DORA Art.26–27: Threat-Led Penetration Testing (TLPT) — Implementation Guide for Financial Services (2026)
Post #408 in the sota.io EU Cyber Compliance Series
DORA Chapter IV defines the digital operational resilience testing programme. Where Chapter II requires financial entities to build and maintain controls (identify, protect, detect, respond, recover), Chapter IV requires them to verify that those controls actually work — through a structured, escalating testing hierarchy.
Art.26 sets the baseline: all in-scope financial entities must run regular vulnerability assessments and ICT security testing. Art.27 adds the apex tier: significant entities must conduct Threat-Led Penetration Testing (TLPT) — live, intelligence-driven red-team attacks against their production systems, carried out by qualified external testers using the TIBER-EU methodology.
The TLPT Regulatory Technical Standard (Commission Delegated Regulation 2024/1505) entered into force in July 2025. NCAs across the EU are now issuing initial notification letters to entities required to conduct their first TLPT. This guide is timed to that regulatory moment.
1. The Two-Tier Testing Architecture
DORA Chapter IV separates testing into two distinct obligations:
| Tier | Article | Who | Frequency | Key Characteristic |
|---|---|---|---|---|
| Standard testing | Art.26 | All in-scope entities | Annual minimum | Vulnerability scans, gap analyses, network tests |
| Advanced testing (TLPT) | Art.27 | Significant entities (NCA-designated) | At least every 3 years | Live red-team attack, production scope, TIBER-EU |
The logic is proportionality: not every credit union or small payment institution needs a full red-team exercise. But systemically significant entities whose failure could trigger financial contagion require a higher assurance level that only live adversarial testing provides.
2. Who Is Subject to DORA Art.26 (Standard Testing)
All DORA Art.2(1) entities must conduct the testing programme under Art.26. This is approximately 22,000 EU financial entities:
| Entity Type | Art.26 Obligation | Notes |
|---|---|---|
| Credit institutions | ✅ Full | EBA prudential oversight; expect annual testing |
| Investment firms | ✅ Full | MiFID II scope |
| Payment institutions | ✅ Full | PSD2 entities |
| E-money institutions | ✅ Full | |
| Insurance / reinsurance | ✅ Full | Solvency II entities |
| CCPs / CSDs / trading venues | ✅ Full | Systemically significant — annual minimum not sufficient in practice |
| Crypto-asset service providers (CASPs) | ✅ Full (from Dec 30 2024) | |
| Management companies / AIFs | ✅ Full | |
| Microenterprises (<10 staff, <€2M) | ✅ Proportionality | Simplified testing programme permissible |
| ICT third-party providers | Art.26(8) engagement | Can be included in scope by contracting financial entity |
Proportionality (Art.4(2)): Microenterprises and small firms may run a lighter-weight testing cycle — e.g., annual external vulnerability assessment plus network configuration review — rather than the full testing programme that larger entities must operate.
3. Art.26: What Standard Testing Must Cover
3.1 The Mandatory Testing Types
Art.26(2) specifies the minimum testing methods that must be included in the testing programme:
"The testing programme referred to in paragraph 1 shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with the provisions of Articles 25 and 26."
The Joint Guidelines on ICT risk assessment (JC 2024/16) enumerate the expected methods:
| Test Type | Description | Frequency (Guidance) |
|---|---|---|
| Vulnerability assessments | Automated scanning of ICT assets for known CVEs and misconfigurations | Quarterly for Tier-1, semi-annual for Tier-2 |
| Network security assessments | Penetration testing of network perimeter, segmentation, firewall rules | Annual minimum |
| Source code reviews | Static analysis (SAST) for critical applications | Upon major change or annual |
| Gap analyses | Control coverage gaps vs. DORA Chapter II obligations | Annual (at framework review) |
| Physical security reviews | Data centre and office access control verification | Annual |
| Scenario-based tests | Simulated attack path targeting specific threat scenarios | Annual, at minimum 1 scenario |
| ICT business continuity testing | Failover and recovery tests per Art.11 | Annual (Art.11 requirement, reflected here) |
3.2 Testing Programme Documentation
NCA examiners consistently require four artefacts:
- Testing programme document — scope, methods, frequency, responsible function, approval by management body
- Test results register — every test, date, scope, findings, severity classification
- Remediation tracking — all findings with owner, target remediation date, and closure evidence
- Management body sign-off — annual testing programme review documented in board minutes or equivalent
3.3 Third-Party ICT Providers in Scope
Art.26(8) authorises financial entities to include ICT third-party service providers (ICT TSPs) in their testing scope, subject to contractual agreement. Art.30(2)(e) of DORA requires audit rights in ICT contracts — these audit rights extend to security testing.
