Europe’s financial sector, the lifeblood of the economy, has long been the target of the most sophisticated cybercrime groups. In response to the growing scale and complexity of these threats, the European Union has introduced a landmark Financial Sector Digital Operational Resilience Regulation, known as DORA (Digital Operational Resilience Act). This is not just another industry-specific regulation. It’s a comprehensive, unified and highly demanding set of rules that fundamentally changes the approach to technology and security at every financial institution - from the largest banks to insurance companies to innovative FinTech startups and cryptocurrency service providers.
The goal of DORA is no longer just to prevent incidents. The goal is to ensure that the financial sector as a whole is able to withstand, respond to and restore its functions even during a major cyber attack. For the **Chief Risk Officer** and **Compliance Officer**, DORA creates a new mandatory governance framework. For the CISO and IT Director, it defines a new, much higher standard for processes and technology, especially in the area of testing. For the Board of Directors, it is a direct responsibility to ensure that the institution is able to survive a digital crisis. In this article, we’ll take an in-depth look at DORA’s testing requirements, explain the key role of penetration testing and advanced TLPT testing, and show how nFlo is supporting financial institutions on this complex journey toward true digital resilience.
Shortcuts
- What is the DORA regulation and what are its main pillars?
  - One set of rules for the entire EU financial sector
  - Five pillars of digital operational resilience
  - Resilience, not just security - a key paradigm shift
- What specific testing requirements does DORA introduce?
  - Basic testing program - a foundation for all
  - Advanced requirement - threat-based penetration testing (TLPT)
- How does nFlo’s standard penetration testing fit into DORA’s overall requirements?
  - Meeting the fundamental requirements of the test program
  - Risk identification as an input to resilience strategies
  - Preparation and prerequisite for advanced TLPT testing
- How can nFlo support financial institutions in their journey toward DORA compliance?
  - Build a solid foundation through regular penetration testing
  - Evolution towards red teaming and TLPT support
  - Partnering to build resilience, not just compliance
- Key Findings
What is the DORA regulation and what are its main pillars?
DORA (Regulation 2022/2554) is a binding and directly applicable law in all EU countries that aims to harmonize and strengthen rules for digital risk management in the financial sector. It ends the piecemeal approach of individual member countries, creating a single, consistent standard for all.
One set of rules for the entire EU financial sector
The scope of DORA is extremely broad and includes virtually all licensed financial institutions. This group includes banks, insurance and reinsurance companies, investment firms, payment system operators, cryptocurrency service providers and even crowdfunding platforms. Crucially, DORA also includes key third-party providers of ICT services to the financial sector, such as cloud or data center providers, representing a revolutionary change in the approach to third-party risk management.
Five pillars of digital operational resilience
The structure of the regulation is based on five interrelated pillars that together form a comprehensive resilience management system:
- ICT Risk Management. This is the foundation: it requires institutions to have a robust management framework covering the identification and protection of systems, detection of incidents, response to them and recovery.
- Reporting and classification of ICT-related incidents. DORA introduces uniform standards on how, when and to whom serious digital incidents must be reported.
- Testing digital operational resilience. This is the key proactive element; it requires companies to test their defenses regularly and at an advanced level.
- Managing risk from third-party ICT service providers. Financial institutions remain fully responsible for the risks generated by their suppliers and must have rigorous processes to manage this area.
- Sharing information and intelligence on threats. The regulation encourages mechanisms for the voluntary exchange of threat information between financial institutions to strengthen the resilience of the entire sector.
Resilience, not just security - a key paradigm shift
To fully understand DORA, it is important to grasp the subtle but crucial difference between security and resilience. Traditional cyber security often focuses on prevention - on building walls to prevent intrusion. DORA makes the more realistic assumption that walls, even the highest ones, can be breached. Operational resilience is an organization’s ability to continue providing critical services to its customers, even while an attack is underway. It is the ability to withstand the impact, limit the damage, maintain critical functions in a fail-safe mode and quickly return to full operations once the threat has subsided. This paradigm requires an entirely new approach to systems architecture, business continuity planning and, crucially, how to test.
