Menu
Join my newsletter
6. Resilience Testing & TLPT
This guide outlines the comprehensive testing requirements under DORA (Digital Operational Resilience Act), with a focus on ICT resilience testing and threat-led penetration testing (TLPT). It provides practical implementation guidance while ensuring compliance with regulatory requirements. For related capabilities, refer to respective guides on ICT risk management, incident response, business continuity, and other domains.

by Sylvan Ravinet

The StratOps way to accelerate DORA
This guide on Resilience Testing and TLPT can help you achieve DORA compliance. Faster. Part of my 12-capabilities cyber framework.
Before continuing, make sure you are subscribed to StratOps!
Get weekly insights in your email
My StratOps newsletter helps cybersecurity experts achieve more, faster.
It's Free! For now.
Have feedback? Connect with me on Linkedin
1. Overview of Resilience Testing & TLPT in DORA
1.1 Regulatory sources
  • DORA Regulation 2022/2554, Article 26: Core testing requirements and TLPT
  • RTS 2024/XX on testing framework standardization
  • National Competent Authority (NCA) frameworks:
  • TIBER-EU for threat intelligence-led testing
  • National variations (TIBER-DE, TIBER-NL, etc.)
  • Related standards: ISO/IEC 27002, NIST SP 800-53A
2. Testing Framework Requirements
2.1 Testing Program Elements
Risk-based approach aligned with ICT risk management framework
Annual comprehensive testing program with clear objectives
Testing of critical ICT systems and services identified through criticality assessment
Independent testing verification by qualified internal or external testers
Regular reporting to management body with actionable insights
Integration with change management and release processes
Clear testing metrics and success criteria
2.2 Types of Required Testing
Vulnerability Assessments
  • Regular automated scanning
  • Manual deep-dive assessments
  • Web application security testing
  • API security testing
Network Security Testing
  • Infrastructure security testing
  • Network segmentation validation
  • Wireless network security
  • Remote access security
Source Code Reviews
  • Static Application Security Testing (SAST)
  • Software composition analysis
  • Secure coding practices validation
  • Technical debt assessment
Configuration Reviews
  • Security configuration assessment
  • Hardening validation
  • Cloud configuration review
  • Access control validation
Scenario-based Testing
  • Business continuity scenarios
  • Disaster recovery testing
  • Crisis management exercises
  • Data breach response simulation
Performance Testing
  • Load testing of critical systems
  • Stress testing at peak conditions
  • Scalability assessment
  • Resilience validation
TLPT for qualifying entities
  • Advanced persistent threat simulation
  • Social engineering testing
  • Physical security testing
  • Red team exercises
3. TLPT Implementation
3.1 Scope and Frequency
Per DORA Article 26:
Required for significant financial entities
Minimum frequency of every 3 years
Focus on critical functions and services
Must be threat-intelligence led
3.2 TLPT Requirements
Independent qualified testers with proven expertise
Testing based on current threat landscape and intelligence
Real-world attack simulation using latest TTPs
Multiple attack vectors testing across technical and human elements
Controlled environment execution with proper safeguards
Regular updates to scenarios based on emerging threats
Clear separation between testing and production environments
Defined success criteria and acceptable risk thresholds
3.3 TLPT Process

1

1
Planning Phase
  • Scope definition
  • Threat intelligence gathering
  • Test scenario development
  • Resource allocation

2

2
Execution Phase
  • Controlled testing
  • Attack simulation
  • Response monitoring
  • Evidence collection

3

3
Reporting Phase
  • Findings documentation
  • Risk assessment
  • Remediation planning
  • Management reporting
4. Testing Management
4.1 Test Planning
  • Annual testing schedule with quarterly reviews
  • Resource allocation based on system criticality
  • Third-party coordination and access management
  • Regulatory alignment and compliance tracking
  • Risk-based prioritization of test cases
  • Clear definition of testing boundaries
  • Contingency planning for critical findings
  • Integration with change management process
4.2 Documentation Requirements
  • Testing policies and procedures with version control
  • Test plans and scenarios with clear objectives
  • Results and findings with severity classification
  • Remediation tracking with timelines
  • Regulatory reporting templates
  • Evidence preservation guidelines
  • Test environment specifications
  • Security clearance documentation
4.3 Quality Assurance
  • Testing methodology validation
  • Tester qualification verification
  • Results quality control
  • Independent review process
  • Continuous improvement
5. Integration Points
5.1. ICT Risk Management
  • Risk assessment inputs
  • Control testing alignment
5.2. ICT Third-Party Risk
  • Third-party testing requirements
  • Service provider coordination
5.3. Incident Management
  • Scenario development
  • Response testing
6. Common Challenges and Solutions
6.1 Scope Management
Challenge: Determining appropriate test coverage Solution:
  • Risk-based scoping
  • Clear criticality criteria
  • Regular scope review
6.2 Resource Constraints
Challenge: Meeting testing requirements with limited resources Solution:
  • Prioritize critical systems
  • Leverage automation
  • Consider managed services
6.3 Technical Complexity
Challenge: Testing complex interconnected systems Solution:
  • Modular testing approach
  • Clear system boundaries
  • Phased execution
7. Key Success Factors
Clear testing strategy
Management support
Resource commitment
Documentation discipline
Regular review and updates
Independent verification
Remediation tracking
8. Regulatory Reporting
8.1 Required Reports
  • Annual testing program summary
  • TLPT results and remediation plans
  • Critical findings and mitigation status
  • Testing coverage metrics
  • Independent assessment results
8.2 Reporting Timeline
  • Quarterly updates to management
  • Annual comprehensive review
  • Ad-hoc reporting for critical findings
  • Regulatory notification requirements
9. Continuous Improvement
9.1 Program Evolution
  • Regular framework assessment
  • Emerging threat incorporation
  • Testing tool evaluation
  • Methodology updates
  • Feedback integration
9.2 Maturity Assessment
  • Capability maturity model
  • Gap analysis process
  • Improvement roadmap
  • Success metrics
  • Benchmark against peers
10. Practical Tools and Frameworks
10.1 Resilience Testing Tools
Chaos Engineering Tools
  • Gremlin
  • Chaos Monkey
  • AWS Fault Injection Simulator
Disaster Recovery Platforms
  • Zerto
  • Veeam
  • VMware Site Recovery Manager
10.2 Security Testing Tools
Network Vulnerability Scanners
  • Nessus Professional
  • Qualys VM
  • OpenVAS
Web Application Testing
  • Burp Suite Enterprise
  • OWASP ZAP
  • Acunetix
Infrastructure Testing
  • Metasploit Framework
  • Nmap
  • Wireshark
10.3 Performance Testing
Load Testing
  • Apache JMeter
  • K6
  • Gatling
Stress Testing
  • stress-ng
  • Prime95
  • AIDA64
Links to Related DORA Compliance Themes
For a comprehensive understanding of DORA compliance, this guide aligns with the following related topics:
For detailed implementation guidance, refer to DORA's RTS and ITS documentation and related guides within this compliance series.
The StratOps way to accelerate DORA
CISO & Advisor | My StratOps newsletter helps cybersecurity experts achieve more, faster.

I hope this guide on Resilience Testing and TLPT will help your team achieve DORA compliance.
Have feedback? Let’s connect on LinkedIn
Not yet a member? Get insights & more resources in the StratOps newsletter
🚀 Accelerate your DORA implementation with StratOps
Implementation kits are a great start, but real resilience requires structured execution.
Join my StratOps trainings to master DORA’s 12 capabilities and fast-track compliance.