DORA Penetration Testing: TLPT Requirements for EU Financial Entities

The EU's Digital Operational Resilience Act (DORA) became fully applicable on January 17, 2025, and by 2026 its penetration testing requirements are one of the most consequential compliance expenses for in-scope financial entities. DORA doesn't just require a pentest — it requires, for the largest and most systemically important firms, a full threat-led penetration test (TLPT) that mirrors how a real nation-state adversary would attack the organization's critical functions. The scope, rigor, and cost of these engagements are meaningfully different from the annual application pentests most firms have done historically.

This guide explains what DORA requires for penetration testing, who is in scope for TLPT specifically, how TLPT engagements are run, how DORA aligns with the pre-existing TIBER-EU framework, and how to prepare an organization that's about to go through its first TLPT cycle.

What DORA Requires for Penetration Testing

DORA establishes two tiers of testing obligations for in-scope financial entities. The first tier, covering all in-scope entities, is the regular testing of ICT tools and systems. Chapter IV of DORA requires firms to conduct vulnerability assessments, scans, network security assessments, source code reviews, and scenario-based penetration testing as part of a documented testing programme. Annual application and network pentesting remain the baseline expectation.

The second tier, covering only significant financial entities, is advanced testing by means of threat-led penetration testing (TLPT). TLPT is the headline obligation and the part of DORA that materially raises the bar above what most firms have done historically. Article 26 defines TLPT and Article 27 sets requirements for the testers. The methodology closely tracks the European Central Bank's TIBER-EU framework, which has been the de facto standard for intelligence-led red teaming in European finance since 2018.

Who Is in Scope for TLPT?

Not every DORA-regulated firm has to run a TLPT. The regulatory technical standards specify that TLPT applies to financial entities that are identified by the competent authority as significant from an ICT risk perspective based on criteria including size, business profile, and systemic importance. In practice this covers the largest credit institutions, investment firms, payment and e-money institutions, central securities depositories, central counterparties, trading venues, and specific crypto-asset service providers.

Smaller firms in scope for DORA must still run regular penetration testing under Article 24, but are not required to conduct TLPT. Firms that are uncertain whether they are in scope for TLPT should confirm with their competent authority rather than assume. For many medium-sized regulated firms, the conservative approach is to prepare as if TLPT will eventually apply, because the methodology and control maturity improvements are valuable regardless.

Critical third-party ICT service providers (including major cloud providers) face their own separate DORA obligations administered by the European Supervisory Authorities, including testing requirements that cascade into the TLPT scope of their financial entity customers.

TLPT Methodology: How It Actually Runs

A TLPT engagement is fundamentally different from a standard pentest. It simulates an advanced persistent threat actor attacking the live production environment of a financial entity's critical or important functions, using threat intelligence specific to the target sector and geography. Engagements typically run six to twelve months end-to-end.

Preparation phase. The entity's control team (a very small group, usually the CISO, head of cyber defence, and legal counsel) scopes the engagement, identifies the critical or important functions to target, and engages both a threat intelligence provider and a red team provider. The scope is formally agreed with the competent authority.

Testing phase. The threat intelligence provider produces a targeted threat intelligence report describing the threat actors most likely to target the entity, their tactics, techniques, and procedures (TTPs), and specific attack scenarios to exercise. The red team then conducts a live, covert attack against the production environment, using the TTPs identified in the threat intel report. The entity's defensive teams (the blue team) are not informed — part of what TLPT measures is the real-world detection and response capability.

Closure phase. Once the red team has achieved the agreed objectives (or the allotted time has elapsed), the engagement is disclosed to the defensive teams and a replay workshop (sometimes called purple teaming) walks through every step of the attack, which detections fired, and which didn't. Remediation plans are documented and formally reported to the competent authority.

Our overview of red team vs. penetration testing covers how intelligence-led red teaming differs from standard pentesting in general.

TLPT vs. TIBER-EU

DORA's TLPT regime is methodologically aligned with TIBER-EU, the European Central Bank's Threat Intelligence-Based Ethical Red Teaming framework, and the regulatory technical standards on TLPT explicitly reference TIBER-EU principles. Firms that have already run TIBER-EU engagements will find DORA's requirements largely familiar. The key differences are that TIBER-EU is voluntary and coordinated through national central banks, while DORA TLPT is mandatory for significant firms and enforced by competent authorities. DORA also introduces additional requirements around tester qualifications (Article 27), cross-border coordination, and documentation for the competent authority.

In practice, a well-run DORA TLPT engagement can be designed to simultaneously satisfy both TIBER-EU and DORA requirements, allowing the entity to avoid duplicate effort.

Tester Qualifications under DORA

Article 27 places strict requirements on who can perform TLPT. External testers must demonstrate the highest ethical and technical standards, be certified by an accreditation body in a Member State, carry appropriate professional indemnity insurance, and have demonstrated experience conducting TLPT or equivalent intelligence-led exercises. Threat intelligence providers face parallel qualification requirements.

