DORA Article 26 makes threat-led penetration testing (TLPT) mandatory, at least once every three years, for the most significant financial entities operating in EU markets. Unlike conventional penetration testing, which evaluates defined systems against known vulnerability classes, TLPT is a controlled, intelligence-driven attack simulation that models the tactics, techniques and procedures of the real threat actors most likely to target the specific institution. The first designated TLPT cycles for in-scope entities began in 2026; the Joint Committee of the European Supervisory Authorities (EBA, EIOPA and ESMA) published the final draft Regulatory Technical Standards on TLPT in July 2024, building on the TIBER-EU framework. For Swiss banks and insurers with material EU subsidiary operations, the question is no longer whether TLPT applies to them but whether they have built the capability to execute it.
Who Is in DORA TLPT Scope — and How Designation Works
DORA Article 26 does not apply to every financial entity covered by the regulation. TLPT is designated for the most significant entities, broadly those whose disruption would have a material impact on EU financial stability. The competent authority in each member state identifies designated entities against the factors in Article 26(8): the impact of the entity's services and activities on the financial sector, financial stability concerns (including cross-border activity), and the entity's ICT risk profile and ICT maturity. Supervisory estimates suggest that designated entities represent approximately 20 percent of DORA-covered financial institutions by count, but a substantially higher proportion by systemic weight.
For Swiss financial groups, TLPT designation operates at the EU subsidiary level. A Swiss parent that is not itself a DORA-covered entity will have its EU banking or insurance subsidiaries assessed independently for designation by the NCA of the member state where the subsidiary is authorised. Swiss groups that have structured their EU operations through multiple subsidiary entities — a common pattern for banks providing both retail and investment banking services — may have two or more separately designated entities requiring distinct TLPT programmes.
TLPT designation is not necessarily permanent. NCAs reassess designation status on a rolling basis, and entities can be added to or removed from the designated pool as their systemic profile changes. Swiss financial groups that have grown their EU subsidiary footprints through acquisitions or organic expansion in recent years should verify current designation status directly with the relevant NCA rather than assuming the pre-acquisition assessment remains valid.
What TLPT Actually Requires — The TIBER-EU Framework in Practice
TIBER-EU, the framework on which DORA's TLPT standard is built, defines a three-phase test structure (preparation, testing, closure) that distinguishes it fundamentally from conventional penetration testing. In the preparation phase the entity and the authority agree the scope, that is, the critical functions and the systems supporting them, and the entity procures its providers; a small control team inside the entity (TIBER-EU's white team) is the only internal party that knows a test is coming. The testing phase opens with a Threat Intelligence Provider (TIP) producing a targeted threat intelligence report specific to the institution: which threat actor groups are most likely to target it, which techniques those actors use, which of the entity's critical functions are the highest-priority targets, and what realistic attack paths to those functions look like. This report drives the rest of the test. It is produced not by the red team but by a separate provider, and DORA requires the TIP to be external to the entity even where internal testers are used.
The red team, which may be an external provider or, subject to the conditions in Article 26(8), an internal team, then uses the intelligence to run a controlled attack simulation against the entity's live production environment, targeting the critical functions identified in the report. It operates against real systems, not test environments, using attacker techniques scoped to the intelligence assessment. The blue team (the entity's own security operations) is not told that a test is in progress and responds to the red team's activity as it would to a genuine attack; only the control team knows. This blind condition is what makes TLPT fundamentally different from purple-team exercises or conventional penetration tests that the security team knows are happening.
The closure phase documents the red team's findings, the blue team's detection and response performance, and remediation requirements; TIBER-EU also includes a replay and purple-teaming session in which red and blue teams walk through the attack paths together. Under Article 26(6) the entity submits to the authority a summary of the relevant findings, its remediation plan and documentation showing the test was conducted in line with the requirements, and the authority issues an attestation in return; the full technical red team report stays with the entity under confidentiality. Remediation of critical findings is tracked and can be subject to follow-up assessment.
Why Swiss-Linked Entities Are Under-Prepared
Swiss financial institutions have mature penetration testing programmes built around established frameworks — FINMA Circular 2023/1 on operational risks includes requirements for regular testing of ICT security measures, and most larger institutions maintain annual penetration testing engagements. This existing testing posture creates a false sense of readiness for DORA TLPT. The differences are operationally significant.
