If you’re an IT or security leader in financial services, DORA compliance is already on your radar. But keeping systems secure while managing compliance is a challenge: cyber threats are evolving, regulations are getting stricter, and staying ahead of it all takes serious effort.

So, what does DORA mean for you?
The Digital Operational Resilience Act (DORA) helps financial institutions stay operational, even when cyberattacks, IT failures, or other disruptions occur. It establishes clear expectations for resilience, ensuring that organisations prepare instead of just reacting when things go wrong.
A key requirement is Threat-Led Penetration Testing (TLPT). This goes beyond standard audits by simulating real-world attacks to find security weaknesses before they can be exploited.
If your organisation operates in the EU financial sector, understanding DORA and TLPT is critical. In this guide, we’ll cover what you need to know, how TLPT fits into the broader compliance picture, and the steps you should take now to stay ahead.
Who Do DORA’s TLPT Requirements Apply To?
DORA is a big shift in how financial organisations manage ICT risk. It applies to a wide range of businesses that play a role in keeping the financial system running smoothly. If your organisation is part of the financial sector, there’s a good chance DORA applies to you.
But who exactly needs to comply with DORA and its Regulatory Technical Standards (RTS)?
Financial Institutions in Scope
DORA applies to major financial organisations across the EU, including:
- Banks and Credit Institutions
- Insurance and Reinsurance Firms
- Investment Firms and Trading Venues
- Payment Service Providers & E-Money Firms
Crypto Firms Are Now Included
Crypto-asset service providers authorised under MiCA (exchanges, custodial wallet providers and trading platforms) and issuers of asset-referenced tokens are financial entities under DORA. That means the same ICT risk management, incident reporting and resilience testing obligations as the rest of the sector, and TLPT where their competent authority identifies them for it.
ICT Third-Party Providers
If you provide cloud computing, security monitoring, or other ICT services to financial entities, DORA reaches you too. Financial entities must flow down contractual requirements (security, audit and access rights, incident notification and exit arrangements) to their providers, and providers designated as critical by the European Supervisory Authorities fall under a direct oversight framework. Providers must be able to evidence their own resilience to limit supply chain cyber risk, and where their services support a critical function in scope of a TLPT, they must take part in the test.
Important DORA Deadlines and Enforcement
DORA has applied since 17 January 2025, which means:
- All in-scope financial entities must already be compliant
- Competent authorities are now assessing ICT risk management and resilience testing measures
- Non-compliance can lead to penalties
At EU level, DORA is overseen by the three European Supervisory Authorities, with day-to-day supervision carried out by national competent authorities:
- European Banking Authority (EBA) – Banks & credit institutions
- European Securities and Markets Authority (ESMA) – Investment firms & trading venues
- European Insurance and Occupational Pensions Authority (EIOPA) – Insurance & reinsurance firms
Understanding DORA TLPT Definition
DORA sets a clear expectation: financial entities identified by their competent authority (based on their size, systemic importance and ICT risk profile) must regularly test their resilience against real-world cyber threats. The Threat-Led Penetration Test (TLPT) is designed to do exactly that.
Threat-Led Penetration Testing is a realistic cyberattack simulation. Using current threat intelligence, these tests mimic the tactics of genuine attackers to see how well a financial institution can detect, respond to, and recover from an attack.
To keep testing consistent and effective, DORA requires TLPT to be carried out in line with the TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) framework, ensuring a standardised approach across the financial sector.
What Are The Key Aspects of DORA TLPT You Should Know?
- Mandatory Every Three Years – Financial entities identified for TLPT by their competent authority must conduct it at least once every three years (the authority can adjust this frequency based on the entity’s risk profile).
- Live Production Testing – TLPT is conducted on live operational systems to reflect real-world conditions.
- Critical Functions Focus – It targets the most important services and infrastructure that financial organisations rely on.
- Third-Party Involvement – Where ICT third-party providers support a critical function in scope, those providers must participate in the test.
- Advanced Attack Simulation – Tests replicate sophisticated cyberattacks, including:
- Network intrusion attempts
- Privilege escalation scenarios
- Supply chain attacks
What Happens During a DORA RTS TLPT Exercise?
TLPT is a structured, high-stakes Cyber Security test designed to push financial institutions to their limits. It goes beyond standard penetration testing, simulating real-world cyberattacks on live production environments. The process follows a structured approach to ensure thorough assessment while maintaining operational integrity.
- 1. Preparation Phase
Before testing begins, financial entities must work closely with regulators to set the scope and logistics. This involves:
- Submitting key documents, including a project charter and details of the control team responsible for overseeing the test.
- Defining critical business functions and IT systems that must be included in the assessment.
- Determining whether third-party ICT providers should be involved.
- Setting up clear communication channels between all involved parties.
- Ensuring risk assessments and mitigation measures are in place before testing starts.
Financial institutions must also verify that their chosen threat intelligence provider and testers meet DORA’s tester requirements (Article 27) before the test starts, and the proposed scope is submitted to the TLPT authority for validation.
- 2. Threat Intelligence Gathering
TLPT is powered by real-world cyber threat intelligence. During this phase:
- A threat intelligence team analyses sector-specific threats and vulnerabilities.
- Attack scenarios are designed based on actual Tactics, Techniques & Procedures (TTPs) used by cybercriminals.
- At least three different attack scenarios are selected, ensuring a mix of realistic and forward-looking threats.
- The chosen attack paths must target each critical function in scope for the TLPT.
