DORA Threat-Led Penetration Testing (TLPT): Articles 26–27 Requirements, Scope Criteria, and the TIBER-EU Pathway
FinancialRegulations.EU Team
Regulatory Intelligence
Threat-Led Penetration Testing (TLPT) is the most demanding operational resilience test that DORA requires. Under Articles 26 and 27 of DORA (Regulation (EU) 2022/2554), financial entities identified by their competent authority must carry out TLPT at least every three years, subjecting their live production systems, including the ICT services that third-party providers deliver in support of critical or important functions, to simulated attacks built on current threat intelligence about how adversaries target the financial sector.
TLPT is not an IT security audit and it is not a standard penetration test. It is a structured, intelligence-led red team exercise that tests whether an institution's detection and response capabilities work under realistic attack conditions, with the defenders unaware that a test is running. For the entities their competent authority identifies, DORA makes it mandatory, not optional.
This guide covers which entities must conduct TLPT, how the test must be structured, the rules on internal versus external testers, what the RTS requires at each phase, and how DORA TLPT relates to the TIBER-EU framework that many EU institutions already know.
Who Must Conduct DORA TLPT?
DORA does not require every financial entity to perform TLPT. Article 26(1) excludes microenterprises and entities under the simplified ICT risk management framework of Article 16 outright; for everyone else it is the competent authority that decides who is in scope. Article 26(8), together with the RTS on TLPT, creates a two-tier approach:
Mandatory Identification Criteria
The RTS on TLPT (Commission Delegated Regulation (EU) 2025/1190) turns the identification duty into concrete criteria: the largest entities in each category, including credit institutions that are global systemically important institutions (G-SIIs) under CRR/CRD, are identified on size-based criteria, while the remainder are assessed by the NCA against the qualitative factors in Article 26(8), read with the proportionality principle of Article 4(2):
- Impact-related factors: the extent to which the entity's services and activities affect the financial sector, for example payment, clearing or settlement services that market infrastructure depends on
- Financial stability concerns, including the systemic character of the entity at Union or national level: size, market share, interconnectedness with other financial institutions
- Specific ICT risk profile, level of ICT maturity and technology features: the entity's threat landscape, the maturity of its detection and response capabilities, and its history of ICT incidents
Discretionary Inclusion
NCAs retain discretion to include or exclude entities based on a proportionality assessment. Smaller institutions with less complex ICT environments and limited systemic importance are unlikely to be identified. Credit institutions, investment firms, trading venues, central counterparties (CCPs), central securities depositories (CSDs), insurance undertakings, payment institutions and electronic money institutions above the thresholds set in the RTS are the primary candidates.
Practical implication: Entities that do not know whether they are in scope should assume they may be, if they are a major bank, insurance undertaking, large investment firm, CCP, or CSD. Contact your NCA to confirm.
Frequency
Article 26(1) sets the baseline at once every three years. Depending on the entity's risk profile and operational circumstances, the competent authority may request that this frequency be increased or, where justified, reduced.
TLPT vs. Standard Penetration Testing
Understanding the distinction matters for planning and budgeting:
| Aspect | Standard Penetration Test | DORA TLPT |
|---|---|---|
| Scope | Defined systems or applications | Live production systems; full ICT estate |
| Basis | Known vulnerabilities, OWASP methodology | Real threat intelligence on how adversaries target this institution/sector |
| Team | External vendor, standalone | Red team working covertly, with the blue team brought in for purple teaming in the closure phase |
| Notification | Typically disclosed to IT team | Controlled knowledge: only the control team (white team) and the authority know |
| ICT third parties | Usually excluded | Providers supporting in-scope critical or important functions must participate (Article 26(3)); pooled testing possible (Article 26(4)) |
| NCA involvement | None | The TLPT authority validates the scope, receives the reports and issues an attestation |
| Duration | Days to weeks | Several months (preparation, threat intelligence, red team testing, closure) |
| Output | Vulnerability report | Red team and blue team reports, remediation plan, test summary report and the authority's attestation |
The intelligence component is what distinguishes TLPT. Tests must be based on Threat Intelligence (TI) produced by a threat intelligence provider external to the financial entity (Article 27(2)(c) requires this whenever the red team is internal, and TIBER-EU requires it in every case), a vendor that researches how specific threat actors (organised crime, state-sponsored groups) actually target EU financial institutions. That intelligence shapes the red team's attack scenarios, so the test reflects realistic risks rather than generic technical vulnerabilities.
