doratesting

DORA TLPT explained: threat-led penetration testing

Updated 2026-07-06 2 min read

TLPT is the most demanding part of DORA’s testing regime — a realistic, intelligence-led attack simulation against live systems. It applies only to the most significant entities, but for them it is mandatory.

What TLPT is

Threat-led penetration testing (TLPT) is an advanced form of testing that simulates the tactics, techniques and procedures of real threat actors against an entity’s live production systems. Rather than checking a system in isolation, it tests whether the organisation can prevent, detect and respond to a realistic attack end to end.

Under DORA, TLPT is built on the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming), which many EU jurisdictions already use.

Who must do it

TLPT is not for everyone. It applies to significant entities — those identified by competent authorities based on their size, risk profile and systemic importance. In-scope entities must undergo TLPT at least every three years.

How a TLPT engagement works

  1. Scoping — identify the critical functions and live systems to be tested.
  2. Threat intelligence — build realistic threat scenarios based on actual adversaries targeting the sector.
  3. Red teaming — skilled testers attempt to achieve the scenario objectives against live systems, safely.
  4. Purple teaming & closure — compare against the defenders’ detection and response, then remediate and report.

Tester requirements

TLPT must be carried out by testers meeting strict criteria on competence, reputation and independence. This is deliberately a high bar — the testing touches live production systems and must be run safely and credibly.

FAQ

Related questions

Is TLPT required for all financial entities?

No. TLPT is required only of significant entities identified by competent authorities. Other entities must still run the baseline annual testing programme, but not full TLPT.

How often is TLPT required under DORA?

At least once every three years for in-scope significant entities, though authorities can adjust frequency based on risk.

What framework is DORA TLPT based on?

TIBER-EU — the European framework for threat intelligence-based ethical red teaming — which several EU central banks and authorities already operate.