
The European Union’s Digital Operational Resilience Act (DORA) is driving a transformative shift in how financial institutions across Europe prepare for and defend against cyber threats.
At the core of this new regulation is Threat-Led Penetration Testing (TLPT), a methodology designed to simulate real-world attacks and identify vulnerabilities before malicious actors exploit them.

“TLPT goes far beyond traditional compliance checks,” according to Maurice Schubert, a partner at Deloitte in Luxembourg.
“It’s an intelligence-driven exercise that allows institutions to truly understand how a threat actor might penetrate their systems. That insight is invaluable in today’s dynamic threat landscape,” Schubert explained.
Unlike standard penetration tests, TLPT mirrors the tactics, techniques, and procedures of sophisticated adversaries. This realism is critical, Schubert stressed, because “attackers are constantly evolving.”
He added: “Static models can’t keep up, which is why TLPT leverages real-time intelligence and adversarial simulation to stay one step ahead.”
TIBER-EU
According to Schubert, frameworks like TIBER-EU, the Threat Intelligence-Based Ethical Red Teaming model, have laid the foundation for DORA’s TLPT requirements.
TIBER-EU is a common European framework, developed by the European Central Bank together with national authorities, for running realistic, intelligence-led red-team tests against live production systems, originally aimed at financial entities.
Its goal is to improve cyber resilience by simulating sophisticated, real-world attackers based on bespoke threat intelligence, then testing detection, response and recovery in a controlled way.
Under DORA, financial entities classified as critical must undergo a full TLPT every three years, conducted by independent and qualified external teams.
“This isn’t just another audit. It’s a hands-on, simulated cyberattack that exposes the true resilience of an organisation,” Schubert said. “It identifies paths to compromise that would likely go unnoticed in routine testing.”
TLPT begins with a rigorous planning and scoping phase, where institutions identify their critical assets and define regulatory and operational requirements.
“The goal is to tailor the test to what really matters, the most valuable systems and data,” Schubert wrote in a recent Deloitte analysis.
What makes TLPT especially potent is its integration of up-to-date threat intelligence. “We’re not guessing how attackers operate, we’re watching them. From dark web chatter to recent breach patterns, the intelligence feeds are what make TLPT credible and effective,” Schubert explained.
This intelligence guides a red team through reconnaissance and emulation of real threat actors. “We see lateral movement, privilege escalation, and stealth techniques that challenge even mature cybersecurity setups,” said Schubert.
The findings are then compiled into a detailed report, highlighting exploited weaknesses and delivering actionable remediation strategies.
Operational complexity
The impact of TLPT on cyber resilience is clear. “Institutions come out of these exercises with a radically improved understanding of their threat landscape and response readiness,” Schubert argued.
He pointed to improvements in incident response protocols, SIEM configurations, and team collaboration through Purple Teaming, where offensive (red) and defensive (blue) teams work in tandem.
However, implementing TLPT is not without hurdles.
“Operational disruption is a legitimate concern. These tests can’t be run without careful orchestration and built-in safeguards like kill-switch mechanisms,” Schubert said, while also emphasising the difficulty of sourcing expert red teamers who can emulate advanced threat actors credibly and ethically.
Furthermore, regulatory alignment is complex.
“Institutions must navigate multiple layers of compliance and reporting. Approval timelines, data privacy concerns, and cross-border coordination all add to the challenge,” he said. “But the payoff is worth it. TLPT enables organisations to move from reactive to truly proactive defence.”
In Schubert’s view, TLPT is not just a checkbox under DORA; it is a “strategic imperative.”
“DORA has made TLPT mandatory, but forward-looking organisations see it as a catalyst,” he summarised. “It’s a mechanism for continuous improvement, helping teams adapt their defences with every testing cycle.”
Schubert concluded by warning that “if you want to build real operational resilience, TLPT is not optional. It’s essential.”