For the first time since the Digital Operational Resilience Act (DORA) came into force, European financial entities are receiving official notifications to undergo Threat-Led Penetration Testing (TLPT). This is not a routine compliance exercise. It is a live, regulator-mandated simulation of a real cyberattack against your organisation's most critical systems, and the results will determine how supervisors view your operational resilience for years to come.
If your organisation is a bank, insurer, asset manager, payment provider, or an ICT service provider supporting any of these, 2026 is the year DORA stops being a compliance document and starts being an operational reality. Here is exactly what is happening, what is required of you, and how to prepare.
From Guidance to Enforcement: Where DORA Stands in 2026
DORA has been fully enforceable since January 17, 2025, following a two-year transition period. Unlike NIS2, which required each EU member state to transpose it into national law, DORA is a regulation, meaning it applies directly and uniformly across all member states without national variation. This is the regulatory backbone for ICT risk management across the EU financial sector.
What makes 2026 distinct is that European Supervisory Authorities, the EBA, EIOPA, and ESMA, have now finalised the detailed Regulatory and Implementing Technical Standards that specify exactly how compliance must be demonstrated. Supervisors are no longer issuing guidance. They are conducting audits, scrutinising ICT third-party contracts, and issuing the first formal TLPT notifications to in-scope entities.
What Is Threat-Led Penetration Testing (TLPT) Under DORA?
TLPT is DORA's most advanced testing requirement. It mandates that designated financial entities undergo a controlled, intelligence-led simulated cyberattack against their live production systems, replicating the tactics of real threat actors rather than running a standard vulnerability scan.
Entities that receive a TLPT notification have a defined timeline to respond: three months to submit initiation documents, followed by six additional months to deliver a detailed scope specification before testing begins. This is a significant undertaking that touches threat intelligence, red-team execution, and senior management sign-off, not something that can be arranged in the final weeks before a deadline.
The first wave of TLPT notifications is being issued in late 2026, with subsequent waves continuing into 2027. Entities should not assume they are out of scope simply because they have not yet been notified. Designation criteria consider systemic importance, and the list of in-scope entities is expected to expand.
The Register of Information: Your Most Urgent 2026 Deadline
While TLPT is the headline-grabbing requirement, the Register of Information (RoI) under Article 28 of DORA is the obligation affecting every single financial entity in scope, right now. The RoI is a comprehensive register documenting all contractual arrangements with ICT third-party service providers, covering everything from your cloud infrastructure provider to your data analytics vendor.
National competent authorities must consolidate and forward these registers to the European Supervisory Authorities by March 31, 2026, using a reference date of December 31, 2025. Individual countries have set their own internal submission windows ahead of this backstop date. For example, German entities submit to BaFin between March 9 and 30, Dutch entities submit to DNB or AFM by March 20, and Irish entities submit to the Central Bank of Ireland between March 2 and 31.
This is widely regarded as the most data-intensive obligation under DORA. During the European Supervisory Authorities' 2024 dry-run exercise, only a small fraction of nearly 1,000 participating firms successfully passed all data quality checks on their first attempt, underscoring just how easy it is to get this wrong. Submissions must follow a strict xBRL-CSV format, and errors trigger a resubmission cycle that can quickly eat into your remaining time.
Why ICT Third-Party Providers Should Pay Close Attention Too
DORA's reach extends well beyond banks and insurers. If your organisation provides software, cloud hosting, cybersecurity services, or any technology service to a financial entity operating in the EU, you are part of the ecosystem DORA regulates, even if you are not directly supervised.
The European Supervisory Authorities have already published an official list of Critical ICT Third-Party Providers, including major hyperscale cloud providers and global technology and telecom firms. These designated providers face direct oversight from Joint Examination Teams. Financial entities relying on any of these providers must document the dependency in their Register of Information and assess concentration risk accordingly. In practice, this means your financial sector clients will increasingly demand proof of your own security posture, incident response capability, and resilience testing before renewing contracts.
DORA vs NIS2: Understanding the Overlap
Many organisations operating in regulated sectors are now navigating both DORA and NIS2 simultaneously, and the relationship between the two matters. DORA acts as lex specialis to NIS2 for the financial sector, meaning that where the two frameworks overlap, DORA's more specific and stringent requirements take precedence for in-scope financial entities.
If your organisation has already built NIS2 compliance processes around incident reporting, risk management, and supply chain oversight, you have a meaningful head start. However, DORA introduces requirements that go further, particularly around the Register of Information and Threat-Led Penetration Testing, which have no direct equivalent under NIS2. Equally, a strong ISO 27001 information security management system provides a solid foundation, since a large proportion of ISO 27001 controls map directly onto DORA's ICT risk management pillar.
Your DORA 2026 Compliance Checklist
- Confirm your in-scope status: Determine whether your organisation, or your role as an ICT provider to financial entities, falls within DORA's regulatory perimeter.
- Build and validate your Register of Information: Document every ICT third-party contractual arrangement at entity, sub-consolidated, and consolidated level, formatted correctly for xBRL-CSV submission.
- Map your national submission window: Confirm your country's specific RoI deadline ahead of the March 31, 2026 ESA backstop date.
- Run internal data quality checks: Validate LEI and entity identifiers, check for duplicate records, and confirm consistency across all contracts before submission.
- Prepare for TLPT readiness: Even without a notification yet, establish threat intelligence capability, red-team processes, and senior management sign-off procedures.
- Review your ICT risk management framework: Ensure it is documented, board-approved, and reviewed on an ongoing basis as DORA requires.
- Strengthen incident reporting workflows: DORA requires major incidents to be reported within hours, not days, so test your detection and escalation timelines.
- Reassess critical ICT third-party dependencies: Identify any reliance on designated Critical ICT Third-Party Providers and document concentration risk.
- Align with existing ISO 27001 or NIS2 programmes: Avoid duplicating effort by mapping shared controls across frameworks.
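As an added illustration of the "Run internal data quality checks" item (example code written for this page, not from the post or from Vista Infosec): LEI check-digit validation under ISO 17442 (ISO 7064 MOD 97-10) and duplicate-arrangement detection run over a small constructed register. The column names and sample rows are assumptions for the demonstration, not the official xBRL-CSV template.

```python
# Added example, not from the original post: pre-submission RoI data quality
# checks (LEI checksum, duplicate contractual arrangements) on constructed rows.
import csv
import io
from collections import Counter


def _lei_digits(s: str) -> str:
    # ISO 7064 MOD 97-10 transformation: A..Z become 10..35, digits unchanged.
    return "".join(str(int(c, 36)) for c in s.upper())


def lei_checksum_ok(lei: str) -> bool:
    """True if `lei` is a 20-character ISO 17442 code whose check digits verify."""
    lei = lei.strip().upper()
    if len(lei) != 20 or not lei.isalnum() or not lei[-2:].isdigit():
        return False
    return int(_lei_digits(lei)) % 97 == 1


def lei_with_check_digits(prefix18: str) -> str:
    """Append the two MOD 97-10 check digits to an 18-character LEI prefix."""
    check = 98 - int(_lei_digits(prefix18) + "00") % 97
    return f"{prefix18.upper()}{check:02d}"


# Constructed sample register (illustrative columns, not the official template).
# Row 3 repeats row 1; row 4 carries a mistyped provider LEI (last digit changed).
PROVIDER_LEI = lei_with_check_digits("969500EXAMPLECLOUD")  # constructed prefix
SAMPLE_ROI_CSV = f"""entity_lei,provider_lei,contract_ref,function
5493001KJTIIGC8Y1R12,{PROVIDER_LEI},CTR-0001,core banking hosting
5493001KJTIIGC8Y1R12,{PROVIDER_LEI},CTR-0002,data analytics
5493001KJTIIGC8Y1R12,{PROVIDER_LEI},CTR-0001,core banking hosting
5493001KJTIIGC8Y1R12,5493001KJTIIGC8Y1R13,CTR-0003,payment gateway
"""


def check_register(csv_text: str) -> list:
    """Return findings: malformed LEIs and duplicate (entity, provider, contract) keys."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    for n, row in enumerate(rows, start=2):  # line 1 of the CSV is the header
        for col in ("entity_lei", "provider_lei"):
            if not lei_checksum_ok(row[col]):
                findings.append(f"line {n}: {col} {row[col]!r} fails LEI checksum")
    keys = Counter((r["entity_lei"], r["provider_lei"], r["contract_ref"]) for r in rows)
    for key, count in keys.items():
        if count > 1:
            findings.append(f"duplicate arrangement {key[2]} appears {count} times")
    return findings
```

Run `check_register(SAMPLE_ROI_CSV)` to see the two findings; the same checks apply unchanged to a real export once the column names are mapped to your template.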
How Vista Infosec Can Help
DORA compliance is technically demanding and time-sensitive, but it does not have to be navigated alone. Vista Infosec is a CREST-accredited global cybersecurity and compliance consulting firm with over 20 years of experience helping financial entities and ICT providers across the US, UK, Singapore, India, and the Middle East meet rigorous regulatory standards.
Our team can help you:
- Conduct a DORA gap assessment and build or validate your Register of Information ahead of national deadlines.
- Design and execute penetration testing aligned with TLPT methodology and audit expectations.
- Strengthen your ICT risk management framework and incident reporting processes.
- Map DORA requirements against your existing ISO 27001, SOC 2, or NIS2 controls to streamline compliance and reduce audit fatigue.
Do not wait for a TLPT notification to discover gaps in your resilience. Get assessed now and walk into your next regulatory audit with confidence.