Threat-led penetration testing is now a legal obligation for a designated subset of EU financial entities, not a best-practice suggestion. Under Article 26 of the Digital Operational Resilience Act, entities identified by their competent authority must "carry out at least every 3 years advanced testing by means of TLPT," performed on live production systems that support critical or important functions. DORA itself has applied across the EU since 17 January 2025; it reaches roughly 20 categories of financial entity, and the European Commission frames it as harmonising operational-resilience rules across the sector. The specialised standard that governs how these tests run, Commission Delegated Regulation (EU) 2025/1190, became applicable on 8 July 2025. In short: the rules are live, the clock is running, and a designated firm cannot substitute a normal pentest to satisfy them.
This playbook answers the core question directly. TLPT under DORA is an intelligence-led red team exercise, modelled on the European Central Bank's TIBER-EU framework, in which accredited threat-intelligence and red-team providers emulate real adversaries against your production estate while most of your own defenders stay unaware. It is mandatory only for entities their supervisor designates, it repeats at least every three years, and it demands testers who clear a high qualification bar set out in DORA Article 27. This guide is written for compliance, risk, and security leaders at EU and UK financial entities who expect a TLPT designation and need to understand the lifecycle, the cadence, the tester rules, and how to get test-ready in 2026 before procurement scarcity bites.
This is the Stingrai research team's canonical 2026 reference on DORA TLPT. It draws only on primary regulatory sources: the DORA Regulation and its Articles 26 and 27, the TLPT Regulatory Technical Standards in Commission Delegated Regulation (EU) 2025/1190, the ECB's TIBER-EU framework, and guidance from the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA). Where a figure could not be traced to a named primary source, it was dropped rather than estimated. Every claim below links to its source so any statement can be audited inline. Regulatory content is current to July 2026.
TL;DR: what a designated firm needs to know
TLPT is mandatory for designated entities (Article 26): identified financial entities must "carry out at least every 3 years advanced testing by means of TLPT" on live production systems (DORA Article 26).
You are designated, not self-selected: competent authorities identify which entities must perform TLPT using impact, financial-stability, and ICT-risk criteria (DORA Article 26(8)).
The specialised standard is live: the TLPT Regulatory Technical Standards, Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025, were published in the Official Journal on 18 June 2025 and applicable from 8 July 2025 (EUR-Lex).
It follows TIBER-EU: DORA TLPT is built on the ECB's threat intelligence-based ethical red-teaming framework, first published in May 2018 and updated to align with DORA (ECB TIBER-EU).
Scope is production, not staging: each test must cover several or all critical or important functions and run on live production systems (DORA Article 26(2)).
The outcome is not pass or fail: TIBER-EU tests reveal strengths and weaknesses in cyber-resilience measures rather than issuing a grade (ECB TIBER-EU).
Testers face a high bar (Article 27): external testers need proven threat-intelligence and red-team expertise, certification by an accreditation body or adherence to a formal code of conduct, independent assurance, and professional indemnity insurance (DORA Article 27).
External testers are periodically required: entities using internal testers must contract external testers at least every third test, and significant credit institutions must use external testers only (DORA Articles 26(8) and 27).
The threat-intelligence provider must be independent: where internal red-team testers are used, the threat-intelligence provider must be external to the financial entity (DORA Article 27).
A single test is a multi-month program: the TIBER-EU-aligned lifecycle runs roughly three to six months across preparation, threat intelligence, active red teaming (about 10 to 12 weeks), and closure (ECB TIBER-EU).
Key takeaways
TLPT is not a bigger penetration test; it is a different exercise. A standard pentest is scope-defined and checklist-driven, often against staging. DORA TLPT emulates a specific, intelligence-led adversary against live production functions while your defenders stay unaware, and it is coordinated with your supervisor under the TIBER-EU model. Treating it as an upsized pentest is the single most common planning mistake.
Designation, not risk appetite, sets the obligation. Your competent authority decides whether you must run TLPT, based on impact and ICT-risk criteria in Article 26(8) and the criteria in the TLPT RTS. Larger banks, systemic insurers, key market infrastructures, and major payment and crypto-asset players are the obvious candidates, but the trigger is a supervisory decision, so confirm your status early.
