DORA Chapter IV: testing, and the TLPT that is not a normal pen test¶
Chapter IV is where DORA asks you to attack yourself. Articles 24 to 27 build a testing programme, and at the top sits threat-led penetration testing, TLPT, which is a different animal from the annual pen test most firms already buy. Today, the testing programme and who has to do the hard version.
Article 24 and 25: the programme¶
Article 24 requires a digital operational resilience testing programme as an integral part of the ICT risk management framework. Article 25 lists what "testing" can mean, and the range is broad: "vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions", and more. Testing under DORA is not one activity, it is a portfolio, scaled to your risk profile.
The baseline expectation is that ICT systems supporting critical or important functions get tested at least yearly. That is the floor. TLPT is the ceiling, and only some entities have to reach it.
Article 26: TLPT, the advanced test¶
Article 26 is precise about who and how often. Financial entities, other than those in the Article 16(1) simplified regime and other than microenterprises, which are identified by the authorities, "shall carry out at least every 3 years advanced testing by means of TLPT". Threat-led penetration testing means a red-team exercise driven by real threat intelligence, against live production systems supporting critical functions.
Two things make TLPT different from a normal pen test. It is intelligence-led, so the scenarios come from actual threat actors relevant to you, not a generic checklist. And it hits production, not a staging clone, which is why it is tightly controlled. The criteria for which entities are in scope are set in RTS 2025/1190, and most member states run the exercises using the ECB's TIBER-EU framework.
The connection people miss¶
TLPT scope starts from your critical or important functions, which is your Article 8 identification work again. If your asset and function mapping is wrong, your TLPT scope is wrong, and you will have spent a large budget testing the wrong things. Every chapter of DORA keeps reaching back to identification, because it is the foundation the rest stands on.
The artefact: testing obligations at a glance¶
| Test type | Who | How often |
|---|---|---|
| Testing programme (Art. 24) | All entities | Ongoing, part of the framework |
| Systems for critical functions (Art. 25) | All entities | At least yearly |
| TLPT (Art. 26) | Identified entities, not simplified-regime or microenterprises | At least every 3 years |
| Scope basis | Critical or important functions | From Article 8 mapping |
| Framework used | TIBER-EU in most member states | Per RTS 2025/1190 criteria |
The TLPT criteria (RTS 2025/1190) and the TIBER-EU framework are both linked from the DORA resource library.
Next in this series: Chapter V, third-party risk, the register of information, and the contract clauses DORA now requires in writing.