TIBER-EU and DORA TLPT: How They Relate
Many EU financial institutions, particularly those supervised by the ECB under the SSM and those operating financial market infrastructure, are already familiar with the TIBER-EU framework. TIBER-EU (Threat Intelligence-Based Ethical Red-Teaming for the EU) was developed by the ECB together with national central banks, published in May 2018, and has since been adopted through national implementations across the EU.
DORA TLPT and TIBER-EU are aligned by design. Article 26(11) instructs the ESAs to draft the TLPT RTS "in accordance with the TIBER-EU framework"; the resulting RTS (Commission Delegated Regulation (EU) 2025/1190) was written to be compatible with it, and the ECB updated TIBER-EU in February 2025 to align it with DORA. The practical effect:
- An institution that has conducted a TIBER-EU test under the framework's requirements can use that test to fulfil the DORA TLPT obligation, provided the test covered the scope and met the requirements in the RTS
- TIBER-EU tests conducted after 17 January 2025 (DORA application date) under an NCA that has adopted the TIBER-EU framework aligned to the DORA RTS will count toward the three-year cycle
- The TIBER-EU guidance documents (white team, threat intelligence and red team guidance) have been updated to align with DORA
Institutions in countries where the central bank or NCA runs a national TIBER implementation (for example the Netherlands with DNB, Germany with Bundesbank/BaFin, France with ACPR/Banque de France and Luxembourg with BCL/CSSF, alongside the ECB for SSM-supervised institutions; most euro area and several other EU/EEA jurisdictions have one) should engage with their NCA on the TIBER-EU/DORA pathway.
TLPT Phases: What the RTS Requires
The RTS structures every TLPT into three phases: a preparation phase (scoping and procurement), a testing phase (threat intelligence followed by red team testing) and a closure phase (reporting, purple teaming and remediation). For planning purposes this guide breaks them into five steps:
Phase 1: Scoping
Article 26(2) requires each TLPT to cover several or all critical or important functions of the financial entity, as identified under its ICT risk management framework (Articles 6 and 8 of DORA), and to run on live production systems. The entity proposes the scope, including the underlying ICT systems, processes and technologies that support those functions, and the TLPT authority validates it; leaving a critical or important function out of scope must be justified in the scope specification rather than decided unilaterally.
ICT third-party providers supporting in-scope critical or important functions are part of the test: under Article 26(3) the financial entity must take the measures and safeguards needed to ensure the provider participates, and responsibility for compliance stays with the entity. This is one of the most complex aspects. If a major cloud provider (AWS, Azure, Google Cloud) hosts a critical function, the entity's systems on that platform are in scope and the provider must cooperate, which requires contractual rights: Article 30(3)(d) obliges contracts for ICT services supporting critical or important functions to commit the provider to participate and fully cooperate in TLPT. Where a provider's participation could affect the services or data of customers outside the scope, Article 26(4) allows pooled testing, in which one designated financial entity directs a single TLPT of the common provider on behalf of several entities.
The entity establishes a control team (the RTS term; TIBER-EU calls it the white team): a small, senior group, typically 3 to 5 people from risk, security and technology, who know the test is occurring and coordinate with the TLPT authority. The rest of the institution, including the blue team (defenders), must not know a test is underway until the closure phase; the control team is responsible for containing that knowledge and for the risk management controls that Article 26(5) requires.
