DORA TLPT explained: threat-led penetration testing
TLPT is the most demanding part of DORA’s testing regime — a realistic, intelligence-led attack simulation against live systems. It applies only to the most significant entities, but for them it is mandatory.
What TLPT is
Threat-led penetration testing (TLPT) is an advanced form of testing that simulates the tactics, techniques and procedures of real threat actors against an entity’s live production systems. Rather than checking a system in isolation, it tests whether the organisation can prevent, detect and respond to a realistic attack end to end.
Under DORA, TLPT is built on the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming), which many EU jurisdictions already use.
Who must do it
TLPT is not for everyone. It applies to significant entities — those identified by competent authorities based on their size, risk profile and systemic importance. In-scope entities must undergo TLPT at least every three years.
How a TLPT engagement works
- Scoping — identify the critical functions and live systems to be tested.
- Threat intelligence — build realistic threat scenarios based on actual adversaries targeting the sector.
- Red teaming — skilled testers attempt to achieve the scenario objectives against live systems, safely.
- Purple teaming & closure — compare against the defenders’ detection and response, then remediate and report.
Tester requirements
TLPT must be carried out by testers meeting strict criteria on competence, reputation and independence. This is deliberately a high bar — the testing touches live production systems and must be run safely and credibly.
FAQ
Related questions
Is TLPT required for all financial entities?
No. TLPT is required only of significant entities identified by competent authorities. Other entities must still run the baseline annual testing programme, but not full TLPT.
How often is TLPT required under DORA?
At least once every three years for in-scope significant entities, though authorities can adjust frequency based on risk.
What framework is DORA TLPT based on?
TIBER-EU — the European framework for threat intelligence-based ethical red teaming — which several EU central banks and authorities already operate.
Keep reading
More guides
-
DORA testing requirements: what financial entities must test
DORA makes resilience testing a legal duty. Here’s the programme it requires, the test types, the cadence, and who must do the testing.
Read guide -
DORA testing checklist: how to prepare and stay compliant
A practical checklist to build and evidence a DORA-compliant resilience-testing programme — from scoping critical functions to remediation.
Read guide