This ensures the test reflects current, sophisticated attack methods, rather than generic vulnerability assessments.
- 3. Simulated Attack Execution
This is where TLPT sets itself apart. The testers (the red team) attempt to breach the organisation using the same methods as real attackers, working from the threat intelligence scenarios. Their objectives include:
- Targeted phishing attacks to gain credentials and access.
- Network intrusion attempts to bypass security measures.
- Privilege escalation to move deeper into the system.
- Exploiting weaknesses in third-party ICT providers to test supply chain security.
Unlike standard penetration tests, these simulated attacks are conducted on live production systems, making them as close to real-world cyberattacks as possible. The active red team testing phase must last at least 12 weeks, and the overall exercise is longer once preparation, threat intelligence and closure are included. Because it runs on production, the control team (the small group inside the financial entity that knows about the test) and the testers agree risk management measures up front, including how testing is paused or stopped if it threatens operations.
- 4. Response & Detection Analysis
A key objective of TLPT is assessing how well an organisation detects and responds to cyber threats. This phase evaluates:
- Did the Security Operations Centre (SOC) detect the attacks?
- How quickly did incident response teams react?
- Were security controls effective in stopping the threats?
If the blue team detects test activity, the control team and the testers agree how to proceed (for example, re-scoping the affected scenario or giving the red team a “leg-up” to the next stage of the attack path) so that the remainder of the test keeps its secrecy and realism; the TLPT authority is kept informed.
- 5. Reporting, Remediation & Regulatory Review
Once the red team phase closes, the testers and the financial entity’s blue team document what happened, and the financial entity compiles a test summary report for the TLPT authority. The reporting includes:
- Findings – A detailed account of the weaknesses exploited and the attack paths taken.
- Impact Assessment – How far the attackers progressed and what they could have reached if left undetected.
- Recommendations – Specific actions to fix the security gaps.
The financial institution then has eight weeks to submit a remediation plan outlining how and when it will address the identified weaknesses. The authority reviews the summary report and remediation plan and issues an attestation confirming that the test was carried out in line with the requirements; that attestation is what the entity uses to demonstrate TLPT compliance. Failure to act on the findings could lead to penalties or to the authority adjusting the testing frequency.
Why Does TLPT Matter for DORA Compliance?
DORA mandates TLPT because it provides financial institutions with a realistic view of their cyber resilience. By simulating actual attacks, organisations can:
- Uncover hidden vulnerabilities before cybercriminals exploit them.
- Test their incident response capabilities under real-world conditions.
- Improve collaboration with third-party ICT providers to reduce supply chain risks.
- Meet regulatory requirements and strengthen trust with stakeholders.
Who Can Carry Out a Threat-Led Penetration Test?
Not just anyone can perform a Threat-Led Penetration Test (TLPT) under DORA. Given the complexity and high stakes involved—testing live production systems and simulating real cyberattacks—financial institutions must ensure their testers meet strict experience, accreditation, and independence criteria.
What Makes a TLPT Tester Qualified?
To run a DORA-compliant TLPT, testers must tick several key boxes:
- Highly Skilled & Reputable
The right testers need to have a solid reputation in Cyber Security and a proven track record in:
- Intelligence-led red teaming – simulating real-world threats against an organisation.
- Threat intelligence expertise – understanding how hackers operate and adapt their tactics.
- Penetration testing skills – safely probing security defences without disrupting operations.
These tests go beyond the basics, so it’s vital to work with trusted professionals.
Certified & Accredited Experts
DORA (Article 27) requires testers to be of the highest suitability and reputability, to have the technical and organisational capabilities and expertise in threat intelligence, penetration testing and red team testing, to be certified by an accreditation body in an EU member state or to adhere to formal codes of conduct or ethical frameworks, to provide independent assurance or an audit report on the sound management of the risks of the TLPT (including protection of the entity’s confidential information), and to carry professional indemnity insurance. Schemes and frameworks that testers commonly align to include:
- CREST (Council of Registered Ethical Security Testers)
- CBEST (Bank of England’s Red Team Testing Framework)
- TIBER-EU (Threat Intelligence-Based Ethical Red Teaming)
CREST is an accreditation body; CBEST and TIBER-EU are red team testing frameworks rather than certifications, but a track record of delivering tests under them is strong evidence of the intelligence-led capability DORA expects.
Internal vs External Testers for Threat-Led Penetration Testing: What’s Allowed?
DORA (Article 27(2)) allows financial institutions to use internal testers, but under strict conditions:
- The competent authority must have approved the use of internal testers.
- The financial entity must have sufficient dedicated resources and must ensure conflicts of interest are avoided throughout the design and execution of the test.
- Internal testers must meet the same suitability, expertise and assurance standards as external testers.
- At least every three tests, an external tester must be engaged.
- The threat intelligence provider must always be external to the financial entity.
Credit institutions classified as significant (those supervised directly by the ECB) may only use external testers.
Staying Ahead of Cyber Threats: Are You DORA-Ready?
DORA is reshaping Cyber Security in the financial sector. With Threat-Led Penetration Testing (TLPT) now mandatory for high-risk institutions, testing isn’t just about compliance—it’s about resilience.
By proactively simulating real-world attacks, organisations can identify weaknesses, strengthen defences, and ensure third-party providers meet security standards.
Need expert-led penetration testing to support your compliance? Our CREST-certified team is here to help.
Let’s talk security. Call us on 0121 663 0055 or email enquiries@equilibrium-security.co.uk.