The qualified-provider pool is small, and demand is concentrated. Article 27 sets a demanding bar for testers, and the recognised accreditation routes in the UK financial sector, CREST's STAR-FS and the Bank of England's CBEST, admit only a limited number of firms. When many designated entities hit their first cycle in the same window, capacity gets tight. Procuring early is a competitive advantage, not just good hygiene.
Every three years is a floor, and readiness decays fast. The three-year cadence is a minimum; supervisors can require more frequent testing based on risk. More importantly, a point-in-time test measures one moment, and estates drift within weeks. The firms that pass cleanly are the ones already running continuous adversary emulation between formal cycles.
What is threat-led penetration testing (TLPT) under DORA?
Threat-led penetration testing is a controlled, intelligence-led simulation of a real cyberattack against a financial entity's most important live systems. Rather than working from a generic checklist, the test is driven by bespoke threat intelligence about who would realistically attack the entity and how, then executed by a red team that emulates those specific tactics, techniques, and procedures. DORA anchors the requirement in Article 26 and requires that each test "cover several or all critical or important functions of a financial entity" and be "performed on live production systems supporting such functions."
The method comes from the ECB's TIBER-EU framework, which stands for Threat Intelligence-based Ethical Red Teaming. First published in May 2018 and developed jointly by the ECB and the EU national central banks, TIBER-EU was updated to serve as the operational reference for DORA-mandated TLPT. Its defining features carry straight into DORA: tests "mimic the tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence," they target "critical functions of an entity and its underlying systems, i.e. its people, processes and technologies," and crucially, "the outcome is not a pass or fail. Instead the test is intended to reveal the strengths and weaknesses of the cyber resilience measures." More than 20 European countries have adopted TIBER-EU national implementations.

TLPT versus a standard penetration test
The distinction matters because a normal pentest, however thorough, does not satisfy the TLPT obligation. The differences are structural.
| Dimension | Standard penetration test | DORA TLPT |
|---|---|---|
| Driver | Predefined scope and checklist | Bespoke threat intelligence on real adversaries |
| Environment | Often staging or test systems | Live production systems supporting critical functions |
| Goal | Find and report vulnerabilities | Emulate a specific adversary and reach agreed objectives |
| Defender awareness | Blue team usually informed | Blue team unaware; only a small control team knows |
| Oversight | Internal or contractual | Coordinated with the competent authority |
| Outcome | Findings report | Strengths and weaknesses assessment, no pass or fail |
| Cadence | Ad hoc or annual | At least every three years, on designation |
Sources: DORA Article 26; ECB TIBER-EU. The takeaway for planning is simple: TLPT tests your detection and response under realistic conditions, not just your patch hygiene. Our explainer on penetration testing versus vulnerability assessment covers why compliance frameworks increasingly demand the adversary-emulation end of that spectrum.
Who must do TLPT, and who decides?
The most important point for any risk leader is that TLPT is not self-selected. Under Article 26(8), "competent authorities shall identify financial entities that are required to perform TLPT" using criteria based on impact, financial-stability considerations, and ICT-risk profile. The detailed identification criteria live in Commission Delegated Regulation (EU) 2025/1190, the RTS that "specifies the criteria used for identifying financial entities required to perform threat-led penetration testing."
DORA applies broadly, to roughly 20 categories of financial entity per the European Commission, but only a subset of those will be designated for TLPT. Entities most likely to be in scope include:
Significant credit institutions and systemically important banks
Large insurance and reinsurance undertakings
Central counterparties, central securities depositories, and trading venues
Major payment institutions and electronic money institutions
Significant crypto-asset service providers and large investment firms
Two Article 26 nuances often catch firms off guard. First, the obligation reaches your supply chain: entities must "ensure the participation of" the ICT third-party service providers that support the critical functions in scope, while retaining full responsibility for compliance. Second, DORA permits pooled testing: several entities can run a joint TLPT when a shared third-party provider's individual participation might otherwise disrupt services to customers outside the regulated perimeter. If your critical functions sit substantially with a cloud or SaaS provider, factor that provider's cooperation and lead time into your plan now.