Phase 2: Threat Intelligence Production
An external Threat Intelligence (TI) provider, meeting the tester requirements of Article 27 and any NCA-specific expectations, produces a bespoke threat intelligence report (the Targeted Threat Intelligence report, or TTI, in TIBER-EU terms) for the institution. This report:
- Identifies the threat actors most likely to target this institution (based on the institution's business model, systems, geographies, and known exposure)
- Describes the tactics, techniques, and procedures (TTPs) those actors use
- Defines attack scenarios that the red team should simulate
The TI provider must be external to the financial institution being tested; Article 27(2)(c) makes this explicit whenever internal testers are used, and TIBER-EU requires it in every case. Whether TI and red team services may be sourced from the same firm depends on the NCA's framework; where they are, the confidentiality and risk management obligations of Article 27 apply to both services.
Phase 3: Red Team Testing
The Red Team executes attack scenarios derived from the TTI against the in-scope functions, from reconnaissance and initial access through lateral movement to the agreed objectives (flags), aiming to reach them without being detected. Under DORA:
- Internal red teams are permitted, with conditions: Article 26(8) lets financial entities use internal testers provided they contract external testers every three tests, and Article 27(2) requires the competent authority to approve the use of internal testers and to verify that the entity has sufficient dedicated resources and avoids conflicts of interest throughout the test. Credit institutions classified as significant under the SSM (Article 6(4) of Regulation (EU) No 1024/2013) may only use external testers
- Even when using an internal red team, the threat intelligence must always come from an external provider
- Testers, internal or external, must meet the suitability, expertise, certification, assurance and insurance requirements of Article 27(1), which the RTS elaborates with minimum experience and qualification requirements
- The red team may not share information with the blue team during the test; disclosure happens in the closure phase (purple teaming and replay)
Testing is conducted on live production systems (Article 26(2)); substituting a test environment is not permitted, because the point is to evaluate detection and response under real conditions. Article 26(5) balances this with a duty to apply effective risk management controls so that the entity's data, assets and critical functions, its counterparts and the wider sector are not harmed; the control team agrees those controls with the testers before the red team goes live.
Phase 4: Purple Teaming (Mandatory)
Unlike traditional red team exercises where findings are simply reported to management, the RTS mandates purple teaming: a collaborative stage within the closure phase, after active red team testing has ended, in which the Red Team and Blue Team work together. In the purple teaming phase:
- The Red Team reveals the attacks it executed, including those the Blue Team did not detect
- The Blue Team and Red Team work through each scenario together
- Undetected techniques are replayed so that detection gaps are identified and fixes can be verified
- Response playbooks are evaluated against actual attack patterns
Purple teaming is one of the most valuable aspects of DORA TLPT for defenders: it converts findings from a point-in-time test into direct capability improvements for the Blue Team.
Phase 5: Closure and Remediation
The TLPT concludes with the closure phase: the red team and blue team each produce a report, a remediation plan is agreed, and a test summary report is submitted to the TLPT authority (Article 26(6)). Together this documentation covers:
- Summary of all attack scenarios executed
- Findings: vulnerabilities exploited, detection gaps, response failures
- Remediation plan with timelines and responsible owners
- Results of the purple teaming phase
- Assessment of overall resilience level
The authority reviews the submission and, where the test met the requirements, issues the attestation provided for in Article 26(7), which is also the basis for mutual recognition of the test in other Member States (Article 26(10)). It may require follow-up testing or additional remediation. The entity must track remediation and maintain evidence of completion.
Practical Requirements: Testers
External Red Team Accreditation
External red team providers must meet the requirements of Article 27(1) and any NCA-specific accreditation framework. Under TIBER-EU, providers are assessed against the TIBER-EU Services Procurement Guidelines. Article 27(1) requires testers to:
- Be of the highest suitability and reputability
- Possess the technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing
- Be certified by an accreditation body in a Member State, or adhere to formal codes of conduct or ethical frameworks
- Provide independent assurance or an audit report on the sound management of TLPT risks, including protection of the entity's confidential information and redress for business risks
- Be fully covered by relevant professional indemnity insurance
In practice NCAs also expect specific experience in financial-sector threat simulation, demonstrated competency in the TTPs included in the attack scenarios, and the absence of conflicts of interest with the institution being tested.
