Trusq

factual analysis · traceable to primary sources

Explainer

Resilience testing under DORA: from basic tests to TLPT

Adopted 2026-06-28 · ≈ 1 min read · Dirk Baaijen

DORA requires financial entities to test their digital resilience periodically. Significant entities must also perform a threat-led penetration test (TLPT) at least every three years.

Short answer: DORA requires a testing programme for digital operational resilience, proportionate to your size and risk profile. All in-scope entities test periodically; significant entities additionally perform a threat-led penetration test (TLPT) at least every three years.

The basic testing programme

The programme includes vulnerability assessments and scans, open-source analyses, network security tests, gap analyses, scenario and penetration tests, and tests of business continuity and recovery. Critical ICT systems are tested at least annually. Tests are carried out by independent parties (internal or external) and findings are followed up.

TLPT for significant entities

Entities designated as significant by their supervisor must perform a threat-led penetration test on live production systems supporting critical functions. The TLPT requirements align with the TIBER-EU framework. The test takes place at least once every three years (the supervisor may adjust the frequency) and may involve third-party ICT providers delivering critical functions.

Plan it as a cycle

Treat testing not as a one-off but as a recurring cycle that feeds your ICT risk framework: findings lead to remediation, which you test again. Align the schedule with your incident and continuity processes.

Read also: DORA guide and Third-party ICT risk and oversight.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
    Regulation (EU) 2022/2554 (DORA), Chapter IV: digital operational resilience testing and TLPT.
  2. https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-dora
    ESAs: RTS on threat-led penetration testing (TLPT), aligned with the TIBER-EU framework.


About this knowledge base

Compiled and maintained by YRproject, programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.