DORA TLPT Requirements and Scope for Financial Entities

DORA TLPT requirements: Article 26 scope, RTS timeline, compliance deadlines. Financial entities identified for threat-led penetration testing must complete their first test by January 17, 2028. Plan now.
Frequently Asked Questions
- What is DORA and whom does it bind? The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied since January 17, 2025. It imposes ICT risk management, ICT incident reporting, digital operational resilience testing and ICT third-party risk management on the EU financial entities listed in Article 2: banks, insurers and reinsurers, investment firms, crypto-asset service providers, payment and e-money institutions, fund managers, market infrastructures and others, with proportionality for smaller entities. DORA itself fixes no percentage fine for financial entities; administrative penalties and remedial measures are laid down by each Member State under Article 50 and enforced by the national competent authorities. The turnover-based figure written into DORA applies elsewhere: the Lead Overseer may impose periodic penalty payments of up to 1 percent of average daily worldwide turnover on critical ICT third-party service providers (Article 35).
- Who must run TLPT, and by when? Only financial entities identified by their competent authority under Article 26(8) (an estimated 8,447 across the EU by this page's count) are obliged to run TLPT; microenterprises and the small entities covered by Article 16 are excluded outright. Identification rests on impact on the financial sector, financial stability concerns including systemic character, and the entity's specific ICT risk profile, ICT maturity and technology features, which the RTS turns into concrete criteria such as total assets, payment volumes, dependence on critical ICT third-party providers and cross-border activity. TLPT must be repeated at least every three years, and the authority can raise or lower that frequency, so an entity in scope from the start of DORA application must have completed its first test by January 17, 2028. Entities not identified for TLPT are not off the hook: they still have to run the general digital operational resilience testing programme of Articles 24 and 25 every year. The simplified ICT risk management framework of Article 16 applies only to the narrow set of small entities named there, not to everyone below the TLPT thresholds.
- How does TLPT differ from a conventional penetration test? A conventional penetration test enumerates technical weaknesses in an agreed scope, usually with the defenders aware of it. TLPT is threat-led: an external threat intelligence provider builds a targeted threat profile for the entity and its sector, and the testers emulate end to end the tactics, techniques and procedures of the threat actors most relevant to it. Article 26(2) requires the test to run against the live production systems supporting several or all critical or important functions, and the blue team is deliberately kept unaware that a test is under way. Article 26(11) ties the RTS to the TIBER-EU framework, so a test runs through TIBER-EU's preparation, testing and closure phases, coordinated by a small control (white) team inside the entity. Testers may be external, or internal where the competent authority approves this under Article 26(8), but the threat intelligence provider must always be external. After the test the entity submits a summary of findings, its remediation plans and evidence of compliant execution to the competent authority, which issues an attestation (Article 26(6)).
- What do the RTS add? The RTS on TLPT (Commission Delegated Regulation (EU) 2025/1190, adopted under Article 26(11) and published in the Official Journal in July 2025) details how entities are identified, what the scope must cover, how the control team, blue team, threat intelligence provider and testers are organised, the requirements testers must meet on top of Article 27, the minimum content of the threat intelligence, test and remediation reports, and the closure phase. In practice an in-scope entity must: appoint a control team that scopes the test and keeps it secret from the defenders; identify every ICT system, process and technology supporting the critical or important functions in scope, including those run by ICT third-party providers (Article 26(3)); contract an external threat intelligence provider and testers who satisfy Article 27 (suitability, certifications, professional indemnity insurance, sound handling of results); derive the attack scenarios from the targeted threat intelligence rather than from a generic checklist; run the red-team phase on production; and close with a test report and a remediation plan that assigns an owner and date to every finding, a summary of which goes to the competent authority for attestation. Internal testers are optional, not mandatory, and need the authority's prior approval.
- What does it cost and how long does it take? Budget on the order of 300,000 to 1.5 million euros and 6 to 12 months per cycle, from procurement of the threat intelligence provider and testers through to the attestation; the RTS sets a minimum of twelve weeks for the active red-team phase alone. Internal costs include control-team and executive time, the secure infrastructure and leg-up arrangements the test needs, blue-team replays and purple-teaming in the closure phase, and staff training. Planning early reduces exposure to scarce provider capacity as the 2028 deadline approaches (entities contracting before 2027 can expect to pay noticeably less than late procurers; the estimate here is 20 to 30 percent) and lets the test be folded into the existing ICT risk management and Article 24 testing programme rather than bolted on. Missing the deadline exposes the entity to the administrative penalties and remedial measures that Member States apply under Article 50 and to heightened supervisory scrutiny; DORA itself prescribes no daily fine for financial entities.