
Martin Hořický
The European regulation DORA (Digital Operational Resilience Act) introduces a new standard for ICT risk management. It requires major financial entities to regularly conduct Threat-Led Penetration Testing (TLPT), intelligence-led threat tests that simulate the capabilities of advanced organised cyber attackers (APTs).
The goal is not just to find vulnerabilities, but to validate the entire organization's ability to detect, respond and recover from an attack that matches a realistic and coordinated scenario.
The main differences between a standard penetration test and TLPT are summarised in the table below.
From a technical perspective, TLPT requires detailed knowledge of attack vectors and the ability to mimic the methods of real attackers, including the exploitation of zero-day vulnerabilities, social engineering, code obfuscation and supply chain attacks.
| Parameter | Penetration testing | Threat-Led Penetration Testing (TLPT) |
|---|---|---|
| Aim of the test | Identification of vulnerabilities and misconfigurations in systems | Simulation of a real (APT-like) attack; test of the resilience of defence mechanisms |
| Frequency | At least once a year for systems supporting key/important functions | At least once every 3 years (for selected entities, according to their risk profile) |
| Who performs the test | Internal or external team; must be independent | External team or, exceptionally, an internal red team; must hold professional certifications |
| Threat-intelligence based (TI, i.e. threat intel / OSINT) | Not compulsory | Yes; the scenario must be based on actual threats relevant to the institution |
| Environment | Usually test or staging | Production systems; resilience is tested in live operation |
| Scope approval | Controlled internally | The scope must be approved by the relevant regulator |
| Focus | Component testing (applications, networks, configuration weaknesses) | End-to-end simulation: initial penetration, lateral movement, exfiltration and detection |
| Consideration of third parties | Optional, often omitted | Mandatory if they are part of a critical function |
| Corrective measures | Obligation to fix identified vulnerabilities; internal verification | Mandatory remediation plans, plus verification and reporting to the supervisor |
| Reporting to the supervisor | No; internal documentation only | Yes; results, remediation plans and evidence of DORA compliance are sent to the regulator |
| Test certification | Not required | Yes; the regulator issues a certificate confirming the test complied with DORA |
| Methodological framework | Not prescribed; may follow OSSTMM, OWASP, etc. | Must conform to frameworks such as TIBER-EU |
| Benefits | Identifies technical weaknesses | Also tests the ability to detect, respond to and withstand a sophisticated attacker |
Institutions subject to DORA will have to comply with requirements on both the frequency of testing and its documentation and reporting to the relevant supervisory authority (e.g. CNB, ECB). The active red-team testing phase must last a minimum of 12 weeks. This duration is necessary to realistically mimic stealthy, persistent threat actors.
DORA also places emphasis on the quality and qualifications of those performing advanced testing. Testers must meet strict criteria.
If an institution wishes to use its own in-house red team, it must obtain regulatory approval and ensure the organisational independence of that team (avoiding conflicts of interest). The operational threat intelligence on which the scenario is based must be supplied by an external provider.
BDO provides TLPT services in accordance with the specific requirements of European regulators (e.g. ECB, EBA, ESMA) and proven methodologies such as TIBER-EU, CBEST or iCAST. Our methodology combines a red-teaming approach, knowledge of the regulatory framework and deep technical know-how, including scenarios that reflect sector-specific threats and digital attacks in the European financial space.
Our specialists hold OSCP, CRTO, eCPPT, BSCP, CEH, CRT, CPSA, CISSP, CCISO and other certifications. They have experience in testing large banks, insurance companies and ICT providers.
We understand the regulatory frameworks and can tailor the TLPT test to what is required by legislation and sector oversight. We help with the overall cyber resilience strategy.
As an independent consultancy, we do not sell technology of our own and can therefore offer a truly objective assessment. Working with BDO sends a clear signal of quality and trust to regulators and clients.