Q-Sec Blog

DORA Penetration Testing (TLPT): What Financial Entities Must Know in 2025

Written by Q-Sec Security Operations Center | 23 Mar, 2026

The Digital Operational Resilience Act (DORA) has been in full force across the EU since January 17, 2025. For financial entities — banks, insurers, investment firms, payment processors, FinTechs, and their critical ICT providers — DORA introduces one of the most prescriptive security testing mandates in European regulatory history: Threat-Led Penetration Testing (TLPT).

This article explains what TLPT is, who must conduct it, how it differs from a standard penetration test, and how Q-Sec can help your organization meet DORA's resilience testing requirements.

What Is TLPT Under DORA?

TLPT — Threat-Led Penetration Testing — is a form of advanced adversarial simulation that goes significantly beyond a standard penetration test. Where a conventional pentest checks for known vulnerabilities in a defined scope, TLPT uses real threat intelligence to simulate the tactics, techniques, and procedures (TTPs) of actual threat actors targeting your specific sector.

DORA's regulatory technical standards (RTS), aligned with the TIBER-EU framework, specify that TLPT must:

  • Be based on current threat intelligence specific to the financial entity and its sector
  • Involve red team testers simulating realistic adversary behavior over an extended engagement period
  • Cover production systems — not just test environments
  • Include a structured closure report reviewed by the entity's management body
  • Result in documented remediation actions tracked to completion

In February 2025, the Eurosystem updated the TIBER-EU framework to formally align with DORA's RTS, providing authoritative guidance on how TLPT should be conducted for DORA compliance purposes.

Who Must Undergo TLPT?

DORA applies to a broad range of financial entities, but TLPT is specifically required for entities that national competent authorities (NCAs) designate as significant. The threshold for significance typically considers factors such as size, systemic importance, and cross-border interconnectedness.

However, even entities not formally designated for TLPT are subject to DORA's broader digital operational resilience testing program, which includes:

  • Annual vulnerability assessments and network scanning
  • Gap analyses based on ICT risk management framework reviews
  • Annual penetration testing of critical applications and systems
  • Scenario-based testing and business continuity exercises

If your organization is a financial institution or an ICT provider classified as critical under DORA, Q-Sec's compliance consulting team can help you determine your testing obligations and build a compliant testing program.

TLPT vs Standard Penetration Testing: Key Differences

  Criterion           Standard Penetration Test         DORA TLPT
  ------------------  --------------------------------  ----------------------------------------
  Basis               Known vulnerability taxonomy      Threat intelligence on real adversaries
  Duration            Days to 2 weeks                   Weeks to months
  Environment         Test or production                Production systems only
  Minimum frequency   Annually (varies by standard)     Every 3 years for designated entities
  NCA oversight       Typically none                    Direct NCA involvement in process

DORA's Broader Testing Program: What Annual Tests Cover

For financial entities that are not designated for full TLPT, DORA still requires a comprehensive annual testing program. This is where most mid-sized financial organizations will focus their compliance efforts:

  • Vulnerability assessments: automated scanning of ICT infrastructure for known weaknesses
  • Open-source analyses: review of publicly available threat intelligence relevant to your technology stack
  • Network security assessments: evaluation of firewall rules, segmentation, and perimeter controls
  • Gap analyses: comparison of current controls against DORA's ICT risk management requirements
  • Physical security reviews: for entities with on-premise infrastructure
  • Application penetration testing: for critical business applications in scope

Q-Sec's penetration testing service covers the application and network layers of this annual program. Our Managed SIEM and SOC-as-a-Service cover continuous monitoring requirements year-round.

How DORA and NIS2 Interact for Financial Entities

Many financial entities are covered by both NIS2 and DORA. The regulatory answer is clear: where the two overlap, DORA takes precedence through a lex specialis principle. For a bank subject to both, DORA's ICT risk management, testing, and incident reporting requirements replace the equivalent NIS2 obligations — you follow DORA, not both in parallel.

However, organizations should not assume that DORA compliance automatically satisfies all NIS2 obligations. Governance and reporting structures may still require NIS2 alignment in areas DORA doesn't explicitly address. Our compliance consulting team can map your obligations across both frameworks.

Frequently Asked Questions

Does DORA require third-party testers for TLPT?

Yes. DORA's RTS on TLPT specifies that testers must be independent — either external providers or, in some cases, internal red teams that are structurally separated from the systems being tested. External testers are typically preferred because they bring sector-specific threat intelligence that internal teams rarely have access to.

What if our organization is not designated for TLPT?

You still have DORA testing obligations. Non-designated entities must run annual vulnerability assessments, penetration tests on critical applications, and scenario-based resilience tests. Q-Sec supports this annual program with scoped engagements and reporting aligned to DORA Article 26 requirements.

How does Q-Sec fit into a DORA compliance program?

Q-Sec operates as a managed security partner. We deliver the technical testing, provide DORA-aligned reports, and — through our SOC-as-a-Service — maintain the continuous monitoring that DORA's ICT risk management requirements demand. We work with organizations across the EU and are familiar with the reporting expectations of national competent authorities in the Netherlands, Poland, Germany, and elsewhere.

Q-Sec supports DORA compliance for mid-sized financial entities — penetration testing, continuous monitoring, and compliance consulting in one place. Contact team@q-sec.com