Practical implication: If a critical cloud provider or SaaS vendor hosts a critical function, the financial entity must either (a) include them in testing scope, (b) rely on the vendor's own third-party certification (SOC 2 Type II, ISO 27001), or (c) document why alternative assurance is sufficient. NCA examiners are increasingly challenging option (c) without supporting evidence.
4. Who Is Subject to DORA Art.27 (TLPT)
4.1 Designation Criteria
TLPT is not automatic. NCAs designate entities for TLPT based on criteria set out in Art.27(1):
"Financial entities, other than microenterprises, that are identified as significant pursuant to the criteria set out in paragraph 2, shall carry out advanced testing by means of TLPT."
Art.27(2) designation criteria include:
- Systemic significance — market share, interconnectedness, systemic importance designation
- Specific ICT risk profile — entities with complex ICT environments or elevated threat exposure
- NCA discretion — competent authorities may require TLPT beyond the systemic significance threshold
In practice, all G-SIIs (Global Systemically Important Institutions), D-SIIs (Domestic SIIs), large payment processors, central counterparties, and entities designated under the SSM will receive TLPT notification. Mid-sized banks and larger fintechs should plan for TLPT designation within the next 12–24 months as NCAs expand their lists.
4.2 The NCA Notification Process
- NCA issues formal designation letter to the financial entity
- Financial entity acknowledges and submits initial scoping document (within timeframe set by NCA)
- Red-team provider selected and notified to NCA
- Threat intelligence phase begins (6–8 weeks)
- Red-team phase (8–12 weeks)
- Purple-team closure (2–4 weeks)
- Final report submitted to NCA
- Remediation plan confirmed with NCA
5. TLPT Architecture: TIBER-EU Methodology
DORA Art.27 mandates use of the TIBER-EU (Threat Intelligence-Based Ethical Red-Teaming) methodology, developed by the European Central Bank. The TLPT RTS (Commission Delegated Regulation 2024/1505) operationalises TIBER-EU as the binding DORA implementation standard.
5.1 Three-Phase Structure
Phase 1: PREPARATION (4–8 weeks)
├── Scope definition
│ ├── Identify Critical Functions (CFs)
│ ├── Map Critical ICT Systems supporting CFs
│ └── Define TLPT boundary (production scope required)
├── Team assembly
│ ├── Control Team (CT) — internal, manages the exercise
│ ├── Target Team (TT) — internal, receives test (may be unaware)
│ └── Red Team (RT) — external provider (qualified)
└── NCA notification filed
Phase 2: EXECUTION (8–12 weeks)
├── Threat Intelligence (TI) phase
│ ├── Threat landscape analysis for the entity's sector
│ ├── Threat actor profiling (TTPs targeting financial services)
│ └── TI report delivered to Red Team (not Target Team)
├── Red Team phase
│ ├── Live attacks on production systems
│ ├── Objective: compromise Critical Functions
│ ├── All techniques permitted (phishing, exploitation, insider simulation)
│ └── Ongoing daily check-ins with Control Team (safety protocol)
└── Purple Team closure
├── RT reveals attack paths to TT
├── Joint walkthrough: what worked, what was detected
└── Detection gap analysis documented
Phase 3: CLOSURE (4–6 weeks)
├── Final TLPT report (confidential — NCA only)
├── Remediation plan with milestones
└── NCA acceptance
5.2 What Makes TLPT Different from Standard Penetration Testing
| Dimension | Standard Pen Test | TLPT |
|---|---|---|
| Scope | Pre-agreed targets (staging/test permitted) | Production systems, live environment |
| Intelligence | Generic methodology | Custom threat intelligence specific to entity |
| Duration | Days to weeks | 16–24 weeks total |
| Detection testing | Not a goal | Purple team explicitly tests detection capabilities |
| Regulatory standing | Internal assurance | Accepted by NCA as formal compliance evidence |
| Mutual recognition | None | Cross-border recognition under Art.27(7) |
6. Red Team Provider Requirements
Art.27(4) sets out qualification requirements for external red team providers. DORA does not require a formal EU certification body (unlike some other frameworks), but the TLPT RTS specifies:
