Threat-Led Penetration Testing in Compliance with DORA

Advanced Red Teaming for Regulated Financial Institutions.

The EU regulation DORA (Digital Operational Resilience Act) sets a new standard for managing ICT risks. It mandates that significant financial entities conduct Threat-Led Penetration Testing (TLPT) — intelligence-based tests that simulate the capabilities of advanced persistent threat actors (APTs).
Unlike traditional penetration testing, TLPT aims not only to identify vulnerabilities, but also to validate the organization’s ability to detect, respond to, and recover from a realistic and coordinated cyberattack.

What is TLPT and Why Are Standard Penetration Tests No Longer Enough?
  • Full-spectrum attack simulation: intrusion, lateral movement, privilege escalation, persistence, data exfiltration.
  • Based on current threat intelligence and sector-specific scenarios.
  • Requires detailed scope definition, rules of engagement, identification of critical systems, and test objectives.
Technically, TLPT demands deep knowledge of adversarial tactics — including exploitation of zero-days, social engineering, code obfuscation, or attacks on the supply chain.


Key Differences: TLPT vs. Standard Penetration Testing


What Does DORA Require in Relation to TLPT?
  • Tests must reflect the current threat landscape, not a generic scenario
  • Scope must include critical functions/systems, the failure of which would impact stability
  • TLPT must be performed by external, independent, and certified testers
  • Findings must lead to remediation, possible re-testing, and regulatory reporting

For entities under DORA, compliance includes strict control of test frequency, documentation, and communication with authorities (e.g. ECB, CNB). The active red-teaming phase must last at least 12 weeks, to realistically emulate stealthy threat actors.


What are the requirements for testing teams?
DORA also emphasizes the quality and qualifications of entities performing advanced tests. Testers must meet strict criteria, such as:
  • They must be renowned experts, with proven technical and organizational skills and specific knowledge;
  • Testers must be certified and have completed independent audits or confirmation of proper risk management during testing;
  • They must have adequate liability insurance in case of damage caused.

If the institution would like to use its own internal red team, it must obtain the approval of the regulator and ensure the organizational independence of the internal team (avoid conflicts of interest). Operational information about threats for the scenario must be provided by an external provider.

TLPT Workflow: What Does Testing Look Like in Practice?
  • Identify target applications, internal access, IPs, DNS, and metadata.
  • Analyse available application/system data, services, versions.
  • Monitor traffic to identify possible data leaks or exposures.
  • Scan for active hosts, ports, APIs, services.
  • Identify users, groups, accessible functions and permissions.
  • Scan and assess OS, database, and application layer vulnerabilities using tools like Qualys, Nessus, Burp Suite, etc.
  • Attempt exploitation to gain unauthorized access or extract data.
  • Further explore the environment, escalate privileges, pivot.
  • Deliver a comprehensive report with findings, recommendations, evidence.
  • Clear testing traces, restore the system to its original state, minimize impact.

Why Choose BDO?
  • Regulatory Alignment: we execute TLPT in accordance with requirements from ECB, EBA, ESMA, and frameworks such as TIBER-EU. 
  • Red Team Expertise: our methodology combines deep red teaming, regulatory knowledge, and technical excellence tailored to the financial sector.
  • Independence & Trust: as an advisory firm with no vendor lock-in, BDO provides objective, regulator-trusted evaluation.
  • Certified Red Team with Real-World Experience: our specialists hold top-tier certifications such as OSCP, CRTO, eCPPT, BSCP, CEH, CRT, CPSA, CISSP, CCISO, and more. We have successfully tested major banks, insurers, and ICT providers across Europe.

Original content provided by BDO Czech Republic

Key Contacts

Get in touch with our experts


Ivan Spiteri

Director of Technology Advisory & Assurance

Benjamin Zahra

Technology Advisory & Assurance Assistant Manager