What specific testing requirements does DORA introduce?
Chapter IV of DORA, devoted entirely to testing, is one of the most detailed and demanding sections of the regulation. It introduces a tiered testing program that must be tailored to an institution’s size and risk profile.
Basic testing program - a foundation for all
Article 24 of DORA stipulates that all covered financial entities must establish and maintain **a “robust and comprehensive digital operational resilience testing program”**. It must be part of the ICT risk management framework and include an appropriate set of assessments and tests. At a minimum, this program should include annual assessment and testing of all critical ICT systems. The core set of tests includes, among others, vulnerability assessments and scans, open source software analysis, network security assessments, logic analysis and, explicitly mentioned, standard penetration testing. This means that regular penetration testing is no longer just good practice; it is becoming a legal obligation for the entire EU financial sector.
Advanced requirement - threat-based penetration testing (TLPT)
For the largest and most systemically important financial institutions, DORA introduces a much more demanding form of testing, known as Threat-Led Penetration Testing, or TLPT. Under Article 26, designated “significant” financial entities must conduct such advanced testing at least once every three years. TLPT is not a standard pentest. It is a highly specialized exercise that:
- It is threat-led: the attack scenario is built on actual, up-to-date threat intelligence about the tactics, techniques and procedures (TTPs) used by criminal groups that realistically threaten the financial sector.
- It focuses on critical functions: the goal is not to find every possible vulnerability, but to test whether a simulated, realistic attack is capable of disrupting the organization’s critical business functions (e.g., payment processing, transaction systems).
- It involves production systems: these tests are conducted on live production systems, which requires extreme care and precise planning.
- It is a controlled Red Team vs. Blue Team exercise: TLPT is, in practice, a formalized and regulated Red Teaming exercise. It involves an attacking team (Red Team) that conducts the simulation and a defending team (Blue Team) on the side of the financial institution, all supervised by a controlling team (White Team). The methodology for conducting TLPT is largely based on the existing, mature TIBER-EU (Threat Intelligence-based Ethical Red-teaming) framework.
How does nFlo’s standard penetration testing fit into DORA’s overall requirements?
Although TLPT is the most advanced requirement, it is the regular standard penetration testing that is the absolute foundation of DORA compliance for any financial institution.
Meeting the fundamental requirements of the test program
As mentioned, Article 24 of DORA explicitly mentions penetration testing as one of the key elements of a basic testing program. Regular penetration testing of applications (including online and mobile banking systems), network infrastructure and cloud environments is the primary way to identify and understand existing technical vulnerabilities. It is the most fundamental and irrefutable way to meet the basic testing requirements of the regulation.
Risk identification as an input to resilience strategies
The results of penetration testing provide invaluable data that feeds the entire ICT risk management framework required by the first pillar of DORA. A detailed report that not only identifies vulnerabilities but also assesses their risk in a business context allows the institution to make informed decisions. As a result, the **Chief Risk Officer** can precisely allocate resources and budget to fixing those vulnerabilities that pose the greatest threat to the operational resilience of the entire organization.
Preparation and prerequisite for advanced TLPT testing
No organization should approach an advanced TLPT test if its basic security hygiene is at a low level. It would be a waste of time and money, as the attack team would achieve its goal by exploiting simple, well-known vulnerabilities. Regular, rigorous penetration tests act as a “training camp” before the championship. They allow systematic identification and remediation of basic and intermediate vulnerabilities, strengthening the overall security posture. This way, when the time comes for TLPT, the test can focus on verifying the ability to defend against advanced, stealthy attacks rather than pointing out simple errors.
How can nFlo support financial institutions in their journey toward DORA compliance?
With its deep specialization in offensive testing, nFlo is a natural partner for financial institutions at every stage of their journey toward compliance with DORA testing requirements.
Build a solid foundation through regular penetration testing
Our core application, API, network and cloud penetration testing services allow us to effectively implement and maintain the basic testing program required by Article 24 of DORA. We help our financial sector clients build a mature vulnerability management process, which is the absolute foundation of any resilience strategy.
