DORA · Artikel 26 · TLPT

DORA TLPT: the mandatory threat-led test for financial entities.

Since 17 January 2025, DORA Article 26 requires a Threat-Led Penetration Test at least every three years — on live critical functions. This page explains who is in scope, what the RTS demands and what a realistic delivery looks like.

Applicable since 17 Jan 2025·DORA TLPT 2024 completed·ENISA contributor 2021–2024
Article 26 in plain terms

An intelligence-led test every three years — against the production estate.

Article 26 of Regulation (EU) 2022/2554 obliges designated financial entities to run an advanced test in the form of a Threat-Led Penetration Test at least every three years. The test must run against live critical or important functions — staging does not count.

The technical detail sits in a dedicated RTS and follows the ECB's TIBER-EU methodology closely. For Germany, BaFin/Bundesbank designates the in-scope firms and oversees the tests through the national TIBER Cyber Team.

Scope

Who is in scope?

Credit institutions & investment firms

Significant banks and larger investment firms in the sense of CRR/CRD.

Payment & e-money institutions

Large payment service providers and e-money institutions with significant transaction volumes.

Financial market infrastructures

Central counterparties (CCPs), central securities depositories (CSDs), trading venues.

Insurers & reinsurers

Larger Solvency II undertakings with systemic ICT dependency.

Critical ICT third-party providers

CTPPs designated by the ESAs with systemic importance for the sector.

Out of scope

Small and micro undertakings and categories explicitly excluded under DORA Art. 16.

The binding step is designation by the competent supervisor. The criteria are in the TLPT RTS.

Deadlines

What is due when.

17 January 2025

DORA fully applicable. From here the clock is running for the first TLPT cycle.

2025–2027

First TLPT for designated firms — the supervisor expects a substantive, TIBER-compliant delivery.

Every 3 years

Recurring obligation. Also ad hoc after significant changes (mergers, new core systems).

RTS requirements on providers

What the TLPT RTS demands from an external team.

Demonstrable red-team experience

Track record of comparable operations — not just regular pentests.

Operator certifications

OSCP/OSCE/OSEP or equivalent for all active operators.

Role separation

The threat-intelligence and red-team roles must be mandated separately.

Sector track record

Demonstrable experience in the financial sector and with supervisory interfaces.

FAQ

Frequently asked questions about the DORA TLPT

What is a DORA TLPT?

TLPT stands for Threat-Led Penetration Test. Article 26 of Regulation (EU) 2022/2554 (DORA) requires in-scope financial entities to run an intelligence-led test against live critical or important functions at least every three years. The technical methodology is set out in the accompanying RTS and follows TIBER-EU.

Who is in scope for the TLPT obligation?

The competent authority (in Germany BaFin/Bundesbank) designates in-scope firms using the size, risk and systemic-importance criteria in the RTS. Rule of thumb: significant credit institutions, large payment service providers, CCPs, trading venues, large insurers and critical ICT third-party providers of systemic importance. Small and micro undertakings are explicitly out of scope.

Since when does the obligation apply?

DORA has applied since 17 January 2025. The first TLPT round for designated firms runs in the 24–36 months that follow. Firms that have been notified but not yet tested should start preparation now — a realistic timeline is 6–9 months from kick-off to closure.

Does the test have to run on production systems?

Yes. The TLPT RTS requires the test to run against the live critical or important functions in production. Testing purely against staging environments does not satisfy the requirement — that is the decisive difference to a regular penetration test.

Who is allowed to run a DORA TLPT?

The RTS requires qualified external providers with proven red-team experience, a track record in financial services, operator certifications (OSCP/OSCE/OSEP or equivalent) and a separation between the threat intelligence and red team roles. An internal team is only permitted under narrow additional conditions.

What happens if a firm skips the TLPT?

Supervisory measures up to formal orders and fines are on the table. DORA is one of BaFin/Bundesbank's priority topics for 2025/2026 — a missing TLPT will become a priority in the next supervisory dialogue at the latest.

Can Exploit Labs deliver the TLPT?

Yes. We closed a DORA TLPT for a regulated institution in 2024 and contributed to European TLPT frameworks with ENISA between 2021 and 2024. We deliver the red-team role and coordinate with a separately mandated threat-intelligence provider — exactly as the RTS requires.

Ready for the first TLPT cycle?

We work through scope, deadlines and roles with you — and set a realistic timeline through to attestation.