Artifact GuideEU DORA

EU DORA TLPT Runbook

A source-linked runbook structure for financial entities that must perform DORA threat-led penetration testing.

Use it to organise authority touchpoints, critical-function scoping, tester and threat-intelligence controls, active red-team testing, closure reports, remediation evidence, and attestation records.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA TLPT is not a generic penetration-test checklist. Under Article 26, identified financial entities must run advanced threat-led penetration testing on live production systems supporting several or all critical or important functions, with scope validation, risk controls, reports, remediation plans, and authority attestation. This runbook turns those requirements into a practical operating record without adding unsupported test steps. Timings in this page are source-linked; verify current legal source language before implementation decisions.

Section 1

1. Start from the authority trigger and TLPT governance

Open the runbook when the TLPT authority notifies the financial entity that a TLPT is to be carried out, or when internal planning confirms that a required TLPT cycle is approaching. DORA sets a baseline TLPT cadence of at least every 3 years for identified financial entities, with competent authorities able to adjust the frequency based on risk profile and operational circumstances.

The runbook should name the control team lead, the control team, the TLPT authority contact path, the test manager or managers when known, the management-body approval points, and the code name used to restrict knowledge of the test. Keep the test on a need-to-know basis: the TLPT RTS requires information about planned or ongoing testing to be limited to the control team, management body, testers, threat intelligence provider, and TLPT authority.

  • Runbook opening record: authority notification date, assigned internal control team lead, TLPT authority contact, code name, intended communication channels, and internal confidentiality rules.
  • Governance record: management-body approvals needed for the project charter, scope specification, risk management measures, and remediation commitments.
  • Cadence record: previous TLPT completion or attestation, next planned TLPT window, and any authority instruction to reduce or increase the 3-year baseline cadence.
  • Escalation record: who can pause testing, who can approve changes to scope or timing, and how the control team will contain accidental detection by staff or service providers.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Article 26 establishes the TLPT cadence, live-production testing expectation, scope validation, risk controls, reporting, remediation, and attestation obligations.
Delegated Regulation (EU) 2025/1190 on DORA TLPT
Article 9 of the TLPT RTS sets initiation information, control-team setup, scope documentation, provider selection, and authority validation steps.
Section 2

2. Define and validate the TLPT scope

The scope section should list all critical or important functions considered for TLPT, not only the functions selected for testing. For each function, record whether it is included, why it is included or excluded, the supporting ICT systems, outsourced or contracted ICT services, relevant jurisdictions, and preliminary flags tied to confidentiality, integrity, authenticity, or availability.

DORA requires each TLPT to cover several or all critical or important functions and to be performed on live production systems supporting them. The precise scope is determined by the financial entity's assessment and validated by the competent authority or TLPT authority. Where ICT third-party providers support in-scope functions, the runbook should show how their participation is covered, including whether pooled TLPT is being considered where direct provider participation could affect other customers or confidentiality.

  • Function inventory: critical or important function, business owner, supporting ICT systems, geographic location, service dependencies, and whether a third-party or intra-group provider supports it.
  • Inclusion criteria: criticality to day-to-day operations, impact on the financial sector or financial stability, exchangeability, interconnectedness, geographical location, sector dependence, and available threat intelligence.
  • Exclusion rationale: document why any critical or important function is outside this TLPT scope and whether it remains covered by another resilience test or future TLPT.
  • Scope validation package: scope specification document, management-body approval, TLPT authority approval, provider briefing record after contracting, and any approved changes to target systems, flags, scope, or timing.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Article 26 requires TLPT to cover several or all critical or important functions and requires the resulting scope to be validated by competent authorities.
Delegated Regulation (EU) 2025/1190 on DORA TLPT
Annex II specifies the scope specification content for critical or important functions, supporting ICT systems, outsourcing, jurisdictions, and flags.
Section 3

3. Control threat intelligence providers, testers, and red-team execution

Use the provider-control section to prove that the threat intelligence provider and testers meet DORA and TLPT RTS requirements before contracting or assigning them. The TLPT RTS expects an external threat intelligence provider, and it sets detailed evidence expectations for skills, references, certifications, insurance, independence, conflicts of interest, secure restoration, and prohibited conduct.

The testing section should keep three records together: the targeted threat intelligence report, the scenario-selection record, and the red team test plan. The threat intelligence provider must produce concrete, actionable, contextualised target and threat intelligence. The control team lead selects at least three scenarios using the provider's recommendation, test-manager input, tester feasibility judgement, and the entity's size, complexity, and risk profile. No more than one selected scenario may be non-threat-led.

