DORA TLPT - Threat-Led Penetration Testing Guide
What is TLPT?
Threat-led penetration testing (TLPT) is the most advanced testing tier the Digital Operational Resilience Act (DORA) prescribes for the European financial sector: a covert, threat-intelligence-based red teaming assessment against a financial entity's live production systems.
DORA (Regulation (EU) 2022/2554) has applied directly across the EU since 17 January 2025. While all regulated financial entities must run an ongoing digital operational resilience testing programme (Articles 24/25), Article 26 additionally requires selected entities to undergo TLPT - a real attack test supervised by the authorities.
Unlike a classic penetration test, TLPT does not check individual systems for vulnerabilities; it tests the entire defence chain - prevention, detection and response - against the behaviour of real threat actors.
Who is in scope?
Not every DORA-regulated entity has to perform TLPT. The competent authorities designate the financial entities whose failure would endanger the financial system. Criteria include systemic relevance, risk profile and the importance of the services provided. Typically in scope:
- Banks and credit institutions with a significant market position
- Insurers and reinsurers
- Payment and e-money institutions with high transaction volumes
- Financial market infrastructures (exchanges, central securities depositories, clearing)
Designated entities must perform a TLPT at least every three years; the authority can adjust the cadence on a risk basis.
What do Articles 26 and 27 require?
Article 26 (execution):
- TLPT on live production systems supporting critical or important functions
- Coverage of several or all critical functions of the entity
- Inclusion of relevant ICT third-party providers in the test where they support critical functions
- A threat-intelligence-led approach and supervisory oversight of the test
- Final report, remediation plan and an attestation issued by the authority
Article 27 (requirements for testers):
- Highest suitability and reputation, demonstrable technical and organisational capabilities
- Specific expertise in threat intelligence, penetration testing and red teaming
- Certifications or adherence to formal standards and methodologies
- Professional indemnity insurance and sound risk management
- The threat intelligence provider must be external; internal red teams are permitted only under narrow conditions - external specialists are the norm
TLPT and TIBER: how do they relate?
DORA defines the obligation, TIBER provides the methodology. The ECB-developed TIBER-EU framework was aligned with DORA in 2025 and is the established way to run a compliant TLPT:
- TIBER-EU - the European framework standard for threat-intelligence-based ethical red teaming
- TIBER-AT - the Austrian implementation led by the OeNB
- TIBER-DE - the German implementation by Bundesbank and BaFin
A test conducted in line with TIBER satisfies DORA's TLPT requirements. The details of the process - phases, roles, documents - are covered in our TIBER-AT guide.
How a TLPT runs
- Preparation: scoping of critical functions, appointment of white team and control team, provider selection.
- Threat intelligence: an external TI provider produces an entity-specific threat profile and realistic attack scenarios (approx. 4-6 weeks).
- Red teaming: the red team executes the scenarios covertly against the production environment - initial access, lateral movement, objective completion (active phase: at least 12 weeks, as required by the TLPT RTS).
- Closure & replay: joint replay of the attack paths with the blue team, final report, remediation plan and supervisory attestation.
How slashsec supports DORA TLPT
slashsec is a specialised red team from Vienna focused on adversary simulations across the DACH region. In TLPT engagements we act as the red team provider: from scenario development based on the threat intelligence, through covert execution, to the replay workshop and remediation plan - TIBER-AT-aligned and in close coordination with the white team and the authority.
Frequently asked questions about DORA TLPT
What is DORA TLPT?
The most advanced testing tier of DORA: a threat-intelligence-based red teaming assessment against a financial entity's live production systems. DORA has applied EU-wide since 17 January 2025.
Who has to perform a TLPT?
Only financial entities designated by the authorities - typically larger banks, insurers, payment providers and financial market infrastructures. Designated entities test at least every three years.
What is the difference between TLPT and TIBER?
DORA Articles 26/27 define the legal obligation; TIBER is the operational framework for execution. A TIBER-compliant test satisfies the TLPT requirements.
Who may provide the red team?
Article 27 requires demonstrable suitability, experience, methodology and insurance. The threat intelligence provider must be external; the red team may in theory be internal, but specialised external red teams are the norm in practice.
How long does a TLPT take and what does it cost?
A full cycle spans six to nine months. Realistic budgets start at around EUR 150,000 and increase with scope and complexity.