ISMSJan Kahmen5 min read

Testing Digital Operational Resilience under DORA

It is important for financial organizations to establish and regularly update TLPT to review their digital operational resilience.

Table of content

Which Measures Fall under the Term "Testing Digital Operational Resilience (TLPT )" within the DORA Context?

Under the DORA framework, financial organizations are required to establish and maintain a digital operational resilience testing program. This testing program is an integral part of the information and communication technology (ICT) risk management framework (Art. 6(5) DORA). Aims to test the effectiveness of the prevention, detection, response and recovery capabilities of ICT systems, processes and staff in order to detect and eliminate potential vulnerabilities. Includes a variety of tools and measures:

  • From simple vulnerability assessments and scans to comprehensive penetration testing, all funded organizations (under Article 25 of the Digital Operational Resilience Regulation) must perform basic testing.
  • Up to advanced testing such as TLPT - exclusively for financial companies that are mature enough at the IT level and are of relevant systemic importance (in accordance with Article 26 of the DORA).

What does the Abbreviation TLPT Mean in DORA?

TLPT stands for "Threat-Led Penetration Testing". This describes a framework that mimics the tactics, techniques and procedures of real attackers and enables a controlled, tailored and intelligence-led (red team) testing process to view a financial organization's critical live production systems as a real cyber threat.

What is the Added Value of Threat-Led Penetration Testing?

  1. identification of real vulnerabilities: Unlike traditional penetration testing, which often only targets known vulnerabilities, the threat-led approach is based on the analysis of threats and risks that are relevant to the specific organization. This identifies real vulnerabilities that could actually be exploited by attackers.

  2. consideration of context and business environment: Threat-Led Penetration Testing takes into account not only the technical aspects of an organization, but also the business environment, including infrastructure, applications, business processes and employee behavior. This allows threats and risks to be better understood and more targeted attack scenarios to be simulated.

  3. earlier detection of threats: By analyzing threats and risks, threat detection is also improved. Vulnerabilities and attack patterns can be identified and remedied before attackers can exploit them.

  4. improvement of the security strategy: The findings from the Threat-Led Penetration Test can be used to improve security strategies and take more targeted measures. As a result, vulnerabilities can be remedied more effectively and cost-efficiently.

Stakeholder Involvement in the Test Phase is an Important Part of the Test Methodology Itself

The TLPT Cyber Team acts as an assessor and confirms the correct execution of tests. It provides technical and procedural support and serves as a point of contact for the Control Team. It also maintains contact with external bodies.

The Manager of the Control Team acts as the central point of contact and decision-maker. On the one hand, his activities include the constant monitoring and control of important processes to ensure compliance with standards and guidelines. They are also responsible for risk management and take targeted measures to avoid potential risks.

The Blue Team, also known as the defense team, is active in cyber defense and is responsible for the security of the company. It consists of all employees outside the Control Team and is not informed about the execution of tests.

The Tester performs attack scenarios on the organization by using the information gathered by the TI provider and identifying vulnerabilities. He then documents the attack vectors.

Threat intelligence providers collect individual threat information from companies and create attack scenarios.


In summary, it can be said that the new TLPT brings some changes compared to TIBER-DE. Firstly, there is now a binding obligation for identified financial companies to implement the TLPT as a supervisory measure. This ensures a higher priority and better integration of the TLPT into the business processes of these companies.

Particularly noteworthy is the EU-wide recognition of test results, which makes it possible to implement standardized procedures more quickly and thus strengthen the resilience of the entire European financial sector. In addition, financial companies now have the option of using internal pentesters under certain conditions, which increases flexibility.

Overall, the TLPT introduces another important measure to improve IT security in the financial sector, which achieves greater effectiveness and Europe-wide harmonization through the points mentioned above.


Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: