DORA Resilience Testing & TLPT

Resilience testing under DORA: basic tests vs. TLPT. Who must conduct Threat-Led Penetration Testing? TIBER-EU framework.

DORA Resilience Testing: Overview

Articles 24 through 27 of DORA (EU Regulation 2022/2554, Chapter IV) establish the digital operational resilience testing requirements for financial entities. The logic is straightforward: you cannot know whether your ICT defences work unless you test them. DORA codifies this principle into a two-tier regime: a general testing programme that every financial entity other than a microenterprise must run (Art. 24-25), and advanced Threat-Led Penetration Testing (TLPT) for the entities that competent authorities identify as significant (Art. 26-27).

This testing regime is closely linked to the ICT risk management framework under Art. 5-16. The results of testing must feed back into the risk assessment and trigger remediation measures where weaknesses are identified. For details on the risk framework, see our ICT Risk Management guide.

General Testing Requirements (Art. 24)

Art. 24(1) requires all financial entities other than microenterprises to establish, maintain, and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework. Note that entities under the simplified framework of Art. 16 are not exempt from Chapter IV; only microenterprises are, and even they must still test under Art. 25(3). The programme must be:

  • Risk-based (Art. 24(3)): The scope, frequency, and depth of testing must reflect the evolving ICT risk landscape, the specific risks the entity is or might be exposed to, and the criticality of its information assets and the services it provides
  • Comprehensive (Art. 24(6)): Appropriate tests must be run at least yearly on all ICT systems and applications supporting critical or important functions, not just a subset
  • Proportionate (Art. 4): The programme must be proportionate to the entity's size, overall risk profile, and the nature, scale, and complexity of its services, activities, and operations
  • Remediated and documented (Art. 24(5)): The entity needs procedures to prioritise, classify, and remedy every issue a test reveals, plus an internal validation method to confirm that identified weaknesses, deficiencies, and gaps are fully addressed; findings and their closure should be recorded and reported to the management body, which is responsible for the ICT risk management framework under Art. 5

Testing must be carried out by independent parties (Art. 24(4)): either internal staff who are not involved in the development or operation of the tested systems, or external providers. Where internal testers are used, the entity must dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution of the test.

Basic Testing (Art. 25)

Art. 25(1) lists the kinds of tests the programme must provide for, applied in accordance with the proportionality criteria of Art. 4(2). The cadence comes from Art. 24(6): appropriate tests on every ICT system and application supporting a critical or important function at least yearly. The listed test types are:

  • Vulnerability assessments and vulnerability scans
  • Open-source analyses
  • Network security assessments
  • Gap analyses against standards and best practices
  • Physical security reviews
  • Questionnaires and scanning software solutions
  • Source code reviews where feasible
  • Scenario-based tests (including switchover and failover)
  • Compatibility testing
  • Performance testing (load and stress tests)
  • End-to-end testing
  • Penetration testing

Not every entity must perform every type of test every year, and DORA does not prescribe which test goes with which system: the choice follows the risk-based approach of Art. 24(3), with the most critical systems receiving the most rigorous testing. In practice, a vulnerability assessment and a penetration test are generally expected at least annually on systems supporting critical or important functions. Two special cases are worth noting:

  • Central securities depositories and central counterparties must perform vulnerability assessments before any deployment or redeployment of applications, infrastructure components, and ICT services supporting critical or important functions (Art. 25(2)).
  • Microenterprises are exempt from the formal programme of Art. 24, but must still perform the Art. 25(1) tests by combining a risk-based approach with strategic planning of ICT testing that balances resource allocation against the urgency of the ICT risks identified (Art. 25(3)).

Threat-Led Penetration Testing / TLPT (Art. 26-27)

TLPT is the most demanding testing requirement under DORA. Art. 3(17) defines it as a framework that mimics the tactics, techniques, and procedures of real-life threat actors perceived as posing a genuine cyber threat, delivering a controlled, bespoke, intelligence-led (red team) test of the entity's critical live production systems. Modelled on the TIBER-EU framework, it goes well beyond a conventional penetration test: instead of enumerating vulnerabilities within a fixed scope, it tests whether the entity detects, contains, and responds to a realistic end-to-end attack against the systems supporting its critical or important functions.

Who Must Conduct TLPT?

TLPT is not required of all financial entities. Entities referred to in Art. 16(1) and microenterprises are excluded outright (Art. 26(1)). Among the rest, competent authorities identify the entities that must perform TLPT (Art. 26(8)) on the basis of:

  • Impact-related factors, in particular the extent to which the entity's services and activities affect the financial sector
  • Financial stability concerns, including the systemic character of the entity at Union or national level
  • The entity's specific ICT risk profile, level of ICT maturity, or technology features

The regulatory technical standards on TLPT adopted under Art. 26(11) turn these factors into concrete identification criteria. In practice, the entity types most likely to be designated are globally systemically important banks (G-SIBs), other systemically important institutions (O-SIIs), significant institutions under SSM supervision, central counterparties, central securities depositories, trading venues, and large payment and settlement systems.

TLPT Requirements

Art. 26 specifies the requirements for TLPT:

  • Conducted at least every 3 years; based on the entity's risk profile and operational circumstances, the competent authority may request a lower or higher frequency (Art. 26(1))
  • Must cover several or all of the entity's critical or important functions and be performed on live production systems supporting them (Art. 26(2)); the entity must identify all underlying ICT systems, processes, and technologies, including those outsourced to ICT third-party service providers, which are brought into scope (Art. 26(2)-(3))
  • The entity assesses which critical or important functions need to be covered; the resulting scope must be validated by the competent authority before testing begins (Art. 26(2))
  • Must mimic the tactics, techniques, and procedures of real-life threat actors perceived as posing a genuine cyber threat (Art. 3(17)); the attack vectors actually used (technical exploitation, social engineering, physical intrusion) are agreed during scoping rather than prescribed by the Regulation
  • Must run under effective risk management controls that mitigate potential impact on data, assets, and critical or important functions at the entity, its counterparts, and the wider financial sector (Art. 26(5))
  • At the end of the test, once reports and remediation plans have been agreed, the entity (and external testers, where applicable) provides the authority with a summary of the relevant findings, the remediation plans, and documentation showing that the test met the requirements (Art. 26(6)); the authority then issues an attestation, which supports mutual recognition of the test across Member States (Art. 26(7))

TLPT Provider Requirements (Art. 27)

Art. 27(1) imposes specific requirements on external TLPT testers. They must:

  • Be of the highest suitability and reputability
  • Possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing, and red team testing
  • Be certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks
  • Provide an independent assurance or audit report on the sound management of the risks of carrying out TLPT, including protection of the entity's confidential information and redress for the entity's business risks
  • Be duly and fully covered by professional indemnity insurance, including against the risks of misconduct and negligence

Contracts with external testers must also require sound management of the TLPT results and ensure that the tester's processing of those results does not create risks for the entity (Art. 27(3)).

Internal testers may conduct TLPT under the conditions of Art. 27(2): they must be approved by the competent authority (or a designated single public authority), the authority must have verified that the entity has sufficient dedicated resources and has avoided conflicts of interest throughout the design and execution of the test, and the threat intelligence provider must always be external. Entities that use internal testers must contract external testers every three tests (Art. 26(8)). Credit institutions classified as significant under SSM supervision may use external testers only.

TIBER-EU and DORA

DORA recognises and builds upon the TIBER-EU framework developed by the ECB and national central banks. TIBER-EU (Threat Intelligence-Based Ethical Red Teaming for the European Union) provides a structured methodology for conducting TLPT.

The TIBER-EU process consists of three phases:

  • Preparation: Scope definition, engagement of threat intelligence and red team providers, validation by the authority
  • Testing: Threat intelligence gathering, attack scenario development, red team execution against live production systems
  • Closure: Purple team session (red team and blue team), remediation planning, reporting to the authority, attestation

Entities that have already conducted TIBER tests are well positioned for DORA TLPT: the RTS on TLPT were drafted in accordance with TIBER-EU (Art. 26(11)), and the ECB has since revised TIBER-EU to align it with DORA. The key difference is that DORA makes TLPT legally mandatory for designated entities, with an authority-validated scope and a formal attestation at closure (Art. 26(7)), whereas TIBER-EU was previously voluntary (though strongly encouraged by supervisors).

Basic Testing vs. TLPT: Comparison

Aspect | Basic Testing (Art. 24-25) | TLPT (Art. 26-27)
Applicability | All financial entities other than microenterprises (Art. 24(1)); microenterprises test under Art. 25(3) | Entities identified by competent authorities (Art. 26(8)); Art. 16(1) entities and microenterprises excluded
Frequency | At least yearly for systems supporting critical or important functions (Art. 24(6)) | At least every 3 years (Art. 26(1))
Scope | All ICT systems and applications supporting critical or important functions | Several or all critical or important functions, on live production systems (Art. 26(2))
Methodology | Vulnerability scans, penetration tests, scenario-based tests, etc. (Art. 25(1)) | Intelligence-led red teaming in accordance with TIBER-EU
Testers | Internal or external, independent of the tested systems (Art. 24(4)) | External testers meeting Art. 27(1), or approved internal testers (Art. 27(2)) with external testers every three tests; threat intelligence always external
Authority involvement | Results available on request | Validates scope, receives findings and remediation plans, issues attestation (Art. 26(2), (6), (7))
Estimated cost (indicative) | EUR 10,000-50,000 per year | EUR 200,000-500,000+ per engagement

Practical Recommendations

  • Build a multi-year testing roadmap: Combine annual basic tests with the 3-year TLPT cycle. Stagger different test types across quarters to avoid resource bottlenecks.
  • Integrate testing into your risk framework: Test findings must flow back into the risk assessment and trigger remediation. Use your GRC tool to track findings, assign owners, and monitor closure.
  • Start TLPT procurement early: Qualified TLPT providers are in high demand. Begin the procurement process 6-9 months before the planned engagement.
  • Use testing results for board reporting: Art. 5 requires the management body to oversee ICT risk. Testing results provide concrete evidence of the entity's resilience posture.
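
As an added example (not code from the page or from Kopexa's platform), the following Python script encodes the cadences cited above, namely the yearly Art. 24(6) cycle, the three-year Art. 26(1) TLPT cycle, the external-tester rule of Art. 26(8), and the external threat-intelligence rule of Art. 27(2)(c), and runs them over a constructed inventory to produce the overdue list a roadmap or GRC tracker needs. The 365-day reading of "at least yearly" and the "no three consecutive internal tests" reading of Art. 26(8) are assumptions, and the system names and dates are made up.

```python
"""Cadence checker for a DORA resilience-testing roadmap.

Added example, not code from the page or from Kopexa. It encodes the cadences
the page cites and flags gaps in a constructed inventory:
  Art. 24(6)    critical/important systems tested at least yearly (read as 365 days)
  Art. 26(1)    designated entities run TLPT at least every 3 years
  Art. 26(8)    internal-tester entities contract external testers every three
                tests (assumption: no three consecutive internal tests);
                significant credit institutions use external testers only
  Art. 27(2)(c) the threat-intelligence provider is always external
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

BASIC_TEST_INTERVAL = timedelta(days=365)  # Art. 24(6): at least yearly (assumed 365 days)
TLPT_INTERVAL_YEARS = 3                     # Art. 26(1): at least every 3 years


@dataclass
class SystemRecord:
    name: str
    critical_or_important: bool
    last_basic_test: date | None  # most recent Art. 25(1) test, None if never tested


@dataclass
class TlptRecord:
    finished: date
    tester: str       # "internal" or "external"
    ti_provider: str  # "internal" or "external"


def basic_test_gaps(systems: list[SystemRecord], today: date) -> list[str]:
    """Names of critical/important systems with no basic test within the last year."""
    return [
        s.name for s in systems
        if s.critical_or_important
        and (s.last_basic_test is None or today - s.last_basic_test > BASIC_TEST_INTERVAL)
    ]


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def tlpt_next_due(history: list[TlptRecord]) -> date | None:
    """Date by which the next TLPT must be finished, or None if none was ever run."""
    if not history:
        return None
    return add_years(max(r.finished for r in history), TLPT_INTERVAL_YEARS)


def tlpt_findings(history: list[TlptRecord], today: date, designated: bool,
                  significant_credit_institution: bool = False) -> list[str]:
    """Gaps in an entity's TLPT cycle; an empty list means no finding."""
    findings: list[str] = []
    if not designated:
        return findings  # Art. 26 binds only entities identified under Art. 26(8)
    due = tlpt_next_due(history)
    if due is None:
        findings.append("TLPT: no test on record (Art. 26(1))")
    elif due < today:
        findings.append(f"TLPT: overdue since {due.isoformat()} (Art. 26(1))")
    ordered = sorted(history, key=lambda r: r.finished)
    for n, r in enumerate(ordered, start=1):
        if r.ti_provider != "external":
            findings.append(f"TLPT #{n}: threat-intelligence provider must be external (Art. 27(2)(c))")
        if significant_credit_institution and r.tester != "external":
            findings.append(f"TLPT #{n}: significant credit institution must use external testers (Art. 26(8))")
    for i in range(len(ordered) - 2):  # every window of three consecutive tests
        if all(r.tester == "internal" for r in ordered[i:i + 3]):
            findings.append(f"TLPT #{i + 1}-#{i + 3}: external testers required every three tests (Art. 26(8))")
    return findings


# Constructed sample inventory for the example; not real data.
TODAY = date(2026, 3, 1)
SYSTEMS = [
    SystemRecord("core-banking", True, date(2025, 6, 15)),
    SystemRecord("payments-gateway", True, date(2025, 1, 20)),
    SystemRecord("swift-connector", True, None),
    SystemRecord("hr-portal", False, None),
]
TLPT_HISTORY = [
    TlptRecord(date(2020, 5, 10), "internal", "external"),
    TlptRecord(date(2022, 11, 30), "internal", "external"),
    TlptRecord(date(2025, 9, 15), "internal", "internal"),
]


def run_example() -> dict:
    """Evaluate the sample inventory and return the results for inspection."""
    return {
        "basic_gaps": basic_test_gaps(SYSTEMS, TODAY),
        "tlpt_next_due": tlpt_next_due(TLPT_HISTORY),
        "tlpt_findings": tlpt_findings(TLPT_HISTORY, TODAY, designated=True),
    }
```

Calling `run_example()` on the sample data reports two systems without a basic test in the last year (the never-tested "swift-connector" and the "payments-gateway" tested 405 days ago), a next TLPT due in September 2028, and two TLPT findings: an internal threat-intelligence provider on the third test and three consecutive internal-tester engagements. Passing `significant_credit_institution=True` to `tlpt_findings` additionally flags every internal-tester engagement, which is the rule a significant SSM credit institution is held to.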

Build your resilience testing programme

Kopexa helps you plan, document, and track your DORA testing programme. From scheduling basic tests to managing TLPT findings, keep everything in one audit-ready platform. See our DORA Checklist for a step-by-step guide.