6.1 Provider Eligibility Criteria
| Requirement | Detail |
|---|---|
| Legal independence | Provider must not have a conflict of interest with the financial entity (e.g., primary IT vendor) |
| Technical qualifications | Demonstrable expertise in threat-led red-team exercises in financial services |
| Professional indemnity insurance | Minimum coverage levels specified by NCA |
| Threat intelligence capability | Either in-house TI team or sub-contracted to qualified TI provider |
| TIBER-EU certified | Participation in at least one prior TIBER-EU exercise (preferred) |
| Personnel vetting | Key personnel must pass background checks (equivalent to Baseline Personnel Security Standard) |
| NCA approval | Some NCAs (e.g., ECB, DNB) maintain approved provider lists — check with NCA before engagement |
6.2 Threat Intelligence Provider
The threat intelligence (TI) function can be internal or external but must be separate from the red team to maintain objectivity. The TI provider produces a targeted threat report that:
- Identifies threat actors known to target the entity's sector and geography
- Maps TTPs (Tactics, Techniques, Procedures) using MITRE ATT&CK for Financial Services
- Profiles the most likely attack vectors for the entity's specific risk profile
- Provides a target scenario package (3–5 priority attack scenarios)
7. Scope Definition: Critical Functions and ICT Systems
7.1 What Must Be in Scope
Art.27(3) requires that TLPT scope covers critical or important functions (CIFs) as defined in DORA Art.3(22):
"critical or important function means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities."
Scope mapping process:
Step 1: CIF register (from DORA Art.8 ICT asset classification)
└── Pull all Tier-1 critical ICT systems supporting CIFs
Step 2: Production scope confirmation
└── Confirm all CIF-supporting systems are in live production scope
└── Staging/DR environments may be tested separately but do not substitute
Step 3: Boundary documentation
└── Written TLPT scope document signed by management body
└── Filed with NCA before red team engagement begins
Step 4: ICT TSP inclusion decision
└── Where CIF runs on third-party cloud: Art.27(3) permits inclusion of CTPP in scope
└── Requires contractual right under Art.30(2)(e) and NCA agreement
7.2 What Can Be Excluded
Art.27(3) allows the NCA to agree to limited scope exclusions where:
- Including a system would create unacceptable operational risk
- The system is shared with another entity that is separately under TLPT
- A documented alternative assurance mechanism exists
Exclusions must be justified in writing and agreed with the NCA before the red team engagement begins. Exclusions are not grounds for downscoping to avoid difficult findings.
8. Mutual Recognition Between Member States
Art.27(7) provides that a TLPT conducted for one NCA can be mutually recognised by another NCA, avoiding duplicate exercises for cross-border financial groups.
8.1 How Mutual Recognition Works
Scenario: EU banking group with entities in DE, NL, FR
1. Lead NCA (e.g., ECB via SSM) conducts primary TLPT
2. TLPT covers group-level critical functions
3. Host NCAs (BaFin, DNB, ACPR) formally accept the exercise result
4. Group entities in each jurisdiction are treated as having satisfied Art.27
5. Validity period: 3 years from acceptance date
8.2 Requirements for Mutual Recognition
- The original TLPT must have covered the functions relevant to the recognising NCA
- Scope documentation must be shared with recognising NCA
- Recognising NCA has right to request additional testing for entity-specific functions
- Single point of contact (SPOC) must be designated per jurisdiction
Practical implication for subsidiaries: A subsidiary of a larger group that has completed group TLPT may be able to avoid a standalone exercise if: (a) the group TLPT covered the subsidiary's critical functions, and (b) the subsidiary's NCA has formally accepted mutual recognition. Engage the NCA early to confirm this pathway.