The DORA TLPT lifecycle: notification to closure
A DORA TLPT is a multi-month program, not an engagement you can stand up in a fortnight. The TIBER-EU-aligned lifecycle runs across four phases. Active red teaming alone typically takes 10 to 12 weeks, and the full engagement, once authority coordination and remediation are included, commonly spans six to twelve months.

Phase 1: Preparation and scoping (about 4 to 6 weeks)
The engagement formally begins after designation and notification by the competent authority. In this phase the entity stands up its control team (the small internal group that manages the test with full knowledge) and white team, engages the authority's TLPT or TIBER cyber team, and defines the scope: which critical or important functions, and which underlying people, processes, and technologies, will be tested. Under Article 26(2), the entity must "identify all relevant underlying ICT systems, processes and technologies supporting critical or important functions," including those outsourced to third parties. Provider procurement, if not already in place, happens here, and it is the single biggest schedule risk.
Phase 2: Threat intelligence (about 4 to 6 weeks)
An external threat-intelligence provider builds a targeted threat-intelligence report: who would realistically attack this entity, with what motivation, and using which tactics. The report translates the national or sector-level generic threat landscape into entity-specific attack scenarios. Under Article 27, where internal red-team testers are used, "the threat intelligence provider is external to the financial entity," so the intelligence and the red team are kept independent.
Phase 3: Red team testing (about 10 to 12 weeks)
The red team executes the agreed scenarios against live production systems, attempting to reach defined objectives (often called flags) while the entity's blue team remains unaware. This active window is the core of the test and, in TIBER-EU practice, is the phase that most benefits from generous time: real adversaries are patient, and a compressed window produces an unrealistic exercise. Only the control team knows the test is underway, which is what makes the detection-and-response measurement meaningful.
Phase 4: Closure (about 2 to 4 weeks)
After testing, the red team and threat-intelligence provider deliver their reports, and the entity, its testers, and typically its blue team run a replay or purple-teaming session to walk through what happened, what was detected, and what was missed. The entity produces remediation plans, and under Article 26(7) the authority provides "an attestation confirming that the test was performed in accordance with the requirements," which supports mutual recognition of the test across jurisdictions. This is also where the real security value is captured: the findings are only worth the remediation and detection improvements they drive.
Tester and provider qualification under Article 27
The people who run a TLPT face a qualification bar far above a standard pentest engagement. DORA Article 27 requires that external testers:
Are "of the highest suitability and reputability."
Possess "technical and organisational capabilities" and "demonstrate specific expertise in threat intelligence, penetration testing and red team testing."
Are "certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks."
Provide "an independent assurance, or an audit report, in relation to the sound management of risks."
Carry "professional indemnity insurances, including against risks of misconduct and negligence."
There are additional guardrails for internal testers. Using internal red-teamers requires competent-authority approval, sufficient dedicated resources with conflicts of interest avoided, and, as noted, an external threat-intelligence provider. On top of that, entities using internal testers must contract external testers at least every third test, and significant credit institutions must use external testers only.
In practice, the recognised routes to demonstrating this expertise in the financial sector include CREST's STAR-FS scheme and the Bank of England's CBEST, both of which pair an accredited threat-intelligence discipline with an accredited red-team discipline. STAR-FS focuses on intelligence-led penetration testing for financial institutions and admits only a limited pool of accredited providers, so capacity is genuinely constrained. When evaluating a partner, firm-level accreditation is a meaningful quality signal. Stingrai is a CREST-accredited penetration testing service provider, which speaks to the firm's methodology and process rigour; a DORA TLPT engagement specifically also requires the relevant threat-intelligence and red-team accreditations and a paired threat-intelligence provider, so confirm the exact scheme fit for your jurisdiction before you contract.
How to get TLPT-ready in 2026: a readiness checklist
The firms that navigate their first cycle calmly do the groundwork long before the notification lands. Here is the concrete readiness sequence.

