Artifact GuideEU DORA

DORA TLPT eligibility workflow

Use this workflow to prepare a grounded TLPT eligibility file before or after a TLPT authority asks whether a financial entity must perform threat-led penetration testing.

The workflow separates authority identification, impact and systemic relevance, critical-or-important-function scope, control-team readiness, provider evidence, and group or cross-border coordination.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA TLPT eligibility is not a self-selected penetration-test program. Competent authorities or designated TLPT authorities identify financial entities for advanced threat-led penetration testing by looking at impact, systemic character, ICT risk profile, and ICT maturity. The practical file should show why the entity is or is not likely to be selected, which critical or important functions would be in scope, and whether governance and evidence are ready for authority validation.

Section 1

Start with the authority process, not an internal threshold

Under DORA Article 26, financial entities identified for TLPT carry out advanced threat-led penetration testing at least every three years, with the competent authority able to adjust frequency based on risk profile and operational circumstances. The selection decision is authority-led: Member States may designate a single public authority for TLPT matters, and delegated tasks do not remove the relevant competent authority role where tasks remain with it.

Build the eligibility file around the authority that can act on the entity. Record the entity's DORA financial-entity type, home Member State, competent authority, any designated TLPT authority, and whether any tasks have been delegated to another national authority. For significant credit institutions and cross-border entities, record the Union or national supervisory links instead of assuming a single local contact.

  • Authority record: competent authority under DORA, any designated TLPT authority, delegated TLPT tasks, and the named contact channel once notified.
  • Entity record: financial-entity category, licences or authorisations, Member States of operation, and group or branch structure relevant to TLPT coordination.
  • Frequency record: previous TLPT date or equivalent advanced test, current authority request, and any written authority change to the default three-year frequency.
  • Evidence limit: do not create a private numerical cut-off unless it comes from the TLPT RTS or from the authority's written instruction.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
DORA Article 26 establishes TLPT frequency, authority identification, designated TLPT authorities, attestations, pooled testing, and use of testers.
Delegated Regulation (EU) 2025/1190 on DORA TLPT criteria
The TLPT RTS states that TLPT authorities identify entities and clarifies authority responsibilities for test managers, validation, cross-border, joint, and pooled TLPTs.
Section 2

Record selection criteria without inventing extra tests

The 2025 TLPT RTS gives the selection structure. TLPT authorities assess impact, systemic character, and ICT risk profile. Impact and systemic factors include size, services across one or more Member States, interconnectedness with other financial entities, criticality or importance of services for the financial sector, substitutability, business-model complexity, and group-level systemic character where ICT systems are shared.

The RTS then names categories that must perform TLPT unless the authority's overall assessment shows the TLPT is not justified. Those categories include G-SIIs, O-SIIs and entities in those groups, certain high-volume payment and e-money institutions, central securities depositories, central counterparties, qualifying electronic trading venues, and qualifying insurance or reinsurance undertakings. Use those criteria as evidence categories, not as a guarantee of selection or exclusion.

  • Impact evidence: market-share position where available, range of activities, Member States served, service criticality, substitutability, and concentration of important services.
  • Systemic evidence: G-SII or O-SII status, group membership, shared ICT systems, ICT intra-group service providers, and dependencies that could affect national or Union financial stability.
  • ICT risk evidence: threat landscape, dependence of critical or important functions on ICT, ICT architecture complexity, third-party or intra-group ICT service reliance, supervisory findings, business-continuity maturity, response and recovery maturity, and security monitoring capability.
  • Category evidence: map only the RTS-supported categories and quantitative criteria that apply to the entity; do not add unsupported revenue, employee-count, client-count, or incident-count thresholds.
Sources for this answer
Delegated Regulation (EU) 2025/1190 on DORA TLPT criteria
Article 2 lists the impact, systemic, and ICT-risk factors TLPT authorities use and the financial-entity categories that normally require TLPT unless the authority assessment does not justify it.
Regulation (EU) 2022/2554 (DORA)
DORA Article 26 requires competent authorities to identify TLPT entities by impact-related factors, financial-stability concerns, and specific ICT risk profile or maturity.
Section 3

Prepare the scope and readiness file before notification

Once a TLPT authority notifies a financial entity that a TLPT is to be carried out, the 2025 RTS requires initiation information within three months and a management-body-approved scope specification document within six months. That scope document must list all critical or important functions identified by the financial entity and explain why each function is included or excluded.

