What our experts say about DORA TLPT preparation

"The institutions that struggle most with TLPT treat it as a security exercise rather than a governance obligation. Getting internal sign-off to run a covert red team attack against live production systems is harder than most teams expect. Board-level engagement on scope decisions, before testing begins, is what separates programmes that complete on time from those that stall."

Key Facts
  1. Applies to: Significant financial entities designated by competent authorities under DORA Article 26(1).
  2. Frequency: At least every three years.
  3. Methodology: TIBER-EU framework (ECB), aligned to the DORA TLPT RTS (Commission Delegated Regulation (EU) 2025/1190, applicable from 8 July 2025).
  4. Scope requirement: Live production systems supporting critical or important functions. Staging environments do not qualify.
  5. Provider requirements: Independent threat intelligence provider and a separate red team provider, both meeting DORA TLPT competency requirements.
  6. Post-test obligations: Outcomes reported to competent authority; certificate of completion required.
  7. Prior tests: Entities with prior TIBER-EU or equivalent tests may apply for recognition under Article 26(7) and the DORA TLPT RTS.

What TLPT Is and Why It Matters Under DORA

Standard penetration testing covers vulnerability scanning, network testing, and application security assessments. It tests whether known vulnerabilities exist in defined systems. TLPT operates on a fundamentally different premise.

The Digital Operational Resilience Act establishes TLPT as a mandatory requirement for significant financial entities under Articles 25 to 27. The term 'significant' is defined by reference to criteria applied by competent authorities, with the DORA TLPT RTS setting out the specific thresholds. Not every financial entity in scope for DORA will be required to conduct TLPT, but for those that are, it is a mandatory obligation with a minimum three-year cycle.

The underlying rationale is that standard ICT resilience testing does not adequately replicate the threat environment facing systemically important financial institutions. TLPT addresses this by commissioning actual threat intelligence about the institution's specific threat profile, then using that intelligence to design and execute a red team attack. The result is a test of detection and response capability against credible, targeted attacks, measured against the institution's actual threat profile rather than a catalogue of known vulnerabilities.

TLPT vs Standard Penetration Testing: The Key Differences

| Dimension | Standard Penetration Testing | DORA TLPT |
|---|---|---|
| Scope | Defined technical scope: specific applications, networks, or systems. | Live production systems supporting critical or important functions. No staging environments permitted. |
| Methodology | Vulnerability-based: identifies and exploits known weaknesses. | Intelligence-led: uses real threat intelligence to simulate credible adversary TTPs (tactics, techniques, procedures). |
| Red Team | Internal team or standard security consultancy. | Specialised external red team provider meeting DORA TLPT provider requirements. |
| Duration | Days to weeks. | Months: around six months from preparation to completion. |
| Third-party involvement | Usually limited to the entity's own systems. | May include ICT third-party providers supporting critical functions. |
| Regulatory reporting | Not required. | Outcomes reported to competent authority; certificate of completion required. |
| Frequency | Organisation-determined. | At least every three years (DORA Article 26(1)). |
| Cost | Low to moderate (£10,000–£50,000 for most engagements). | Significant: £200,000 or more, depending on scope and provider. |

The TIBER-EU Methodology

DORA's TLPT requirements are explicitly aligned to the TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) framework, developed by the European Central Bank. All TLPT conducted under DORA must follow TIBER-EU methodology or a recognised equivalent, and the DORA TLPT RTS sets out the specific requirements that bring TIBER-EU compliance within the DORA framework.

Understanding TIBER-EU is essential for any institution approaching DORA TLPT compliance. The framework operates across three phases.

Phase 1: Preparation (approximately two months)

The preparation phase establishes the governance structure for the test. A TLPT Cyber Team (TCT) is formed, including representatives from the CISO function, technology risk, and compliance. The TCT is responsible for scoping the test, selecting and contracting providers, managing the test process, and liaising with the competent authority throughout.

Critically, the scope must include live production systems. DORA Article 26(2) explicitly prohibits substituting test environments or staging systems for live production infrastructure. Any function designated as critical or important must be tested in its live state.

Competent authority involvement begins at this stage. Most TIBER-EU implementations require notification to and coordination with the relevant supervisory authority ahead of the test, and the competent authority may review and approve the scope before testing commences.

Phase 2: Testing (approximately three months)

The testing phase runs two concurrent workstreams. An independent threat intelligence provider develops a Targeted Threat Intelligence (TTI) report: a detailed analysis of the real adversary threats facing the institution, the tactics those adversaries use, and the specific functions most likely to be targeted.

Separately, the red team uses the TTI report to design and execute a simulated attack against the institution's live production systems. The attack is covert: the institution's defensive (blue team) functions are not informed, so the test measures genuine detection and response capability rather than rehearsed responses.

