Testing GuideEU

EU DORA Testing & TLPT Readiness

Build a repeatable testing program - and a TLPT capability that is production-safe and audit-ready.

Grounded in DORA Chapter IV and aligned to the ECB's TIBER-EU execution guidance.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
Sections
8

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 23, 2026
Updated Feb 23, 2026
Overview

DORA testing is a program, not a penetration test. Chapter IV expects a risk-based resilience testing programme that covers critical or important functions, produces remediation backlog, and validates fixes. For certain entities, DORA requires advanced testing via threat-led penetration testing (TLPT) on live production systems at least every three years. This guide shows how to build the program and evidence model, and how to use the ECB's TIBER-EU framework as an execution handbook.

Section 1

Testing program vs TLPT (how DORA structures testing)

DORA distinguishes a general testing programme (Articles 24-25) from advanced TLPT (Article 26).

Build the programme first; TLPT then becomes a specialized, governed test type within it.

  • Testing programme: continuous, risk-based testing across ICT systems and processes supporting critical or important functions.
  • TLPT: advanced, intelligence-led test on live production systems, covering several or all critical or important functions, with authority-validated scope.
  • Evidence model: both require test reports, remediation tracking, and validation that weaknesses are addressed.
Recommended next step

Turn EU DORA Testing & TLPT Readiness into an operational assessment

Assessment Autopilot can take EU DORA Testing & TLPT Readiness from turning this guidance into a repeatable review process to a reusable workflow inside Sorena. Teams working on EU DORA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow
Open Assessment Autopilot for EU DORA Testing & TLPT Readiness

Start from EU DORA Testing & TLPT Readiness and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step
Talk to Sorena
Talk through EU DORA

Review your current process, evidence gaps, and next steps for EU DORA Testing & TLPT Readiness.

Explore next step
Section 2

Article 24 - Digital operational resilience testing programme (operating model)

Your testing programme should define: what you test, how often, who tests (independence), how you remediate, and how you validate fixes.

Treat tests as inputs to engineering and risk governance, not as compliance PDFs.

  • Annual testing plan: scope coverage for critical or important functions; include scenario-based and technical tests.
  • Independence: for non-microenterprises, ensure tests are performed by independent parties (internal or external) and conflicts are avoided.
  • Remediation governance: prioritize, classify and remedy issues; validate closure with retesting and evidence (Article 24(5)).
  • Coverage: ensure at least yearly appropriate tests on all ICT systems and applications supporting critical or important functions (Article 24(6)).
Section 3

Article 25 - Testing methods catalogue (make it measurable)

Article 25 lists example test types: vulnerability assessments, open source analyses, network security assessments, gap analyses, physical security reviews, source code reviews, scenario-based tests, end-to-end tests, and penetration testing.

Build a "test catalog" with acceptance criteria and evidence outputs per test type.

  • Create a test catalog: test type -> objective -> target systems -> cadence -> evidence output -> owner.
  • Define "critical function coverage": minimum test coverage per critical or important function.
  • Automate where possible: scanning and continuous controls reduce manual effort and improve cadence.
  • Link to incident learnings: post-incident reviews should adjust testing scope and priorities.
Section 4

Article 26 - TLPT program readiness (design before you test)

TLPT is high-stakes because it runs on live production systems and mimics sophisticated attackers.

Design the governance and safety controls before you select a vendor or define scope.

  • Scope definition: identify underlying ICT systems, processes and technologies supporting critical/important functions; decide which functions must be covered; scope validated by competent authorities (Article 26).
  • Production safety: define guardrails, kill-switches, and comms rules; isolate unacceptable business risks.
  • Authority interactions: plan timeline for scope validation, approvals, and reporting expectations.
  • Evidence: TLPT scope documents, approvals, safety plan, test outputs, and remediation validation.
Section 5

RTS 2025/1190: identify whether you are likely to enter the TLPT population

The practical TLPT question is not only how to run a test. It is whether your entity is the kind of entity that competent authorities may identify for TLPT under the RTS.