Internal Red Team Requirements
Where an institution uses an internal red team, Article 27(2) applies:
- The use of internal testers must be approved by the competent authority (or the single public authority designated under Article 26(9))
- The competent authority must have verified that the entity has sufficient dedicated resources and that conflicts of interest are avoided throughout the design and execution of the test; in practice the testers must be organisationally separate from the teams that build and defend the in-scope systems
- Internal testers must meet competency standards equivalent to those for external providers, and the NCA may require evidence of their qualifications
- The threat intelligence provider must be external: an institution cannot use both an internal red team and internal threat intelligence in the same TLPT
- External testers must still be contracted every three tests, and significant credit institutions under the SSM may not use internal testers at all
Interaction with DORA's Broader Testing Framework
TLPT sits at the top of DORA's digital operational resilience testing hierarchy:
| Testing Type | Frequency | DORA Article | Who Conducts |
|---|---|---|---|
| Vulnerability assessments and scans | Part of the yearly programme; CCPs and CSDs also before deploying or redeploying applications, infrastructure components and ICT services supporting critical or important functions | Articles 24(6), 25 | Internal or external |
| Penetration testing (network, application, scenario-based) | At least yearly on ICT systems and applications supporting critical or important functions | Articles 24(6), 25 | Internal or external |
| TLPT | At least every 3 years | Articles 26–27 | External TI; internal or external red team (external at least every third test) |
All financial entities in DORA scope (Article 2(1)), other than microenterprises, must run the testing programme of Articles 24 and 25. TLPT is the additional obligation for identified entities. The two feed each other: weaknesses found in yearly penetration tests and vulnerability assessments belong in the TLPT scoping discussion and the threat scenarios, and TLPT findings go back into the remediation process that Article 24 requires for every issue revealed by testing.
TLPT Checklist for Financial Institutions
Determine whether you are in scope:
- Confirm with your NCA whether your entity has been identified for TLPT
- If not yet confirmed, review your systemic footprint (size, interconnectedness, critical service provision)
- Identify whether your NCA uses the TIBER-EU framework and if so, which version (aligned to DORA or pre-DORA)
Prepare your governance:
- Establish or confirm your White Team composition (senior, small, need-to-know basis)
- Engage your Board and CRO/CISO on TLPT as a regulatory obligation, not an IT project
- Confirm your three-year TLPT cycle start date (if completing first TLPT, this starts the clock)
Scope definition:
- Map all critical or important functions as defined under your DORA ICT risk management framework
- Identify which ICT third-party providers support critical functions and assess inclusion in TLPT scope
- Engage ICT third parties on cooperation requirements; review contractual provisions (Article 30(3)(d) requires contracts for ICT services supporting critical or important functions to oblige the provider to participate in and fully cooperate with TLPT)
Procurement:
- Select an external Threat Intelligence provider that meets the Article 27(1) requirements and any NCA-specific expectations
- Decide internal vs. external red team for this cycle (track the every-third-test rule; internal testers need prior NCA approval and are not available to significant credit institutions under the SSM)
- If using an external red team, run a competitive procurement against the Article 27(1) requirements and the NCA's accreditation framework
- Ensure TI and red team providers are independent from the institution, and check your NCA's framework on whether both services may come from the same firm
Execution:
- Engage the TLPT authority from the start of the preparation phase: the scope specification must be submitted for validation before testing begins, and the authority may assign a liaison or observe
- Confirm live production scope — no test environment substitution
- Schedule the purple teaming phase as an integrated part of the test, not an afterthought
- Prepare the closure documentation templates (red team report, blue team report, remediation plan, test summary report) in advance
DORA TLPT requirements are technically complex and highly dependent on your NCA's specific implementation framework. For detailed questions about how TLPT interacts with your ICT risk management programme or ICT third-party contracts, query our regulatory knowledge base — our Argus system covers DORA, the TLPT RTS, and the TIBER-EU framework.