Readiness evidence should therefore exist before notification. Keep a current inventory of critical or important functions, supporting ICT systems, outsourced or intra-group ICT services, jurisdictions where systems are used, and preliminary confidentiality, integrity, authenticity, and availability flags. Where a third-party or intra-group provider supports a critical or important function, record how participation, safeguards, pooled testing, or joint testing would be handled.

  • Initiation pack: project charter, high-level project plan, control team lead, tester approach, secure communication channels, and code name.
  • Scope pack: all critical or important functions, inclusion or exclusion rationale for each function, supporting ICT systems, outsourced-provider names, jurisdictions, and preliminary flags.
  • Risk pack: live-production testing risks, possible financial-sector or financial-stability impact, crisis escalation risk, data corruption risk, interruption risk, blue-team activity risk, and restoration risk.
  • Provider pack: evidence that threat intelligence providers and external testers meet RTS criteria, including experience, references, insurance, separation, conflict management, restoration procedures, and prohibited activities.
Sources for this answer
Delegated Regulation (EU) 2025/1190 on DORA TLPT criteria
Articles 4, 5, 7, 9, and Annex II define control-team arrangements, TLPT risk management, provider selection evidence, initiation information, and scope specification content.
Regulation (EU) 2022/2554 (DORA)
DORA Article 26 requires TLPT to cover several or all critical or important functions and live production systems supporting those functions.
Section 4

Govern the test as an authority-validated resilience exercise

A DORA TLPT is not ordinary vulnerability scanning. The TLPT authority participates in all phases, validates key documentation, and can prevent contracting where selected providers do not meet DORA, RTS, or lawful national-security requirements. The financial entity remains responsible for the impact of the test even when providers and ICT third-party service providers participate.

For group, cross-border, joint, or pooled testing, identify the lead TLPT authority and the other TLPT authorities that may participate as observers or test managers. If the entity uses shared ICT systems, an ICT intra-group service provider, or a third-party provider used by multiple financial entities, record why an individual, joint, or pooled TLPT is appropriate and how the scope remains effective.

  • Governance evidence: management-body approval of scope, control team lead mandate, need-to-know restrictions, secrecy arrangements, authority validations, and escalation process.
  • Testing evidence: targeted threat intelligence report, selected scenarios, red team test plan, weekly progress reporting, leg-ups, change approvals, suspension or limited purple-team decisions, and active red-team testing duration.
  • Closure evidence: red team report, blue team report, replay and purple teaming outputs, test summary report, remediation plan, attestation, and notification to the relevant competent authority where different from the TLPT authority.
  • Cross-border evidence: host Member States with critical or important functions, other TLPT authorities involved, lead authority decision, shared ICT systems, intra-group service providers, and pooled-testing rationale.
Sources for this answer
Delegated Regulation (EU) 2025/1190 on DORA TLPT criteria
The RTS sets authority validation points, test-manager involvement, closure reports, remediation-plan content, attestations, and cooperation rules for cross-border, joint, and pooled TLPTs.
ECB note on TIBER-EU and DORA TLPT
The ECB grounding explains that TIBER-EU can support DORA TLPT when formal TLPT requirements set by competent authorities are fulfilled.
Recommended next step

Prepare TLPT scope, authority, and evidence records

Sorena can help turn DORA TLPT selection criteria into a cited eligibility record, critical-function scope file, provider evidence pack, and remediation-ready governance workflow.

Research workflow
Open Research Copilot for DORA TLPT

Ask source-linked questions about TLPT selection, critical or important functions, provider criteria, test phases, remediation, and attestations.

Explore next step
Talk to Sorena
Review DORA TLPT readiness

Check whether your TLPT authority, entity category, scope evidence, control team, providers, and governance records are ready for authority validation.

Explore next step
Primary sources

References and citations

Delegated Regulation (EU) 2025/1190 on DORA TLPT criteria
eur-lex.europa.eu
Referenced sections
  • The RTS sets authority validation points, test-manager involvement, closure reports, remediation-plan content, attestations, and cooperation rules for cross-border, joint, and pooled TLPTs.
"participate to all the phases"
ECB note on TIBER-EU and DORA TLPT
ecb.europa.eu
Referenced sections
  • The ECB grounding explains that TIBER-EU can support DORA TLPT when formal TLPT requirements set by competent authorities are fulfilled.
"fulfil DORA requirements"
Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • DORA Article 26 requires TLPT to cover several or all critical or important functions and live production systems supporting those functions.
"live production systems"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.