Internal red teams can perform TLPT under limited circumstances, subject to independence requirements and explicit supervisory consent. The practical reality is that most in-scope firms use external providers that hold CREST STAR, CBEST, or equivalent credentials and have demonstrated TIBER-EU experience.

Scope: What Gets Targeted

TLPT targets the critical or important functions of the financial entity — the services whose failure would materially impact the entity's core business or the broader financial system. The specific systems in scope are agreed between the entity's control team and the competent authority during the preparation phase.

Typical scope includes the production environments of core banking or trading platforms, customer-facing services at material volumes, the identity and access management infrastructure that protects those services, and the third-party integrations that support them. Out of scope typically are test environments, systems that do not support critical or important functions, and any activity that would impact customer funds or market integrity.

An important nuance is that the red team operates against the live production environment with real detection and response teams unaware of the test. This is a significant operational risk that must be managed carefully through the control team's out-of-band communication channel with the red team lead.

Frequency and Retesting

DORA requires TLPT at least every three years for in-scope firms, with the exact frequency set by the competent authority based on risk profile. Remediation from prior TLPT engagements must be documented and demonstrably implemented before the next cycle. The three-year cycle is meaningfully different from the annual pentesting cadence most firms have historically run, and the multi-year gap creates its own planning pressure: findings from one TLPT have to remain relevant and trackable for three years.

Standard Article 24 pentesting continues annually or as otherwise specified in the entity's testing programme, independent of the TLPT cycle. Our penetration testing frequency guide covers how to build a sustainable year-over-year cadence that satisfies multiple frameworks at once.

Preparing for a First TLPT

Firms that have not run intelligence-led red teaming before usually benefit from a preparation cycle that precedes the formal TLPT by twelve to eighteen months. The preparation activities that make the biggest difference:

Control team formation. Identify and train the small control team that will manage the engagement. This group carries significant confidentiality obligations — the rest of the organization, including the blue team, cannot know the test is happening.

Inventory of critical functions. Document which business services qualify as critical or important under DORA, which ICT systems support them, and which third parties are in the dependency chain. This is also a standard DORA Article 6 obligation, but it becomes acutely relevant for TLPT scoping.

Defensive capability baseline. Conduct a detection and response maturity assessment against MITRE ATT&CK so that the team knows its baseline before the red team arrives. Firms that do not have mature SOC tooling, EDR coverage, and identity detection should invest in those capabilities before the TLPT, not during it.

Run a non-DORA red team first. Many firms run one or two standard red team engagements before their first TLPT to shake out operational issues in the out-of-band communication, scope definition, and legal-review processes. The cost of a preparatory red team is small compared to the cost of a failed TLPT.

Third-party coordination. If critical functions rely on cloud providers or other third parties, coordinate the TLPT scope with them in advance. DORA's third-party provisions require contracts that contemplate testing obligations, but not every older contract has been updated.

For firms that run their own cloud workloads as part of critical functions, our cloud penetration testing guide covers the additional considerations that apply when the red team's scope crosses into a hyperscaler's shared-responsibility boundary.

Cost and Timeline

A full DORA TLPT engagement including threat intelligence, red team execution, replay workshop, and formal reporting typically runs $250,000–$900,000+ depending on scope, sector, and jurisdiction. Engagements take six to twelve months end-to-end, of which the active red team execution phase is usually ten to sixteen weeks. Threat intelligence and scoping each occupy a substantial portion of the calendar time before the red team even starts.

Firms that also run TIBER-EU or CBEST engagements can often amortize cost across regimes if the methodology is aligned during scoping.

Documentation and Reporting

DORA places heavy documentation obligations on TLPT engagements. The required deliverables include the targeted threat intelligence report, the red team test plan, the red team operational narrative, the detection and response assessment, the remediation plan, and a summary report to the competent authority. Firms should build documentation templates with their providers in the preparation phase rather than at report time.

How DORA Sits Alongside Other Testing Obligations

Many in-scope financial entities are simultaneously subject to SOC 2, ISO 27001, PCI DSS, and local regulatory pentest obligations. A well-designed testing programme can produce a single set of artifacts that satisfy multiple frameworks at once. Our overview of penetration testing for compliance walks through how to align scope across frameworks so that DORA's TLPT and annual Article 24 testing share evidence with other regimes wherever possible.

Getting Started

If your firm is in scope for DORA TLPT and has not yet engaged a provider, the conservative timeline is to begin provider selection eighteen months before your first scheduled test. For firms only subject to Article 24 standard testing, the baseline annual penetration test cadence is the starting point and should be treated as a precondition for any future TLPT work.

Penetration Testing Vendor runs DORA-aligned penetration testing and intelligence-led red team engagements with testers holding CREST, OSCE, and OSCP credentials and experience across EU financial entities. If you're preparing for a DORA TLPT cycle or need annual Article 24 testing, request a quote and we'll come back with a scoped proposal within one business day.
