01 What TLPT is — and who it hits
**Threat-led penetration testing (TLPT)** is the most demanding tier of DORA resilience testing: a **threat-led attack test** against productive (live) systems that mimics the tactics, techniques and procedures of real attackers rather than merely ticking off known vulnerabilities. The legal basis is **Art. 26 of Regulation (EU) 2022/2554 (DORA)**. Unlike the general testing toolkit (Arts. 24–25), which applies to all financial entities in scope, TLPT applies only to entities **identified by the competent authority** under Art. 26(8) on the basis of impact, financial-stability and ICT risk-profile criteria [1].
Identified entities must perform TLPT **at least every three years** (Art. 26(1)); the frequency therefore sits in the Level 1 text itself, not only in the technical standards. Under Art. 26(2) the test must cover several or all critical or important functions and is run on live production systems, not on a test environment.
02 Tester requirements and the technical standard
**Art. 27 DORA** governs the requirements for the **testers**: suitability, independence, threat-intelligence capability and, subject to conditions, the use of internal testers. The exact methodology, the identification criteria and the phases of the test sit in the regulatory technical standard (RTS) adopted under the empowerment in **Art. 26(11)**: **Delegated Regulation (EU) 2025/1190** of 13 February 2025, published in the Official Journal on 18 June 2025 and in force from 8 July 2025, the twentieth day after publication [1][2].
03 The TIBER-EU link
TLPT did not appear out of nowhere: the method is **based on the ECB's TIBER-EU framework** (Threat Intelligence-Based Ethical Red Teaming), which DORA expressly references in Recital 56. Anyone who has been through a TIBER-EU test will recognise the phase logic (preparation, threat intelligence, red-team test, closure); DORA lifts it onto a binding, EU-wide harmonised legal footing.
For affected institutions this means TLPT is a multi-month, closely supervised project involving threat intelligence, red teaming and remediation. Tracking the ongoing clarifications from the ESAs and national supervisors early is what determines lead time and resource planning.
Sources
Every cited claim links to the primary source.