Who needs to perform DORA TLPT?
Not every DORA-regulated entity has to perform a TLPT. The obligation under Article 26 applies only to a designated subset of entities identified by the competent authority based on systemic importance, financial-stability impact, and ICT risk profile.
The three designation factors.
Article 26(8) of DORA directs the competent authority to identify entities for TLPT based on three factors:
- Impact: the extent to which the entity's services impact the financial sector.
- Financial-stability concerns: systemic character at Union or national level.
- ICT risk profile: the entity's specific ICT risk profile, level of ICT maturity, and technology features.
Categories most likely to be designated
Based on regulatory guidance and supervisory signals to date, the following profiles should assume they are likely to be designated:
- Global Systemically Important Institutions (G-SIIs). Effectively automatic designation.
- Other Systemically Important Institutions (O-SIIs). Generally expected to be designated.
- SSM Significant Institutions under ECB direct supervision. Must use external testers under Article 27.
- Large payment institutions above the transaction-volume threshold set by the RTS. The exact figure is set in Commission Delegated Regulation (EU) 2025/1190. If your transaction volumes are anywhere near the threshold range, treat designation as likely and begin programme planning now.
- Electronic money institutions above comparable transaction thresholds.
- Other entities designated at NCA discretion based on risk profile.
Designation is not threshold-driven alone. Even if an entity does not meet a published threshold, the competent authority may still designate it based on ICT risk profile, operational dependencies, or systemic importance.
If you receive a notification letter
A formal notification from your competent authority starts the regulated clock. The RTS sets two early deadlines:
- High-level project plan, Control Team Lead appointment, communication protocols.
- Critical or important functions (CIFs) in scope, underlying ICT systems, third-party services, and flag definitions. Flags are specific objectives the red team must reach, for example accessing the payment rail or exfiltrating customer data. Validated by the competent authority.
Tester requirements.
Once designated, the entity must procure testers that satisfy Article 27. The key requirements:
- (a) Highest suitability and reputability.
- (b) Demonstrable capability in threat intelligence, penetration testing and red team testing.
- (c) Certification by an accreditation body in a Member State or adherence to formal codes of conduct verified by a national body. CREST accreditation is widely recognised.
- (d) Independent assurance, or an audit report, that risks associated with TLPT are soundly managed, including protection of confidential information.
- (e) Professional indemnity insurance covering misconduct and negligence. Non-negotiable.
The threat intelligence provider must always be external. The red team provider may be internal for up to two of every three cycles. SSM significant credit institutions must always use external red teams.
If you are an ICT third-party provider drawn into scope
Article 26(2) requires designated entities to identify the ICT systems supporting their critical or important functions, including those provided by third parties. Article 30 requires DORA-compliant contracts to include obligations for ICT third-party providers to cooperate in TLPT. If a designated financial entity informs you that your services are in scope of their test, what follows is operational:
- The financial entity retains regulatory responsibility. You are a participant, not a co-tested entity.
- You do not receive the full red team report. You may receive a summary relevant to the services tested.
- For shared infrastructure (typically hyperscale cloud), Article 26(4) allows a pooled TLPT covering multiple participating entities. This avoids unrestricted access to shared environments.
- Expect contact from the entity's Control Team. Engage Legal and your own risk function early.
If you are a Critical Third-Party Provider designated under DORA, the ESA Oversight Framework also applies and your obligations are broader than participation in a client's TLPT. The first list of 19 Critical Third-Party Providers was published by the ESAs in November 2025.