Skip to main content
DORA Auditor

Penetration Testing for DORA (TLPT)

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

Penetration testing for DORA supports the digital operational resilience testing pillar (Articles 24–27). It ranges from vulnerability assessments through to threat-led penetration testing (TLPT), which significant entities must perform at least every three years.

The testing spectrum

DORA expects a proportionate, risk-based programme: scans, vulnerability assessments, scenario-based tests, and, for entities identified as significant, TLPT on live production systems following the TIBER-EU framework. Testing must cover the critical functions identified in the ICT risk-management framework.

Choosing testers

TLPT requires testers that meet DORA's competence and independence requirements. Several specialist security firms and generalists offer DORA-aligned testing, compare them in the directory.

Frequently asked questions

Is TLPT mandatory for every financial entity?
How often is TLPT required?
What framework does DORA TLPT follow?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. ESMA, Digital Operational Resilience Act (DORA)