Pillar III: Digital Operational Resilience Testing
Article 26

Chapter IV — Digital operational resilience testing

Section II — Advanced testing based on TLPT

Advanced testing of ICT tools, systems and processes based on TLPT

Tags: TLPT, penetration-testing, threat-intelligence, red-team, advanced-testing

Summary

Establishes requirements for threat-led penetration testing (TLPT) for systemically important financial entities. TLPT simulates real-world cyber attacks using current threat intelligence to test an entity's detection and response capabilities against sophisticated adversaries. TLPT must be conducted at least every three years.

Key Requirements

  1. Conduct TLPT at least every three years for identified entities

  2. Base testing on current threat intelligence specific to the entity

  3. Cover critical or important functions in live production systems

  4. Use qualified external testers with appropriate certifications

  5. Include ICT third-party service providers in testing scope where relevant

Detailed Analysis

Article 26 introduces threat-led penetration testing (TLPT), the most sophisticated form of resilience testing required under DORA. Unlike standard vulnerability assessments that test for known weaknesses, TLPT simulates the tactics, techniques, and procedures (TTPs) of real threat actors to test whether an entity can detect and respond to a targeted, advanced attack.

TLPT is not required for all financial entities — it applies only to those identified by competent authorities based on systemic importance, criticality, and ICT risk profile. The identification criteria ensure that this resource-intensive form of testing is targeted at entities where the consequences of a successful attack would be most severe for the financial system.

The testing must be conducted against live production systems supporting critical or important functions, not isolated test environments. This requirement ensures that the test results reflect actual defensive capabilities rather than theoretical ones. However, careful scoping and risk management protocols must be in place so that the test itself does not cause operational disruption to those same critical functions.

TLPT must be based on current, entity-specific threat intelligence. Generic test scenarios are insufficient. The threat intelligence phase must identify the most relevant threat actors, their motivations, capabilities, and likely attack vectors specific to the target entity. This intelligence then drives the design of realistic attack scenarios that the testing team (red team) executes.

External testers must meet qualification requirements defined in the related RTS, ensuring appropriate expertise, certifications, and ethical standards. The RTS also draws on the TIBER-EU framework, which provides a well-established methodology for conducting TLPT in the financial sector.
