DORA First Year: Lessons from 15 Months of Threat-Led Penetration Testing
Fifteen months after the Digital Operational Resilience Act became applicable, the pattern of supervisory expectations around Threat-Led Penetration Testing is finally visible. Early anxiety that DORA would demand a TIBER-EU exercise from every in-scope entity has dissipated. In its place is a clearer and in some ways more demanding picture: a narrower set of organisations are required to conduct TLPT, but for those that are, the expectations are sharper than many firms prepared for.
This article draws on conversations with TLPT providers, threat intelligence firms, and supervised entities across the euro area. It focuses on what has actually happened since January 2025, rather than on what the regulation abstractly requires.
A Recap of DORA's TLPT Requirements
DORA Article 26 requires advanced testing by means of TLPT for a subset of financial entities determined by competent authorities. The criteria include size, risk profile, and systemic importance. In practice, this captures significant credit institutions, key payment and clearing infrastructure, major investment firms, large insurers, and critical ICT third-party providers designated by the European Supervisory Authorities.
For in-scope entities, TLPT must be conducted at least every three years on a rolling basis. The test must cover critical or important functions, involve realistic threat scenarios grounded in current threat intelligence, and be conducted by qualified external testers. Internal testers can participate but cannot lead. Threat intelligence providers and red team providers must meet separate sets of criteria. The test concludes with a formal replay and remediation phase that brings defenders into collaborative review of findings.
The European Supervisory Authorities published the final Regulatory Technical Standards on TLPT in July 2024, and these RTS now define the operational framework. They draw heavily on TIBER-EU but add some specifically DORA-aligned elements around cross-border testing, third-party provider coverage, and supervisory engagement.
How TLPT Differs From CBEST and TIBER-EU
These three frameworks are often lumped together, but they are not interchangeable.
CBEST is the UK framework, administered by the Bank of England, for intelligence-led penetration testing of significant UK financial institutions. It is conducted under FCA and PRA supervision with CREST-accredited providers. CBEST was an early mover in this space and has been refined over multiple cycles.
TIBER-EU is the European Central Bank's framework for intelligence-led red team testing, published in 2018 and adapted by national central banks across the euro area. It is voluntary at the EU level, though several national implementations are mandatory for large banks. TIBER-EU provides a common methodology that has shaped DORA's approach.
DORA TLPT builds on TIBER-EU but extends its scope in important ways. It covers a broader range of financial entities than TIBER-EU typically did, including insurers, clearing houses, and critical ICT third-party providers. It introduces formal cross-border coordination requirements for entities operating across multiple member states. It integrates TLPT into a broader operational resilience framework rather than treating it as a standalone exercise.
Practically, organisations that had completed TIBER-EU exercises in 2023 or 2024 have typically been able to reuse threat intelligence methodology, red team composition, and scenario design for their DORA TLPT. Organisations that had completed CBEST can similarly reuse most of the approach, though the cross-border and third-party coverage dimensions often require adaptation.
What Regulators Have Flagged
The pattern of regulatory feedback from the first year of DORA TLPT is now reasonably consistent across supervisory authorities.
Scope of critical or important functions is the most frequent point of contention. Firms have tended to define critical functions narrowly, focusing on the most obvious customer-facing services. Supervisors have pushed back, requiring broader coverage that includes internal systems whose compromise could cascade into critical functions, including identity providers, key management infrastructure, and administrative access paths.
Third-party coverage has been persistently under-scoped. DORA treats critical ICT third-party providers as an extension of the regulated entity's operational perimeter. TLPT engagements have frequently excluded third-party systems on the grounds that the provider controls them. Supervisors have increasingly required that the TLPT scenario include at least a representative path through key third-party services.
Threat intelligence quality has been uneven. The DORA RTS require threat intelligence grounded in current, actionable information about threats to the specific entity. In practice, some threat intelligence reports have been generic enough that they could have applied to any institution in the sector. Supervisors have flagged this and are increasingly asking for evidence of entity-specific analysis.
Replay phase documentation has been weaker than expected. The replay phase, where the red team walks through the exercise with the blue team and management, is supposed to produce specific, actionable remediation commitments. Early replay reports often contained generic recommendations without clear ownership or timelines. Supervisors have sharpened their expectations here.
Common Scoping Errors
On the technical side, several scoping errors have recurred.
Treating the corporate IT environment as out of scope is a common mistake. If the threat scenario involves an attacker gaining initial access through phishing, the corporate environment is the first network the attacker lands on, and excluding it breaks the realism of the exercise.
Excluding OT and specialised environments, particularly in clearing and settlement entities, has been flagged. These environments are often where critical functions actually run, and the TLPT scope needs to reflect that.
Under-scoping cloud and SaaS coverage is a recurring issue. Modern financial entities run substantial portions of their operations in AWS, Azure, and GCP, and in SaaS services such as Microsoft 365 and Okta. A TLPT scope that covers on-premises systems while treating cloud as out of scope misses the paths most real attackers now use.
Excluding internal network testing on the grounds that initial access is already assumed is another error. DORA TLPT expects realistic full-chain testing, not just assumed-breach scenarios for part of the kill chain.
Cost Expectations
A full DORA TLPT engagement typically costs between 150,000 and 500,000 euros, depending on scope, duration, and the size of the entity.
At the lower end, 150,000 to 250,000 euros covers a mid-sized supervised entity with a relatively contained ICT footprint. This typically includes the threat intelligence, red team, and replay phases over a timeline of four to six months.
The middle band, 250,000 to 400,000 euros, covers larger banks, insurers, and infrastructure operators. These engagements typically involve multiple scenarios, deeper third-party coverage, and longer red team phases. Timelines of six to nine months are common.
At the top end, engagements of 400,000 to 500,000 euros and above cover systemically important institutions, major cross-border groups, and critical ICT third-party providers. These engagements often run nine to twelve months, involve multiple red team providers coordinated under a single lead, and include substantial supervisory engagement throughout.
These costs exclude the significant internal time commitment required from the testing entity. The test manager function alone typically absorbs 20 to 40 percent of a full-time role for the duration of the engagement.
Providers Specialising in DORA Work
Only a subset of the penetration testing market can deliver DORA TLPT to the required standard. The skills overlap significantly with CBEST and TIBER-EU work, so firms with a track record in those frameworks are the most natural candidates.
In the UK, NCC Group, MDSec, PwC, Nettitude, and Cyberis hold CBEST accreditation and are active in DORA TLPT work for UK-linked European entities. In the euro area, several firms with TIBER-EU track records have adapted their offerings, including PwC, EY, KPMG, Deloitte, F-Secure and WithSecure, and specialist red team firms including Cure53 and SySS for the German market.
For organisations navigating DORA for the first time, our compliance guide at /compliance/dora covers the full regulatory framework. Our TIBER-EU overview at /compliance/tiber-eu covers the sibling framework that DORA TLPT is built on. Our directory lists providers with demonstrated threat-led penetration testing capability across the UK, Germany, France, the Netherlands, Ireland, and other European markets.
The First Cycle Closing, the Second Beginning
With DORA's triennial cycle, the first wave of TLPT engagements under the regulation will conclude through 2026 and 2027. The lessons from the first cycle are already shaping the second. Scope is widening. Threat intelligence is being taken more seriously. Third-party coverage is becoming less negotiable. Replay quality is being scrutinised.
For organisations planning their first DORA TLPT, the best advice from providers and supervisors alike is consistent: start the planning at least nine months before the intended test window, invest in the test manager function, engage supervisors early, and budget for a scope that covers the full operational reality of the institution, including its third-party dependencies and its cloud footprint.