DORA in five pillars.
Regulation (EU) 2022/2554 became directly applicable on 17 January 2025. It applies across all 27 EU Member States, reaches 21 categories of financial entities, and is structured around five pillars. Threat-Led Penetration Testing lives inside Pillar 3.
Each pillar is summarised below: the chapter, the article range, and what the regulation actually requires. Pillar 3 contains Threat-Led Penetration Testing (TLPT).
ICT Risk Management
Financial entities must maintain an ICT risk management framework covering governance, asset identification and classification, protection and prevention controls, detection capability, response and recovery, and post-incident learning. Article 5 places ultimate responsibility on the management body. Article 16 provides a simplified regime for certain smaller entities (some payment institutions, e-money institutions and small investment firms); this matters beyond Pillar 1, because whether an entity falls under the simplified regime is also a factor in TLPT designation.
ICT Incident Management & Reporting
Entities must classify, manage, and report ICT-related incidents. DORA distinguishes ICT incidents from major ICT incidents (only the latter trigger mandatory reporting to the competent authority) and introduces voluntary notification of significant cyber threats. Reporting of a major incident is staged: an initial notification, an intermediate report, and a final report. The standardised templates for each stage are set by Implementing Technical Standards developed by the ESAs.
Digital Operational Resilience Testing
DORA creates a two-tier resilience testing regime. Article 25 (basic testing) applies to all in-scope entities and includes vulnerability assessments, scenario-based tests, gap analyses, and standard penetration tests. Article 26 (TLPT) applies only to a subset of entities designated by the competent authority on the basis of systemic importance and ICT risk profile. A TLPT must be performed on live production systems supporting critical or important functions, driven by real threat intelligence, and carried out by testers meeting the requirements of Article 27. This pillar is the substantive subject of this site.
Threat-Led Penetration Testing is the most demanding obligation under Pillar 3. It applies to designated entities only, must be performed on live production systems, and is governed by Commission Delegated Regulation (EU) 2025/1190.
Managing ICT Third-Party Risk
Entities must implement a third-party risk management framework covering pre-contractual due diligence, the mandatory contractual provisions of Article 30 for ICT services supporting critical or important functions, documented exit strategies, and continuous monitoring. The ESAs may designate certain ICT third-party providers as Critical Third-Party Providers (CTPPs) and subject them to direct EU-level oversight. The first list of 19 CTPPs, including the major cloud hyperscalers, was published in November 2025.
Information Sharing Arrangements
Article 45 explicitly permits and encourages financial entities to enter into arrangements to share cyber threat intelligence among themselves: indicators of compromise; tactics, techniques and procedures; and cybersecurity alerts. Such arrangements must operate consistently with competition law and applicable data protection rules. This pillar enables, but does not mandate, sector intelligence sharing.
What every CISO should know.
1. DORA applies directly across the EU, with no national transposition. Compliance has been live since 17 January 2025.
2. There is no general size threshold for being in scope. Small investment firms and global banks are both bound.
3. Basic resilience testing applies to every entity. TLPT applies only to a designated subset, typically G-SIIs, O-SIIs, SSM significant institutions, and large payment and e-money firms.
4. Major ICT incidents must be reported. ICT third-party contracts supporting critical or important functions must follow Article 30. The first 19 Critical Third-Party Providers were named in November 2025.
5. Administrative penalties under Article 50 are set by Member State law, not by DORA itself. Turnover-based ceilings vary across the EU from 5% (Spain) to 10% (Sweden); absolute ceilings range from EUR 2m (Czech Republic) to EUR 20m (Italy).