Article 26: Advanced testing based on threat-led penetration testing (TLPT)
Last updated: 1 authoritative sourceDORA Auditor Editorial Team
Article 26 requires financial entities identified as significant to carry out threat-led penetration testing (TLPT) at least every three years, testing live production systems and covering critical or important functions, aligned to the TIBER-EU framework.
Chapter IV, Digital operational resilience testing · Pillar: Digital Resilience Testing
Key points
- Mandates TLPT for significant entities
- At least once every three years on live systems
- Aligned with the TIBER-EU framework
How this fits DORA
Article 26 sits within the Digital Resilience Testing pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.
Read the official text
This is an editorial summary. Read the binding text of Article 26 in the consolidated regulation on EUR-Lex.