9. Python TLPTChecker Implementation
from dataclasses import dataclass, field
from typing import Optional
from enum import Enum
from datetime import date, timedelta
import json
class TLPTTier(str, Enum):
STANDARD = "standard" # Art.26 only
ADVANCED = "advanced" # Art.26 + Art.27 TLPT
class FindingSeverity(str, Enum):
CRITICAL = "critical"
HIGH = "high"
MEDIUM = "medium"
LOW = "low"
@dataclass
class CriticalFunction:
name: str
is_production_scoped: bool
tsp_hosted: bool
tsp_tlpt_included: bool
ict_systems: list[str] = field(default_factory=list)
@dataclass
class RedTeamProvider:
name: str
independent_from_vendor: bool
financial_sector_experience: bool
tiber_certified: bool
has_ti_capability: bool
nca_approved: bool
personnel_vetted: bool
@dataclass
class TLPTExercise:
entity_name: str
nca: str
designation_date: Optional[date]
scope_agreed_date: Optional[date]
red_team_provider: Optional[RedTeamProvider]
critical_functions: list[CriticalFunction] = field(default_factory=list)
ti_phase_complete: bool = False
red_team_phase_complete: bool = False
purple_team_complete: bool = False
final_report_submitted: bool = False
remediation_plan_agreed: bool = False
last_tlpt_date: Optional[date] = None
mutual_recognition_available: bool = False
@dataclass
class TLPTCheckResult:
score: int
tier: TLPTTier
findings: list[tuple[FindingSeverity, str]]
next_tlpt_due: Optional[date]
recommendations: list[str]
def assess_tlpt_readiness(exercise: TLPTExercise) -> TLPTCheckResult:
findings = []
score = 100
recommendations = []
# --- Critical function scope ---
unscoped_cfs = [cf for cf in exercise.critical_functions if not cf.is_production_scoped]
if unscoped_cfs:
findings.append((FindingSeverity.CRITICAL,
f"CFs not in production scope: {[cf.name for cf in unscoped_cfs]}"))
score -= 25
tsp_cfs_not_included = [
cf for cf in exercise.critical_functions
if cf.tsp_hosted and not cf.tsp_tlpt_included
]
if tsp_cfs_not_included:
findings.append((FindingSeverity.HIGH,
f"TSP-hosted CFs missing from TLPT scope (Art.27(3)): "
f"{[cf.name for cf in tsp_cfs_not_included]}"))
score -= 15
recommendations.append("Review Art.30(2)(e) audit rights with TSP and agree scope inclusion or document exclusion justification")
# --- Red team provider ---
if exercise.red_team_provider:
rt = exercise.red_team_provider
if not rt.independent_from_vendor:
findings.append((FindingSeverity.CRITICAL,
"Red team provider has conflict of interest with financial entity"))
score -= 20
if not rt.financial_sector_experience:
findings.append((FindingSeverity.HIGH,
"Red team provider lacks documented financial services experience"))
score -= 10
if not rt.tiber_certified:
findings.append((FindingSeverity.MEDIUM,
"Red team provider not TIBER-EU certified — verify NCA acceptance"))
score -= 5
if not rt.has_ti_capability:
findings.append((FindingSeverity.HIGH,
"No threat intelligence capability: TI provider must be engaged separately"))
score -= 10
if not rt.nca_approved:
recommendations.append("Check NCA approved provider list before finalising RT engagement")
if not rt.personnel_vetted:
findings.append((FindingSeverity.HIGH,
"Red team personnel background checks not completed"))
score -= 10
else:
findings.append((FindingSeverity.CRITICAL,
"No red team provider selected"))
score -= 30
# --- Exercise progress checks ---
if not exercise.scope_agreed_date and exercise.designation_date:
days_since_designation = (date.today() - exercise.designation_date).days
if days_since_designation > 60:
findings.append((FindingSeverity.HIGH,
f"Scope not agreed {days_since_designation} days after NCA designation"))
score -= 10