Standard penetration testing engagements are scoped by the entity, test specific systems or applications, and are conducted with full knowledge of the security team. The testing team is typically a commercial provider selected by the entity's security function. Test findings go directly to the security team for remediation. The entire exercise is an internal governance activity with no regulatory oversight of methodology or findings.
DORA TLPT operates under NCA oversight of scoping, provider qualification, and findings. The TIP and the red team must meet the tester requirements of DORA Article 27: suitability and reputability, demonstrated technical and organisational capability, certification by an accreditation body in a member state or adherence to a formal code of conduct, and professional indemnity insurance. Neither DORA nor TIBER-EU accredits providers centrally, so verifying them is the entity's responsibility. The test scope is driven by the threat intelligence output, not by the entity's own assessment of what to test. Blue team blindness is mandatory. The NCA receives the summary report and remediation plan. An entity that has run annual pen tests for a decade has not run a TIBER-EU-aligned TLPT, and the gap in complexity, governance, and cost is substantial.
◆ Key Takeaway
DORA TLPT is not a more rigorous version of conventional penetration testing. It is a structurally different exercise requiring providers that meet the Article 27 tester requirements, NCA oversight, blind blue team conditions, and threat intelligence-led scoping. Swiss financial groups whose EU subsidiaries are designated for TLPT but whose security teams have only conventional pen test experience will encounter a capability and procurement gap that cannot be closed quickly. The time to assess readiness is now, not when NCA notification arrives.
Preparing for TLPT — A Practical Roadmap for Swiss Financial Groups
The preparation timeline for a first TLPT engagement is substantially longer than for a conventional penetration test. Identifying and vetting TIP and red team providers against the Article 27 requirements, scoping the critical functions that will be in scope for the test, coordinating with the NCA on test parameters, and completing the threat intelligence work before the red team engagement begins typically requires six to twelve months of lead time for a well-prepared entity. Entities that have not started this process when the NCA designation notification arrives are already behind the preparation curve.
Critical or important functions, which DORA Article 3(22) defines as functions whose disruption would materially impair the entity's financial performance, the soundness or continuity of its services and activities, or its continued compliance with the conditions of its authorisation, must be identified and documented before TLPT scoping can begin. For Swiss financial groups, this typically means mapping the EU subsidiary's core banking, payment processing, trading, and client-facing digital service infrastructure to identify which systems, if compromised, would constitute a material disruption. This mapping is itself a requirement of DORA Article 8 (identification of ICT-supported business functions and the assets supporting them) within the Article 6 ICT risk management framework, and entities that have not completed it cannot begin meaningful TLPT preparation.
- Confirm TLPT designation status for each EU subsidiary with the relevant NCA — do not assume non-designation; request written confirmation and understand the NCA's reassessment timeline.
- Complete the critical functions mapping required by DORA Article 8 (within the Article 6 ICT risk management framework) if not already done; it is both a standalone ICT risk management requirement and the prerequisite for TLPT scoping.
- Identify Threat Intelligence Providers and red team providers that meet the DORA Article 27 tester requirements and have TIBER-EU experience in the relevant member state. Neither DORA nor TIBER-EU maintains a central accreditation register, so the entity must verify certifications, capability evidence and insurance itself; the pool of suitable providers is limited and lead times for engagement are long.
- Assess your blue team's capability to respond to a realistic, unannounced attack against production systems — gaps in detection coverage, SIEM rule quality, or incident response playbooks identified during TLPT will be in the NCA report; finding and addressing them in advance reduces regulatory exposure.
- Brief FINMA on your EU subsidiary's TLPT obligations if FINMA has not specifically addressed TLPT in your supervisory dialogue — FINMA does not currently mandate TIBER-EU-aligned testing for Swiss entities, but DORA obligations on EU subsidiaries create a cross-border governance coordination requirement.
- Allocate dedicated budget for TLPT — accredited TIP and red team engagements cost substantially more than standard penetration tests; budget planning that does not account for TLPT as a distinct line item will not survive contact with actual provider quotes.
DORA TLPT is the most operationally demanding requirement in the regulation — more technically complex than incident reporting, more governance-intensive than ICT risk management documentation, and more resource-intensive than third-party risk assessments. Swiss financial groups that have treated DORA compliance as a documentation exercise are encountering the limits of that approach as TLPT designation cycles begin and NCA engagement becomes direct. The groups that have mapped their critical functions, assessed their blue team capabilities, and begun provider identification are positioned to execute a credible first TLPT cycle. The ones that have not are accumulating a preparation gap that only time and organised effort can close.