DORA · Art.26 · TLPT · TIBER-EU Framework

DORA TLPT Scope & Frequency Assessor

Determine if your financial entity qualifies for Threat-Led Penetration Testing (TLPT) under DORA Article 26 and assess TIBER-EU/CBEST framework obligations. Map TLPT scope, 3-year cycle, and programme readiness.

DORA Art.26 · TIBER-EU · 3-Year Cycle · Zero PII

🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.

Panel 01 · Entity Classification
Panel 02 · Current Testing Programme
Panel 03 · TLPT Programme Readiness
TLPT Scope Assessment
AP2 Policy Mandate · CC BY 4.0 · Post Oak Labs

Regulatory Citations

[1] Regulation (EU) 2022/2554 (DORA) Article 26 — Threat-Led Penetration Testing. Significant financial entities must conduct TLPT at least every 3 years covering all critical or important ICT systems and processes. NCAs designate which entities are subject.
[2] Commission Delegated Regulation (EU) 2024/1696 — DORA RTS on TLPT. Specifies scope, methodology, testers' requirements, results sharing, and NCA oversight of TLPT programmes under DORA. Effective from 17 January 2025.
[3] TIBER-EU Framework — ECB Intelligence-Led Red Team Testing Framework (2018, updated 2022). Three-phase approach: Preparation (scope, threat intelligence procurement), Testing (threat intelligence, red team testing), Closure (reporting, remediation, attestation). Recognised under DORA RTS.
[4] CBEST Intelligence-Led Testing Framework — Bank of England (2022 revision). UK equivalent of TIBER-EU. Entities with UK and EU presence may benefit from mutual recognition of TLPT results under DORA Art.26(7).
[5] DORA Article 3(17) — definition of significant financial entities subject to TLPT. NCAs must notify entities of TLPT designation. Criteria include systemic importance, cross-border operations, and critical function designation.