Confirm your likely designation status. Engage your competent authority early and map your profile against the identification criteria in the TLPT RTS. Assume designation if you are a significant bank, systemic insurer, key market infrastructure, or major payment or crypto-asset player.
Map your critical or important functions precisely. Article 26(2) requires you to identify all underlying ICT systems, processes, and technologies supporting those functions, including outsourced ones. This inventory is the backbone of scoping and is worth getting right well ahead of time.
Line up ICT third-party cooperation. If critical functions sit with cloud or SaaS providers, secure their contractual willingness to participate now. Provider coordination is a common source of delay.
Stand up your control and white teams. Decide who inside the firm will manage the test in confidence, and rehearse the confidentiality discipline that keeps the blue team genuinely unaware.
Procure accredited providers early. The Article 27 bar plus the small accredited-provider pool means capacity tightens in designation-heavy windows. Contract your threat-intelligence and red-team partners before the rush.
Run continuous adversary emulation between cycles. This is the difference-maker. A three-year cadence is a floor, not a security program. Standing red team and PTaaS coverage keeps detection-and-response capability sharp so the formal TLPT confirms readiness rather than exposing it.
Where Stingrai fits: staying perpetually TLPT-ready
The formal TLPT is a snapshot; your attack surface changes every sprint. What keeps a firm ready between mandated cycles is continuous offensive testing, and that is where Stingrai focuses. Stingrai's red teaming and adversary simulation practices emulate realistic threat actors against your environment on an ongoing basis, so detection and response gaps surface and get fixed continuously rather than once every three years. Stingrai's continuous PTaaS and application testing keep the critical functions in your likely TLPT scope under constant pressure, and this offensive testing supports your DORA operational-resilience program and the evidence you present to supervisors. Founded in 2021 and headquartered in Toronto with a London office, Stingrai is a CREST-accredited penetration testing service provider whose team holds certifications including OSCP, OSCE3, OSWE, CRTO, and CREST CRT. For engagement scoping and pricing, see the Stingrai pricing page.
Frequently Asked Questions
What is threat-led penetration testing (TLPT) under DORA, and who must do it?
TLPT is an intelligence-led red team exercise that emulates a real adversary against a financial entity's live production systems supporting critical or important functions. Under DORA Article 26, designated entities must carry it out "at least every 3 years." You do not opt in: your competent authority identifies which entities must perform TLPT using impact, financial-stability, and ICT-risk criteria set out in Article 26(8) and the TLPT RTS. The likely designated population includes significant banks, systemic insurers, key market infrastructures, and major payment and crypto-asset providers.
What is the difference between TLPT and TIBER-EU?
TIBER-EU is the ECB's threat intelligence-based ethical red-teaming framework, first published in May 2018, that describes how authorities, entities, threat-intelligence providers, and red teams run controlled adversary-emulation tests. TLPT is the legal obligation created by DORA. In practice, DORA-mandated TLPT is delivered using the TIBER-EU methodology, which was updated to align with DORA. Put simply: TIBER-EU is the how, and DORA TLPT is the must.
How often is TLPT required under DORA?
At least every three years for designated entities, per Article 26(1): entities "shall carry out at least every 3 years advanced testing by means of TLPT." Competent authorities can require testing more or less frequently based on an entity's risk profile and operational circumstances, but three years is the baseline minimum.
How long does a DORA TLPT take from start to finish?
A single test runs roughly three to six months of active work across four phases: preparation and scoping (about 4 to 6 weeks), threat intelligence (about 4 to 6 weeks), red team testing (about 10 to 12 weeks), and closure (about 2 to 4 weeks), based on the TIBER-EU lifecycle. Once authority coordination, provider procurement, and remediation are added, most firms should plan for a six to twelve month program end to end.
Which systems are in scope for a TLPT?
The test must cover several or all of the entity's critical or important functions and, per Article 26(2), be "performed on live production systems." The entity must "identify all relevant underlying ICT systems, processes and technologies supporting critical or important functions," including those outsourced to ICT third-party service providers, who must participate in the test.
