Penetration Testing for DORA (TLPT)
Penetration testing for DORA supports the digital operational resilience testing pillar (Articles 24–27). It ranges from vulnerability assessments through to threat-led penetration testing (TLPT), which significant entities must perform at least every three years.
The testing spectrum
DORA expects a proportionate, risk-based programme: scans, vulnerability assessments, scenario-based tests, and, for entities identified as significant, TLPT on live production systems following the TIBER-EU framework. Testing must cover the critical functions identified in the ICT risk-management framework.
Choosing testers
TLPT requires testers that meet DORA's competence and independence requirements. Several specialist security firms and generalists offer DORA-aligned testing, compare them in the directory.
Frequently asked questions
Is TLPT mandatory for every financial entity?
No. TLPT is required only for entities identified as significant by their competent authority; others follow the broader risk-based testing programme.
How often is TLPT required?
At least once every three years for significant entities, subject to authority discretion.
What framework does DORA TLPT follow?
TLPT is based on the TIBER-EU framework and uses threat intelligence to test live production systems.