The separation of the threat intelligence provider and the red team provider is a TIBER-EU governance requirement, designed to prevent conflicts of interest and maintain the integrity of the intelligence underpinning the test. Both providers must meet the competency and independence requirements set out in the DORA TLPT RTS.

Phase 3: Closure (approximately one month)

The closure phase involves a structured debrief between the red team and the blue team, a 'purple team' exercise in which the red team reveals its attack paths, tools, and techniques. The blue team can then assess which elements of the attack were detected, which were missed, and what control gaps the exercise has exposed. A prioritised remediation plan is produced.

The completion of TLPT must be certified by the competent authority. DORA Article 26(7) requires the entity to notify the relevant authority of TLPT completion and provide documentation of the test outcomes and remediation plan. The competent authority issues a certificate of completion, which the institution must retain as regulatory evidence.

Which Entities Are Required to Conduct TLPT?

DORA Article 26(1) establishes that financial entities are subject to TLPT based on their maturity, size, and overall risk profile. The competent authority makes the designation; the entity does not self-select. The DORA TLPT RTS sets out the criteria competent authorities apply.

Key factors in the designation determination include: whether the entity has been identified as systemically important; the scale and criticality of its ICT infrastructure; its ICT risk profile, including exposure to threat actors and sensitivity of the data it processes; and whether it has previously conducted TIBER-EU or equivalent tests.

Entities that have already conducted TIBER-EU or equivalent tests may apply to have those recognised as satisfying part of the DORA TLPT obligation. Article 26(7) and the DORA TLPT RTS set out the conditions that apply, including recency of the test, scope coverage, and competent authority approval. Institutions with prior tests should engage their competent authority early to determine whether recognition is available before commissioning a fresh TLPT exercise.

Entities that do not meet the threshold for mandatory TLPT may still be required by their competent authority to conduct TLPT in specific circumstances, and may voluntarily elect to do so as part of a mature resilience testing programme.

Third-Party Provider Involvement in TLPT

One of the most complex operational challenges in DORA TLPT is the involvement of ICT third-party providers. Where a critical or important function depends on an ICT third-party provider, that provider's systems and infrastructure may fall within the TLPT scope.

DORA Article 26(3) addresses this directly: where a red team exercise targets a function that relies on ICT third-party providers, those providers may be required to participate in the test. The financial entity is responsible for ensuring its third-party contracts include the access and cooperation rights needed to fulfil this obligation.

In practice, review ICT third-party contracts ahead of TLPT scoping to confirm resilience testing access rights are in place. Coordinate with critical ICT third-party providers during the preparation phase to agree test parameters, notification protocols, and any constraints on their participation. Cloud hyperscalers and major infrastructure providers may have their own TIBER-EU or equivalent test outcomes available; DORA permits use of consolidated testing outcomes where governance conditions are met.

The contractual provision requiring ICT third-party cooperation in resilience testing is Article 30(3)(d). Institutions that have not yet reviewed their contracts against this requirement should do so well in advance of TLPT scoping, as renegotiating access rights with major providers can take time.

How to Commission a DORA TLPT

Step 1: Determine whether TLPT is required

Engage with your competent authority to confirm whether your institution has been designated as required to conduct TLPT under DORA Article 26. If you have previously conducted TIBER-EU or equivalent testing, assess whether recognition under Article 26(7) is available. SureCloud's DORA compliance checklist covers all mandatory DORA obligations and can help your team assess overall readiness alongside the TLPT requirement.

Step 2: Establish the TLPT Cyber Team

Form the internal governance team for the test. The TCT includes the CISO, Head of Technology Risk, and a senior representative from compliance or legal. The TCT owns the test from scoping through to regulatory closure and is the primary interface with the competent authority and external providers.

Step 3: Select providers

Select a threat intelligence provider and a red team provider separately. TIBER-EU governance requires they are independent of each other. Both must meet the competency requirements set out in the DORA TLPT RTS; verify credentials and prior TIBER-EU experience before contracting. Allow eight to twelve weeks for procurement, due diligence, and contracting.

Step 4: Scope the test

Define which critical or important functions are in scope, confirm production system access arrangements, and notify any required ICT third-party providers. Scope documentation must be agreed with the competent authority before testing begins in most jurisdictions. Inadequate scoping is the most common reason for TLPT delays at this stage.

Step 5: Execute the test

The threat intelligence provider develops the TTI report concurrently with early red team reconnaissance. The red team then executes against the live production systems, with the blue team unaware. The testing phase runs for around three months, though this varies with scope complexity.

Step 6: Purple team debrief and remediation planning

Conduct the structured red team and blue team debrief. Produce a prioritised remediation plan and begin remediation of critical findings immediately. Remediation findings from TLPT should feed directly into your operational resilience programme, updating control effectiveness ratings, resilience test records, and the ICT risk register accordingly.