if exercise.red_team_phase_complete and not exercise.purple_team_complete:
findings.append((FindingSeverity.MEDIUM,
"Red team complete but purple team not conducted — detection gaps unverified"))
score -= 5
if exercise.final_report_submitted and not exercise.remediation_plan_agreed:
findings.append((FindingSeverity.HIGH,
"Final report submitted but no remediation plan agreed with NCA"))
score -= 10
# --- Recurrence check ---
next_due = None
if exercise.last_tlpt_date:
next_due = exercise.last_tlpt_date.replace(year=exercise.last_tlpt_date.year + 3)
days_to_next = (next_due - date.today()).days
if days_to_next < 180:
findings.append((FindingSeverity.HIGH,
f"Next TLPT due in {days_to_next} days — preparation should be underway"))
score -= 10
tier = TLPTTier.ADVANCED if exercise.designation_date else TLPTTier.STANDARD
return TLPTCheckResult(
score=max(0, score),
tier=tier,
findings=findings,
next_tlpt_due=next_due,
recommendations=recommendations,
)
# Usage
if __name__ == "__main__":
exercise = TLPTExercise(
entity_name="ExampleBank AG",
nca="BaFin",
designation_date=date(2026, 1, 15),
scope_agreed_date=date(2026, 2, 28),
red_team_provider=RedTeamProvider(
name="SecureRT GmbH",
independent_from_vendor=True,
financial_sector_experience=True,
tiber_certified=True,
has_ti_capability=True,
nca_approved=True,
personnel_vetted=True,
),
critical_functions=[
CriticalFunction(
name="SEPA payment processing",
is_production_scoped=True,
tsp_hosted=False,
tsp_tlpt_included=False,
ict_systems=["payment-gateway", "core-banking"],
),
CriticalFunction(
name="Online banking portal",
is_production_scoped=True,
tsp_hosted=True,
tsp_tlpt_included=True,
ict_systems=["cloud-app-server", "auth-service"],
),
],
ti_phase_complete=True,
red_team_phase_complete=False,
last_tlpt_date=date(2023, 3, 1),
)
result = assess_tlpt_readiness(exercise)
print(json.dumps({
"score": result.score,
"tier": result.tier,
"findings": [(f[0].value, f[1]) for f in result.findings],
"next_tlpt_due": str(result.next_tlpt_due),
"recommendations": result.recommendations,
}, indent=2))
10. DORA Art.26–27 × NIS2 Art.21(2)(f) Dual Compliance
Entities subject to both DORA and NIS2 (common for payment processors, cloud infrastructure providers, and digital finance platforms) must map their testing obligations carefully:
| Dimension | DORA Art.26–27 | NIS2 Art.21(2)(f) | Overlap / Gap |
|---|---|---|---|
| Testing obligation | Mandatory testing programme; TLPT for significant entities | Policies on security testing as part of basic measures | DORA is lex specialis — satisfying DORA Art.26 satisfies NIS2 for financial entities |
| Scope | ICT assets, CIFs, critical ICT systems | Information systems in scope of NIS2 | DORA scope (ICT assets) is broader in financial services |
| Frequency | Annual minimum (Art.26); every 3 years (Art.27 TLPT) | Not specified (member state guidance varies) | DORA 3-year TLPT cycle is safe harbour for NIS2 advanced testing |
| Methodology | TIBER-EU for TLPT (Art.27) | No mandatory methodology | NIS2 NCA may accept TLPT report as evidence of Art.21(2)(f) compliance |
| Third-party scope | Art.26(8), Art.27(3) permit TSP inclusion | Art.21(2)(d) supply chain — separate obligation | Run together where TSP is in both DORA and NIS2 scope |
| Remediation | Remediation plan required, filed with NCA | Not explicitly required | DORA standard is higher — apply uniformly |
Recommendation for dual-regulated entities: Use the DORA testing programme as the primary compliance artefact. Annotate DORA test results with NIS2 Art.21(2)(f) mapping tags. Submit a single testing register to both NCAs where mutual recognition allows.