Evolution towards red teaming and TLPT support
Our advanced expertise in Red Teaming services is fully aligned with the TLPT testing methodology and philosophy. Thanks to our experience in emulating adversaries and running covert, targeted campaigns, we are able to act as a professional, third-party provider of the attack team (Red Team) in formal TLPT exercises that conform to the TIBER-EU framework. We can assist your institution not only in preparation, but also in conducting this most demanding test.
Partnering to build resilience, not just compliance
We understand that the goal of DORA is not simply to have certifications or “tick off” points in an audit. The ultimate goal is to build an organization that is genuinely resilient to digital shocks. That’s why our approach is always a partnership. We don’t just find problems, we help you understand their causes and choose the most effective strategies to solve them. We support our clients in building sustainable, systemic resilience, which is the best guarantee not only of DORA compliance, but also of long-term security and stability in an increasingly unpredictable world.
Key Findings
- Partnering on the road to compliance: nFlo offers a full spectrum of testing services, from fundamental penetration testing to advanced Red Teaming services, supporting financial institutions every step of the way to build resilience and achieve DORA compliance.
- DORA is the new standard for resilience: The DORA regulation introduces a uniform and rigorous requirement for the entire EU financial sector to build digital operational resilience - the ability to operate even during a cyber attack.
- Multi-tiered testing program: DORA requires all financial institutions to have a comprehensive testing program, the cornerstone of which is regular penetration testing.
- TLPT as top requirement: For the largest entities, DORA introduces mandatory advanced threat-based penetration testing (TLPT), which is a formalized Red Teaming exercise.
- Standard testing as a foundation: Regular penetration testing is not only a basic compliance requirement, but also a key component in preparing an organization for more advanced TLPT testing.
TIBER-EU v2.0 mapping to TLPT under DORA — what the 2026 amendment changes
In practice, the implementation of the full TLPT regime under DORA relies on TIBER-EU v2.0 (Threat Intelligence-based Ethical Red-teaming European Framework), published by the European Central Bank in the 2025 update. TIBER-EU v2.0 introduced significant changes compared to v1.0 from 2018: an expanded Targeted Threat Intelligence (TTI) phase with mandatory verification of the TI provider’s certification by the national TCT (TIBER Cyber Team — in Poland KNF/KSF); explicit mapping of stages to MITRE ATT&CK Enterprise v15 (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact); and a new Replay/Purple Teaming stage after the Red Team Test, in which the Blue Team and Red Team jointly replay the attack scenarios to increase the test’s educational value.
The RTS on TLPT (Regulatory Technical Standards) — published by the ESAs (EBA + EIOPA + ESMA) in July 2024 and subject to the so-called 2026 amendment (currently being processed by the EBA in Q1 2026) — clarifies requirements that until now were left to TIBER-EU. The most important changes under the 2026 amendment are: (1) minimum scope of Critical or Important Functions — all critical business processes (clearing, settlement, payments, custody, core banking) MUST be covered by at least one test in the 3-year cycle, with no exclusions possible without justification to the regulator; (2) pool of certified providers — national supervisory authorities maintain a list of accredited TI and RT providers, and the financial entity must document its selection process from that list; (3) threshold for financial entities — the materiality threshold that qualifies an entity for mandatory TLPT is raised (smaller entities in corporate groups may be excluded if the group as a whole undergoes TLPT at the consolidated level); (4) cross-border coordination — for entities operating in multiple EU countries, a single TLPT conducted under the supervision of the lead authority is accepted by all other national supervisory authorities, eliminating duplication.
For financial institutions subject to mandatory TLPT under DORA, our penetration testing service covers the full methodology compliant with TIBER-EU v2.0 + RTS on TLPT, from the Threat Intelligence phase through Replay. If you are only beginning to prepare your institution for the DORA regime and do not yet have a complete ICT/Critical Functions map, start with our NIS2 compliance service, which builds the foundation of asset and risk inventory — DORA and NIS2 are complementary, and many requirements (incident management, supplier risk) are shared.