Step 7: Regulatory closure

Submit TLPT completion notification to the competent authority and obtain the DORA-required certificate of completion. Where the test was conducted under TIBER-EU, notify the relevant national competent authority under that framework simultaneously. Retain all test documentation, remediation records, and correspondence as evidence for regulatory examination.

Budget and Timeline Expectations

TLPT is one of the most resource-intensive compliance obligations under DORA. Realistic planning parameters for a first DORA TLPT are set out below.

| Phase | Duration | Key Activities | Cost Driver |
|---|---|---|---|
| Preparation | ~2 months | TCT formation; scoping; authority notification; provider selection and contracting; third-party coordination. | Internal staff time; legal and contracting costs; initial provider fees. |
| Threat Intelligence | ~2 months (concurrent with early red team) | TTI report development by independent threat intelligence provider. | Threat intelligence provider fees: £30,000–£60,000. |
| Red Team Execution | ~3 months | Active red team attack simulation against live production systems. | Red team provider fees: £120,000–£250,000+ depending on scope. |
| Closure and Remediation | ~1 month | Purple team debrief; remediation plan; regulatory reporting and certification. | Internal staff time; remediation investment (variable, can be substantial if significant findings). |
| Total | ~6 months | | Provider fees for threat intelligence and red team phases combined: £150,000–£310,000+. Preparation, closure, internal resource time, and remediation investment are additional and vary by scope. |

What Regulators Expect After the Test

DORA Article 26(6) establishes a series of post-TLPT obligations. The financial entity must produce and submit a final TLPT report documenting the test methodology, findings, and remediation actions to the competent authority; demonstrate that remediation of identified vulnerabilities has been initiated and in most cases substantially completed within a defined timeframe; and retain documentation of TLPT outcomes and competent authority correspondence for regulatory examination.

Regulators assess not just whether TLPT was conducted, but whether findings were acted on. What supervisors scrutinise is whether the institution took the results seriously: whether remediation plans are detailed and tracked, whether critical findings were escalated to the management body, and whether the TLPT cycle is integrated into the institution's ongoing resilience programme rather than treated as a standalone compliance exercise.

ESA supervisory guidance makes clear that institutions are expected to demonstrate active engagement with TLPT findings at board level. A TLPT report that identifies significant control weaknesses without a corresponding management body response is itself a supervisory concern.

Ready to build a DORA-compliant TLPT programme?

SureCloud's operational resilience capabilities support DORA TLPT readiness from scoping through to regulatory closure, with evidence management built for competent authority examination. Speak to the team about a DORA readiness assessment: request a demo.

FAQs

Is every financial institution covered by DORA required to conduct TLPT?

DORA Articles 25–27 establish TLPT as a tiered requirement. All financial entities in scope for DORA must conduct some form of digital operational resilience testing, but TLPT applies specifically to significant entities designated by competent authorities. The designation criteria are set out in the DORA TLPT RTS. Institutions should confirm their status directly with their competent authority rather than relying on self-assessment alone.

What is the difference between TLPT and TIBER-EU?

TIBER-EU is the European Central Bank's framework for intelligence-led red team testing of financial institutions, developed before DORA came into force. DORA's TLPT requirements were explicitly designed to align with TIBER-EU, which means that a TIBER-EU-compliant test conducted in accordance with the DORA TLPT RTS will satisfy the DORA TLPT obligation. The RTS bridges any gaps between the two frameworks. For most institutions, TIBER-EU methodology is the practical route to DORA TLPT compliance.

Can we use a previous TIBER-EU test to satisfy DORA's TLPT requirement?

In some circumstances, yes. Article 26(7) and the DORA TLPT RTS provide that entities which have already conducted TIBER-EU or equivalent tests may apply to have those tests recognised as satisfying part of the DORA obligation, subject to conditions including recency of the test, scope coverage relative to DORA requirements, and competent authority approval. Institutions with prior TIBER-EU tests should engage their competent authority early to assess whether recognition is available before commissioning a new exercise.

What happens to TLPT findings that involve ICT third-party providers?

Where TLPT testing identifies vulnerabilities or weaknesses in systems operated by ICT third-party providers, those findings must be shared with the relevant provider and included in the institution's remediation plan. DORA Article 27 sets out requirements for TLPT providers, and Article 30(3)(d) requires contracts with critical ICT third-party providers to include cooperation rights for resilience testing. Findings that implicate a third party should be escalated through the institution's third-party risk management framework as well as the standard TLPT remediation process.

How should TLPT outcomes be reported to the board?

TLPT outcomes should be reported to the management body in a governance-framed summary. The board needs to understand what was tested, what the red team found, how severe the findings are, what remediation has been committed to and on what timeline, and whether the findings indicate systemic control weaknesses requiring board-level action. Article 5(2) requires that the management body is regularly informed about ICT risk; TLPT findings fall squarely within this obligation. The full technical report produced for the competent authority should be available to the board on request but need not form part of the standing board pack.