
1. Why TLPT matters under DORA
Threat-Led Penetration Testing (TLPT) occupies a distinct place within the DORA framework. It is not intended to be another technical control, nor a more advanced form of penetration testing. Its purpose is fundamentally different.
From a supervisory perspective, TLPT is designed to test whether an organisation can withstand, respond to, and learn from severe but plausible operational disruption scenarios. The focus is not on individual system weaknesses, but on the resilience of critical services as a whole, including governance, decision-making, dependencies, and response coordination.
This distinction is often underestimated. Many organisations approach TLPT with a technical or security-testing mindset, only to discover that supervisory expectations extend far beyond tooling, vulnerabilities, or test execution. Under DORA, TLPT is explicitly positioned as a mechanism to assess operational resilience in practice, not compliance on paper.
2. TLPT under DORA: the supervisory framing
DORA introduces TLPT as a mandatory capability for certain financial entities, but it does not define it in isolation. Instead, supervisory expectations for TLPT are closely aligned with the principles established under the TIBER-EU framework, which has been developed and applied by European authorities for several years.
The TIBER-EU framework provides a practical supervisory model for intelligence-led testing, emphasising realism, governance, and learning outcomes. Under DORA, TLPT builds on this model by embedding it within a broader regulatory obligation for digital operational resilience.
While TIBER-EU has historically been associated with euro area institutions and ECB-led supervision, its relevance under DORA extends beyond those boundaries. The framework reflects supervisory thinking about how advanced testing should be conducted, governed, and used — and it strongly influences how TLPT expectations are interpreted in practice.
For organisations subject to DORA, understanding this supervisory lineage is critical. TLPT is not simply a new requirement introduced by DORA; it is the regulatory formalisation of an existing supervisory approach to resilience testing.
3. The TLPT lifecycle as supervisors see it
From a supervisory perspective, TLPT is not assessed as a single testing event. Attention is directed instead to the end-to-end lifecycle of the exercise, from initial governance decisions through to remediation and learning. Weaknesses at any stage of this lifecycle can materially undermine the value of the testing, regardless of how sophisticated the execution phase may appear.
Supervisors therefore tend to focus less on individual technical findings and more on whether the organisation demonstrates control, realism, and maturity across the full TLPT process.
Governance and preparation
Supervisory scrutiny begins well before any testing activity takes place. At this stage, the focus is on ownership, accountability, and intent.
Key questions typically include:
- Whether senior management and relevant governing bodies understand the purpose and implications of TLPT
- Whether roles and responsibilities are clearly defined across business, risk, IT, and security functions
- Whether decision-making authority is established for scope approval, risk acceptance, and remediation prioritisation
Weak governance at this stage is often reflected later in constrained scoping, limited challenge, or ineffective follow-up. From a supervisory viewpoint, TLPT readiness is closely linked to the organisation’s ability to treat the exercise as a strategic resilience assessment rather than a technical compliance task.
Scope definition and critical services
Scope definition is one of the most sensitive elements of TLPT, and a primary area of supervisory attention. The emphasis is not on the number of systems tested, but on whether the exercise meaningfully targets critical services and their supporting dependencies.
Supervisors typically assess:
- How critical services are identified and justified
- Whether end-to-end service delivery is considered, including people, processes, technology, and third parties
- Whether scoping decisions are risk-based rather than convenience-driven
Particular attention is often paid to exclusions. Where key services, systems, or providers are left out of scope, supervisors will expect clear and defensible reasoning. Repeatedly narrow or conservative scoping choices may be interpreted as an indication of limited operational resilience maturity.
Execution and intelligence-led testing
During execution, supervisory interest is less concerned with the mechanics of testing and more with realism and control.
This includes:
- The quality and relevance of threat intelligence used to design scenarios
- The extent to which testing reflects plausible attacker behaviour rather than predefined scripts
- The organisation’s ability to manage the exercise safely without diluting its effectiveness
Execution is also viewed as a test of coordination under pressure. How teams communicate, escalate issues, and make decisions during the exercise can be as informative as the technical outcomes themselves.
Remediation, reporting, and learning
The final phase of the TLPT lifecycle is often where supervisory expectations are least well met. While execution may receive significant attention, remediation and learning frequently receive less sustained focus.
