The Digital Operational Resilience Act (DORA) is an EU regulation that establishes a comprehensive framework for managing ICT risk in the financial sector. DORA aims to ensure that all financial entities can withstand, respond to and recover from all types of ICT-related disruptions and threats.[1] The regulation harmonizes digital resilience requirements across the EU, eliminating fragmentation and raising the bar for cyber and operational preparedness.
On June 18, 2025, the new Commission Delegated Regulation (EU) 2025/1190 was published in the Official Journal, supplementing Article 26 of DORA and setting Regulatory Technical Standards (RTS) for Threat-Led Penetration Testing (TLPT)[2]. Twenty days later, on July 8, 2025, these standards became directly applicable across all EU Member States. This marks a turning point in how financial entities are expected to validate their cybersecurity preparedness.
What are RTS and TLPT Under DORA?
As part of its implementation, DORA is supported by Regulatory Technical Standards (RTS), which provide detailed guidance on how to comply with the regulation’s requirements. One of the most significant RTS is Threat-Led Penetration Testing (TLPT). It represents a major shift from traditional security assessments. Instead of routine penetration testing, it uses a dynamic, intelligence-driven simulation where testers replicate the tactics, techniques, and procedures (TTPs) of advanced cyber adversaries. This method recognizes that attackers are constantly adapting to exploit emerging vulnerabilities. By incorporating the latest threat intelligence, TLPT scenarios reflect current attack patterns, moving beyond static models to provide a more realistic and resilient defense test.[3]
This simulation enables financial entities and critical ICT providers to better understand how their systems would withstand real-world threats. It ensures that security teams are not only testing individual components but also validating the entire operational resilience of the organization.
Drawing from frameworks such as TIBER-EU[4] the TLPT model emphasizes realistic attack simulation, Red Teaming, and threat intelligence to replicate adversaries’ behavior as closely as possible. This approach moves cybersecurity testing from being a box-checking exercise to a true test of organizational defense under fire.[5]
Entities subject to DORA, ranging from major banks and insurers to crypto service providers and ICT vendors supporting critical services, are now required to perform TLPT at least once every three years, unless otherwise specified by their national competent authority.[6]
Key Stakeholders and Their Roles in TLPT Execution
The TLPT involves several key stakeholders with distinct roles. The TLPT Cyber Team is the regulator’s internal group responsible for overseeing the test, requiring at least two test managers.
Within the financial entity, the Control Team manages the entire testing process, coordinates with the regulator, handles external providers, and maintains strict confidentiality by operating with a limited number of members.
The entity’s defensive security unit, known as the Blue Team, remains unaware of the test until the active phase concludes to ensure realistic conditions. An external Threat Intelligence (TI) Provider develops realistic attack scenarios based on current cyber threats. These scenarios serve as the blueprint for the Red Team, which conducts the simulated attacks and may include internal or external testers. However, frameworks differ on the use of internal testers; DORA permits it under strict conditions, while TIBER-EU currently prohibits it, a divergence expected to be resolved soon.[1]
| Team/Role | Responsibility |
| --- | --- |
| Threat Intelligence (TI) Provider | Designs realistic attack scenarios based on current cyber threats and adversary TTPs. |
| Red Team | Executes the simulated attacks according to the scenarios developed by the TI Provider. |
| Blue Team | Defends the organization’s systems without prior knowledge of the test; focuses on detection, response, and mitigation. |
Together, these teams ensure that TLPTs are conducted thoroughly, securely, and effectively.
Key Phases of a TLPT Under DORA
The TLPT lifecycle under DORA consists of several clearly defined phases.
- Preparation Phase
The TLPT lifecycle begins with the preparation phase, where a control team is formed to coordinate the exercise, define the scope and systems to be tested, set communication protocols and ensure all elements are approved by the competent TLPT authority.
- Testing Phase
After preparation, the testing phase begins with two parts: threat intelligence development and Red Team operations. The TI Provider creates realistic scenarios targeting critical functions, from which three are selected and approved by the TLPT authority. These scenarios guide covert Red Team attacks on live systems over at least 12 weeks.
