Inside the Scope Specification Document: what goes in, what gets challenged
The SSD is the most operationally consequential artefact in a DORA TLPT engagement. What the RTS requires, where NCAs push back, and why drafts must start at T+3, not T+5.
The independent reference for designated EU financial entities preparing for their first TLPT cycle. What the regulation requires, what the phases involve, and what good preparation looks like. Anchored to the primary sources.
The Digital Operational Resilience Act, Regulation (EU) 2022/2554, replaced a patchwork of national rules and sector-specific guidance with a uniform standard for how regulated EU financial entities prepare for, withstand, respond to, and recover from ICT disruptions. It applies directly across all 27 Member States with no national transposition.
DORA covers 21 categories of financial entities, from credit institutions and payment institutions to crypto-asset service providers, insurers, fund managers, and audit firms. It also reaches their ICT third-party providers. It is built on five pillars. The third pillar, Digital Operational Resilience Testing, is where Threat-Led Penetration Testing lives.
DORA is structured across five substantive chapters. Each carries its own obligations and its own Regulatory Technical Standards. TLPT sits inside Pillar 3.
1. ICT risk management framework covering board-level accountability, asset classification, detection, response, and post-incident learning.
2. Mandatory detection, classification and reporting of ICT-related incidents, including major incidents and significant cyber threats, to the competent authority.
3. A two-tier testing regime: basic testing for all in-scope entities, and Threat-Led Penetration Testing (Article 26) for designated higher-risk entities.
4. Third-party risk framework covering due diligence, contractual rights, exit strategies, ongoing monitoring, and the ESA Oversight Framework for Critical Third-Party Providers.
5. A permissive framework for financial entities to share cyber threat intelligence with each other in compliance with competition and data protection law.
Real threat intelligence drives the scenarios. Testing runs on live production systems for at least 12 weeks. The Blue Team does not know it is happening. Once it ends, mandatory purple teaming converts the test into measurable defensive uplift, and the competent authority issues a formal attestation.
Read Articles 26 and 27 in full
DORA Article 26 requires designated EU financial entities to conduct a Threat-Led Penetration Test (a structured adversary simulation using real threat intelligence against live production systems) at least every three years. The first cycle must be completed by 17 January 2028.
Findings are summarised to the competent authority; a formal attestation enables mutual recognition across EU jurisdictions. Non-compliance is subject to administrative penalties set by Member State law, with turnover-based ceilings ranging from 5% (Spain) to 10% (Sweden).
From the moment your competent authority issues the notification letter, you are on a regulated clock. Open any phase for the detail and operational artefacts.
A limited number of TIBER and DORA-accredited red team and threat intelligence providers face concentrated demand into 2027. What designated entities should do about it now.
A programme manager's view of the regulatory clock. What to do in the 3 months between notification and your initiation documents, and the 6 months to your SSD.