Supervisors will typically look for:
- Clear prioritisation of findings based on service impact and risk
- Senior oversight of remediation plans and timelines
- Evidence that lessons learned are incorporated into broader resilience and control improvements
TLPT is not expected to eliminate risk. However, it is expected to drive measurable learning and improvement. Where findings are repeatedly deferred, narrowly addressed, or treated in isolation, supervisors may question whether the organisation is deriving genuine resilience value from the exercise.
4. Where firms typically misjudge TLPT readiness
Despite increasing familiarity with TLPT concepts, supervisory experience suggests that many firms continue to misjudge their level of readiness. These misjudgements are rarely the result of a single gap; they more often reflect underlying assumptions about the purpose and scope of TLPT.
One common issue is the treatment of TLPT as a predominantly technical exercise. While technical execution is an important component, supervisors consistently view TLPT as a test of organisational resilience rather than system security alone. Where focus remains narrowly on vulnerabilities and exploits, broader questions of service continuity, governance effectiveness, and decision-making under stress can be left insufficiently explored.
A second area of misjudgement relates to senior ownership. In some cases, TLPT is delegated to specialist teams with limited engagement from senior management beyond formal approval points. From a supervisory perspective, this can indicate a disconnect between the strategic importance of TLPT and its operational execution. Effective TLPT requires sustained senior involvement, particularly when making trade-offs around scope, risk acceptance, and remediation prioritisation.
Third-party dependencies present another frequent challenge. While DORA explicitly emphasises ICT third-party risk, organisations may still struggle to reflect this fully in TLPT scoping and execution. Supervisors tend to look closely at whether critical external providers are meaningfully incorporated into testing scenarios, rather than treated as peripheral considerations or excluded on practical grounds.
Finally, firms often underestimate the effort required after execution. Remediation planning, validation, and learning are sometimes approached as follow-on activities rather than integral components of TLPT. Where findings are addressed narrowly or deferred without clear rationale, supervisors may question whether the exercise has led to genuine improvements in operational resilience.
Taken together, these patterns suggest that TLPT readiness is less about technical sophistication and more about organisational maturity. Firms that approach TLPT as a one-off requirement may meet minimum expectations, but they are unlikely to demonstrate the depth of resilience insight supervisors increasingly expect under DORA.
5. What “TLPT readiness” actually means
From a supervisory standpoint, TLPT readiness is rarely assessed as a binary state. It is not defined by the completion of a single exercise, nor by the absence of findings. Instead, it reflects an organisation’s capacity to engage with TLPT as a learning mechanism and to translate outcomes into sustained improvements in operational resilience.
Readiness is therefore closely linked to governance maturity. Firms that demonstrate clear ownership, informed decision-making, and realistic prioritisation of remediation tend to be viewed more favourably than those that focus primarily on technical depth or test complexity. Supervisors typically look for evidence that TLPT outcomes are understood and acted upon beyond specialist teams, particularly where trade-offs between risk, resilience, and operational continuity must be made.
Operational understanding is another key dimension. TLPT-ready organisations are generally able to articulate how critical services are delivered in practice, how dependencies interact under stress, and where vulnerabilities may emerge across organisational boundaries. This understanding allows testing scenarios to be scoped and interpreted in a way that meaningfully reflects real-world disruption risk. In practice, organisations often use structured diagnostics, such as a DORA Readiness Scorecard, to establish a baseline view of readiness before or alongside TLPT activity.
Finally, readiness is increasingly associated with continuity and progression. Supervisors do not expect TLPT to eliminate risk, but they do expect each exercise to build on the last. Where organisations can demonstrate that insights from previous testing have informed governance decisions, control enhancements, and future testing design, TLPT is more likely to be seen as an embedded resilience capability rather than a regulatory obligation.
In this sense, TLPT readiness under DORA is less about passing a test and more about sustaining a credible approach to resilience assessment over time.
Scope note and sources
This article provides interpretive guidance on supervisory expectations relating to Threat-Led Penetration Testing (TLPT) under the Digital Operational Resilience Act (DORA). It is intended to support understanding of how regulatory requirements may be viewed and applied in practice.
Supervisory framing and lifecycle considerations discussed above draw in particular on the TIBER-EU framework and related implementation guidance, including the TIBER-EU SSM Implementation Guide: How to implement the TIBER-EU framework for the DORA TLPT of significant institutions (European Central Bank, 2025).
This article does not constitute legal advice and should not be relied upon as a substitute for formal regulatory guidance or supervisory communication.