Who is qualified to run a DORA TLPT?
External testers must meet the Article 27 bar: highest suitability and reputability, specific expertise in threat intelligence and red-team testing, certification by an accreditation body or adherence to a formal code of conduct, independent assurance, and professional indemnity insurance. In the financial sector, recognised routes include CREST STAR-FS and the Bank of England's CBEST. Where internal red-teamers are used, the threat-intelligence provider must be external, and significant credit institutions must use external testers only.
Can we use our internal red team, or an existing penetration testing vendor?
Sometimes, but with conditions. Internal testers require competent-authority approval, dedicated resources with conflicts of interest avoided, and an external threat-intelligence provider under Article 27. Entities using internal testers must also contract external testers at least every third test. A general penetration testing vendor does not automatically qualify: TLPT requires the specific threat-intelligence and red-team accreditations and the intelligence-led methodology described above.
Does a normal penetration test satisfy the DORA TLPT requirement?
No. A standard penetration test is scope-defined, often runs against staging, and typically informs the blue team in advance. A DORA TLPT is intelligence-led, runs on live production critical functions with the blue team unaware, and is coordinated with the competent authority. The two are complementary: continuous penetration testing keeps you ready, but only a TLPT delivered under the TIBER-EU methodology satisfies the obligation.
How should a firm prepare for its first TLPT in 2026?
Confirm your likely designation with your competent authority, map your critical or important functions and their underlying systems precisely, secure ICT third-party cooperation, stand up your control and white teams, and procure accredited threat-intelligence and red-team providers early before designation-year scarcity hits. Most importantly, run continuous adversary emulation between cycles so the formal test confirms readiness rather than revealing gaps. Stingrai's red teaming and PTaaS programs are designed to keep firms perpetually test-ready.
References
European Parliament and Council. Regulation (EU) 2022/2554 (Digital Operational Resilience Act), Article 26: Advanced testing of ICT tools, systems and processes based on TLPT. Applied from 17 January 2025. https://www.digital-operational-resilience-act.com/Article_26.html. Establishes the TLPT obligation, the at-least-every-three-years cadence, production-system scope, third-party participation, pooled testing, mutual-recognition attestation, and authority-led identification of designated entities.
European Parliament and Council. Regulation (EU) 2022/2554 (DORA), Article 27: Requirements for testers for the carrying out of TLPT. https://www.digital-operational-resilience-act.com/Article_27.html. Sets tester qualifications: suitability and reputability, threat-intelligence and red-team expertise, accreditation-body certification or code-of-conduct adherence, independent assurance, professional indemnity insurance, and the external threat-intelligence-provider condition.
European Commission. Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025 (Regulatory Technical Standards on TLPT). Published in the Official Journal 18 June 2025; applicable 8 July 2025. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202501190. Specifies criteria for identifying entities required to perform TLPT, internal-tester requirements, and the scope, methodology, and phases of testing.
European Central Bank. TIBER-EU: European framework for Threat Intelligence-based Ethical Red-teaming. First published May 2018; updated to align with DORA. https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html. Defines the participant roles, the intelligence-led red-team methodology, the not-pass-or-fail outcome model, and the multi-phase lifecycle that DORA TLPT follows.
European Insurance and Occupational Pensions Authority (EIOPA). Digital Operational Resilience Act (DORA). https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en. Confirms the 17 January 2025 application date and the operational-resilience objectives for the financial sector.
European Banking Authority (EBA). Joint Regulatory Technical Standards specifying elements related to threat-led penetration tests. https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/joint-regulatory-technical-standards-specifying-elements-related-threat-led-penetration-tests. The joint ESA RTS underpinning Delegated Regulation (EU) 2025/1190, applicable 8 July 2025.
CREST. STAR-FS: intelligence-led penetration testing for financial services. https://www.crest-approved.org/launch-of-star-fs-brings-greater-resilience-to-financial-services-sector/. Describes the STAR-FS accreditation scheme that pairs accredited threat-intelligence and red-team disciplines for financial-sector testing.