  • Provider evidence: CVs, certifications, professional indemnity insurance, required references, conflicts check, separation between threat intelligence and tester staff where relevant, and TLPT authority evidence package before contracting.
  • Threat intelligence report fields: scope, geography, relevant ICT third-party providers, research period, actionable target intelligence, threat profiles, and at least three end-to-end threat scenarios covering availability, data integrity, and information confidentiality themes.
  • Red team test plan fields: communication channels, allowed and prohibited tactics, ethical boundaries for social engineering, risk controls, target functions and systems, flags, expected attack paths, leg-up rules, schedule, and infrastructure constraints.
  • Active testing controls: at least weekly progress reporting to the control team and test managers, threat intelligence provider availability for consultation, approved leg-ups, approved changes to the red team test plan, and suspension criteria for exceptional impact risks.
Sources for this answer
Delegated Regulation (EU) 2025/1190 on DORA TLPT
Articles 7, 10, and 11 set provider evidence, threat intelligence report, scenario selection, red team test plan, weekly reporting, leg-up, and active testing requirements.
Regulation (EU) 2022/2554 (DORA)
Article 27 sets baseline tester suitability, capability, certification or ethical-framework, assurance, and insurance requirements for TLPT.
Section 4

4. Close with reports, remediation, attestation, and evidence retention

The closure section should not stop at the red team report. After active red-team testing ends, the control team informs the blue team, testers submit the red team test report, the blue team submits its report, and the parties replay offensive and defensive actions. The control team also runs purple teaming on jointly identified topics based on vulnerabilities found during testing and, where relevant, topics not fully tested during the active phase.

After the TLPT authority has assessed the blue team and red team reports, the financial entity submits the summary report of relevant findings for approval, then provides the remediation plans and documentation required under DORA. The remediation plan should track each finding to the shortcoming, remediation measure, priority and expected completion, root cause, responsible staff or function, and risks of not implementing the measure. Keep the attestation and notify the relevant competent authority of the attestation, summary findings, and remediation plans.

  • Closure evidence: red team test report, blue team test report, replay record, purple teaming topics, feedback record, summary report of relevant findings, remediation plan, documentation showing TLPT requirements were followed, and attestation.
  • Red team report evidence: functions and ICT systems targeted, scenario summaries, flags reached and not reached, successful and unsuccessful attack paths, tactics used, deviations, leg-ups, discovered vulnerabilities, root causes, and remediation recommendations.
  • Blue team report evidence: detected attack actions, corresponding log entries, evidence collected by the blue team, blue-team root cause analysis, lessons learned, improvement opportunities, and topics for purple teaming.
  • Remediation tracker: finding, shortcoming, root cause, proposed remediation measure, priority, expected completion, responsible staff or function, and risks associated with not implementing the measure.
Sources for this answer
Delegated Regulation (EU) 2025/1190 on DORA TLPT
Articles 12 to 14 and Annexes V to VIII define closure reports, replay and purple teaming, remediation-plan content, and attestation content.
Regulation (EU) 2022/2554 (DORA)
Article 26 requires relevant findings, remediation plans, supporting documentation, authority attestation, and competent-authority notification after TLPT.
ECB press release on TIBER-EU and DORA TLPT
The grounding data references this ECB source for the relationship between TIBER-EU and fulfilling DORA TLPT requirements.
Recommended next step

Use this runbook to organise a source-linked TLPT record

Use the cited sources listed here to verify obligations and the supporting evidence requirements.

Research workflow
Open Research Copilot for EU DORA

Verify the following areas from the cited sources: TLPT scope, testers, reports, remediation, and authority evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through DORA TLPT implementation

Review the authority touchpoints, provider evidence, testing records, and remediation fields needed for your DORA TLPT runbook.

Explore next step
Primary sources

References and citations

Delegated Regulation (EU) 2025/1190 on DORA TLPT
eur-lex.europa.eu
Referenced sections
  • Articles 12 to 14 and Annexes V to VIII define closure reports, replay and purple teaming, remediation-plan content, and attestation content.
"Content of the red team test report"
ECB press release on TIBER-EU and DORA TLPT
ecb.europa.eu
Referenced sections
  • The grounding data references this ECB source for the relationship between TIBER-EU and fulfilling DORA TLPT requirements.
"Adopting TIBER-EU will help fulfil DORA requirements"
Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Article 26 requires relevant findings, remediation plans, supporting documentation, authority attestation, and competent-authority notification after TLPT.
"summary of the relevant findings"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.