- Closure Phase
The closure phase begins after testing, with the Red Team reporting attacks, vulnerabilities, and breaches. The Blue Team reviews this report, assessing detection and response. Then, a purple teaming exercise follows, where both teams analyze results and develop joint remediation strategies.
The control team then submits a final report and remediation plan, detailing fixes, responsible staff, and risk analysis for any unresolved vulnerabilities. Upon approval, the competent authority issues a TLPT certificate that confirms compliance and ensures mutual recognition across EU jurisdictions.[8]
Who is Required to Perform TLPTs?
Not every financial entity is automatically required to carry out TLPTs under DORA. Instead, the regulation targets institutions that play a significant role in the financial system. The starting point for identifying these entities is Article 2 of the draft Regulatory Technical Standards (RTS) issued by the European Supervisory Authorities (ESAs). Some of the institutions required to conduct regular TLPTs include:
- Systemically Important Institutions – First on the list are credit institutions classified as systemically important. These include both Global Systemically Important Institutions (G-SIIs) and Other Systemically Important Institutions (O-SIIs), as well as those that are part of a G-SII or O-SII group. Their impact on financial stability justifies heightened testing requirements.
- Payment and Electronic Money Institutions – Payment institutions and electronic money institutions also fall within the scope, provided their operations exceed certain thresholds. Specifically, any institution that has processed more than EUR 120 billion in total payment transactions in each of the previous two financial years is included. Electronic money institutions may also qualify based on a lower threshold of EUR 40 billion in outstanding e-money.
- Financial Market Infrastructures – Central securities depositories and central counterparties are included due to their foundational role in post-trade services. Trading venues with electronic systems must also carry out TLPTs if they meet specific criteria: either holding the largest national market share in financial instruments or exceeding a 5% market share at the EU level over the last two years. For trading venues within the same corporate group, aggregated EU turnover is taken into account.
- Insurance and Reinsurance Undertakings – Insurance and reinsurance companies are subject to TLPT obligations if they meet a series of cumulative conditions. They must have exceeded EUR 500 million in Gross Written Premiums (GWP) for the past two years and fall within the top 10% of premium distribution in their Member State. Their inclusion is further contingent on holding total assets equal to or greater than 10% of the national total for their line of business, as defined under Solvency II rules.
- Additional Designations by Authorities – National competent authorities have the discretion to require other financial entities, beyond those explicitly listed, to undergo TLPTs. These decisions are based on risk factors, market impact, and operational dependencies, as outlined in Article 2(3) of the ESA’s draft RTS.
Why TLPT is Here to Stay
TLPT under DORA marks a significant shift in how cyber resilience is measured in the European financial ecosystem. It challenges organizations not only to meet technical controls but also to demonstrate operational effectiveness under attack conditions.
While the process demands significant investment, coordination, and cultural change, the benefits are substantial: enhanced preparedness against sophisticated cyber threats, stronger governance, and greater trust from regulators, customers, and markets alike. As cyber risks continue to escalate globally, TLPT positions financial entities not just to defend against attacks but to anticipate and adapt, ensuring the stability and integrity of the European financial system well into the future.
As TLPT becomes an operational reality, organizations must ensure not only technical readiness but also a thorough understanding of regulations. Our DORA training programs equip professionals with the knowledge to navigate this evolving landscape with confidence.
Sources:
[1] Digital Operational Resilience Act (DORA) – EIOPA
[2] Delegated Regulation (EU) 2025/1190 – EN – EUR-Lex
[3] Threat-Led Penetration Testing: A proactive approach to cybersecurity – Deloitte Luxembourg, Future of Advice
[4] TIBER-EU is a European framework for threat intelligence-based ethical red-teaming. It provides comprehensive guidance on how authorities, entities, threat intelligence providers and red-team testers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks.
[5] DORA: Everything About Threat-Led Penetration Testing (TLPT)
[6] Ibid.
[7] DORA: Everything About Threat-Led Penetration Testing (TLPT)
[8] Ibid.