Use that as an early-readiness filter so you do not wait for a supervisory signal before building governance, procurement criteria, and production-safety controls.

  • Track your systemic importance, cross-border footprint, and dependency on ICT supporting critical or important functions.
  • Treat TLPT readiness as a staged capability even if you are not yet formally identified: scope inventories, control-team model, authority interaction plan, and provider due diligence.
  • If you are likely to enter scope, align early with TIBER-EU so the execution method does not become the bottleneck.
Section 6

Article 27 - Tester requirements (vendor selection acceptance criteria)

DORA sets explicit expectations for TLPT testers: suitability, expertise, independence assurance, and insurance coverage.

Make these requirements procurement gate criteria.

  • Suitability and reputability; technical and organizational capabilities; specific expertise in threat intelligence, penetration testing and red teaming.
  • Certification or adherence to formal codes of conduct/ethical frameworks.
  • Independent assurance or audit report on sound management of TLPT risks and protection of confidential information.
  • Professional indemnity insurance covering misconduct and negligence.
  • Internal testers: require authority approval and conflict-of-interest protections; threat intelligence provider must be external.
Section 7

Using TIBER-EU as an execution handbook (practical TLPT implementation)

The ECB's TIBER-EU framework provides a structured, intelligence-led red teaming methodology and roles (blue team, threat intelligence provider, red team testers, control team, and oversight teams).

Use it to implement TLPT with a consistent, controlled process aligned to DORA expectations.

  • Define roles: blue team vs control team separation; threat intelligence and red team provider governance.
  • Follow phased execution: threat intelligence -> testing execution -> closure and improvements.
  • Procurement guidance: use published procurement guidance to select service providers and structure deliverables.
  • Evidence: keep deliverables by phase (TTI report, attack narratives, findings, remediation plans, retest evidence).
Section 8

Evidence pack checklist (audit-ready testing artifacts)

Testing evidence needs to show: coverage, independence, remediation, and learning.

Use this checklist to ensure outputs are exportable and consistent across entities.

  • Testing policy + annual testing plan + coverage map for critical/important functions.
  • Test catalog definitions and evidence outputs per test type.
  • Remediation and validation artifacts: tickets, retest reports, closure evidence.
  • TLPT program artifacts (where applicable): scope validation, tester due diligence, safety plan, TLPT reports, remediation and retest evidence.
  • Linkage to incident management: post-incident reviews driving test plan adjustments.
Primary sources

References and citations

ECB - TIBER-EU framework (January 2025)
ecb.europa.eu
Referenced sections
  • ECB execution guidance for threat intelligence-based ethical red teaming, commonly used as a structured TLPT implementation handbook in EU financial sector contexts.
Related guides

Explore more topics

DORA Applicability Test | Is EU DORA Applicable to Your Entity?
A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2.
DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk
High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means.
DORA ICT Risk Management Control Baseline | Chapter II + RTS 2024/1774
A deep DORA ICT risk management baseline: how to implement Chapter II of Regulation (EU) 2022/2554 as controls with acceptance criteria and evidence.
DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532
A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring.
DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301
A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules.
DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments
A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50).
DORA Register of Information (RoI) - How to Build It | Article 28 + ITS 2024/2956
Build an audit-ready DORA Register of Information (RoI): define scope and relational keys.
DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)
A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956).
DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness
A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations.
DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities
A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture.
EU DORA Checklist | DORA Compliance Checklist (Audit-Ready)
An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline.
EU DORA Compliance Guide | DORA Implementation Playbook
A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline.
EU DORA Deadlines & Compliance Calendar | Key Dates, RTS/ITS and Cadence
A DORA compliance calendar for Regulation (EU) 2022/2554: publication, entry into force, application date, key RTS and ITS including 2024/2956, 2025/301.
EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)
A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II).
EU DORA Scope & Covered Entities | Who Is In Scope (Article 2)
A practical scoping guide for EU DORA (Regulation (EU) 2022/2554): covered financial entities (Article 2), proportionality and simplified frameworks.