11. 25-Item NCA Audit Checklist
Art.26 Standard Testing
| # | Checklist Item | Evidence Required |
|---|---|---|
| 1 | Annual testing programme document exists, approved by management body | Programme document + board minutes |
| 2 | Programme covers all required test types (vuln scan, network, source code, gap analysis, physical) | Test type matrix vs. Art.26 obligations |
| 3 | Testing frequency meets minimum requirements per asset tier | Test schedule vs. criticality register |
| 4 | All Tier-1 critical ICT systems in testing scope | Asset register cross-reference |
| 5 | Vulnerability assessment conducted within last 12 months | Scan report with date and scope |
| 6 | Network security assessment conducted within last 12 months | Pen test report with scope |
| 7 | Source code review completed for critical applications | SAST report or vendor certification |
| 8 | Physical security review completed for primary data centre | Review report |
| 9 | Test findings register maintained with all open findings | Findings register with severity |
| 10 | Remediation tracking: all Critical findings closed within 30 days | Closure evidence per finding |
| 11 | Remediation tracking: all High findings closed within 90 days | Closure evidence per finding |
| 12 | ICT TSP testing inclusion assessed; alternative assurance documented where excluded | TSP assurance matrix |
| 13 | Testing function independent from development/operations | Org chart or TOR for testing function |
Art.27 TLPT
| # | Checklist Item | Evidence Required |
|---|---|---|
| 14 | NCA TLPT designation acknowledged within required timeframe | Signed acknowledgement + date |
| 15 | Scope document filed with NCA (CIFs, ICT systems, boundaries) | NCA-accepted scope document |
| 16 | Red team provider appointed and NCA notified | Provider engagement letter + NCA notification |
| 17 | Red team provider meets all Art.27(4) qualification requirements | Provider qualification pack |
| 18 | Control Team (CT) established, TOR documented | CT charter |
| 19 | Threat Intelligence (TI) provider engaged and TI report delivered | TI report (classified) |
| 20 | Red team phase conducted on production systems | Red team engagement log |
| 21 | Purple team phase completed; detection gaps documented | Purple team report |
| 22 | Final TLPT report submitted to NCA | Submission acknowledgement from NCA |
| 23 | Remediation plan agreed with NCA, milestones tracked | Remediation plan + NCA sign-off |
| 24 | Next TLPT scheduled within 3-year cycle | Forward testing plan |
| 25 | Mutual recognition assessed for cross-border group entities | Mutual recognition assessment or lead NCA confirmation |
12. Common NCA Audit Failures
Based on TIBER-EU supervisory feedback reports and NCA examination findings from 2024–2025 DORA readiness assessments:
Failure 1 — Production scope exclusion without justification Entity scoped TLPT against a staging clone rather than production systems. NCA required full re-exercise at entity's cost. Fix: TLPT must cover live production systems; staging exercises do not satisfy Art.27.
Failure 2 — CIF register not aligned with TLPT scope DORA Art.8 CIF register listed 12 critical functions; TLPT scope covered only 7. Gap was not NCA-agreed. Fix: Derive TLPT scope directly from Art.8 CIF register; document every exclusion with NCA agreement.
Failure 3 — Red team provider conflict of interest Primary managed security provider was also the red team provider. NCA rejected exercise. Fix: Red team must be independent of entities providing ongoing operational security services to the financial entity.
Failure 4 — No purple team phase Red team findings were not shared with the target team; detection capabilities were not tested. NCA required a supplemental purple team exercise. Fix: Purple team is mandatory — it is the mechanism by which the entity validates whether its detection controls work.
Failure 5 — TI report generic, not entity-specific Threat intelligence report was a commercial industry briefing rather than a targeted analysis of threats to the specific entity. NCA rejected TI phase. Fix: TI report must be tailored to the entity — its geography, business model, client base, and known threat actors. Generic reports do not satisfy TLPT RTS requirements.
Failure 6 — Remediation plan not agreed with NCA Entity produced an internal remediation plan but did not file it with the NCA or obtain NCA confirmation. Fix: Remediation plan must be agreed with and acknowledged by the NCA within the NCA's specified timeframe post-TLPT.
Failure 7 — Missed 3-year recurrence Entity completed initial TLPT in 2022 under TIBER-NL and assumed the same exercise counted for DORA. DORA TLPT RTS (in force July 2025) reset the 3-year clock. Fix: Confirm with NCA whether pre-DORA TIBER exercises reset the 3-year cycle or whether a new DORA-compliant TLPT is required.
13. 12-Week TLPT Preparation Timeline
For entities receiving initial NCA designation letters:
| Week | Activity | Owner | Output |
|---|---|---|---|
| 1–2 | Acknowledge NCA letter; assemble Control Team (CT) | CISO + Legal | CT charter, NCA acknowledgement |
| 2–3 | Pull CIF register from Art.8 asset classification | Risk team | CIF list + ICT system mapping |
| 3–4 | Define TLPT scope; identify ICT TSP inclusion decisions | CT + Risk | Scope document draft |
| 4–5 | Select red team provider (check NCA approved list) | Procurement + CISO | RT engagement letter |
| 5–6 | Engage TI provider; file scope with NCA | CT + Legal | NCA scope filing confirmation |
| 6–10 | TI phase: threat actor profiling, scenario development | TI provider | TI report |
| 10–18 | Red team phase: live attacks on production | RT provider | Red team findings log |
| 18–21 | Purple team: detection gap analysis with Target Team | RT + TT + CT | Purple team report |
| 21–22 | Draft final TLPT report | CT | Report draft |
| 22–24 | Submit final report to NCA; agree remediation plan | CT + Legal + NCA | Accepted TLPT report |
14. Infrastructure Consideration: TLPT and Cloud Sovereignty
TLPT creates a practical challenge for entities hosted on US-hyperscaler infrastructure. Red team activities against production systems that are legally located in US-jurisdiction cloud tenants generate forensic evidence that may be subject to US CLOUD Act mandatory disclosure requests to law enforcement — including forensic logs of the red team's attack techniques and tooling.
This is not a theoretical risk. TIBER-EU supervisory documents (ECB TIBER-EU White Paper, 2021) note the importance of "legal and contractual safeguards" around TLPT evidence. Entities on EU-sovereign infrastructure (cloud providers with no US parent, operating exclusively under EU jurisdiction) avoid this exposure entirely:
- Forensic logs remain under EU law
- No CLOUD Act override risk
- NCA can access evidence under standard supervisory channels
- Red team tooling and TTPs are not exposed to US subpoena risk
For DORA-regulated financial entities conducting TLPT, infrastructure sovereignty is not just a GDPR or DORA Art.28 concern — it is a TLPT operational security concern. sota.io is deployed exclusively on EU-jurisdiction infrastructure with no US parent entity, making it a Cloud Act-free deployment target for financial services workloads requiring TLPT evidence integrity.
Summary
DORA Articles 26 and 27 define a two-tier testing obligation:
- Art.26 applies to all in-scope financial entities: annual testing programme covering vulnerability assessments, network security, source code reviews, gap analyses, physical security, and scenario-based tests. All findings must be tracked and remediated.
- Art.27 applies to systemically significant entities designated by their NCA: full Threat-Led Penetration Testing using TIBER-EU methodology, live production scope, qualified external red team, TI-driven scenarios, mandatory purple team phase, final report to NCA, and agreed remediation plan.
The TLPT RTS (Commission Delegated Regulation 2024/1505) entered into force in July 2025. NCA notification letters are being issued now. Entities that have not assessed their TLPT designation likelihood, built their CIF register, or assessed red team provider options are already behind schedule.
The seven most common failures — staging scope, CIF gaps, provider conflicts, missing purple team, generic TI, no NCA remediation plan sign-off, and missed 3-year recurrence — are all avoidable with structured preparation. The TLPTChecker above provides an automated readiness assessment that covers all seven.
Part of the DORA Implementation Series. Previous: DORA Art.14 — Communication Strategy.