
DORA ICT third-party testing: lessons from the first audit cycle

PentStark Compliance · March 19, 2026 · 9 min read

The Digital Operational Resilience Act (DORA) went live in January 2025, and the first full cycle of threat-led penetration testing (TLPT) under Articles 26 and 27 wrapped across Q1 2026 for the first wave of in-scope firms. We ran TLPT-aligned engagements for several of them. Here's what the first cycle actually taught us.

What TLPT under DORA asks for

Articles 26 and 27, read with the associated RTS, require:

  • In-scope entities (significant financial entities, certain CCPs, CSDs, major trading venues) must undergo TLPT at least every three years.
  • Testing must be threat-led — scenarios derived from threat intelligence specific to the entity.
  • Critical or important functions, and the ICT systems supporting them, must be in scope, including systems run by ICT third-party service providers.
  • Testers must meet independence and competence requirements (per the RTS).
  • Authorities are informed and the test is conducted under the TIBER-EU framework or an equivalent national framework.

In practice: it looks like a TIBER engagement. The paperwork is denser.

Five gaps the first cycle surfaced

1. Third-party scope is where engagements stall

The Act requires testing to cover critical functions, and critical functions almost always depend on third-party ICT providers. But the TLPT contract with the entity does not automatically cover the provider.

In practice: every engagement required a pre-kickoff phase whose only purpose was obtaining testing authorization from the entity's critical cloud, market-data, and payments providers. Authorization lead times ranged from 4 to 12 weeks.

Takeaway: if your DORA TLPT is due this calendar year, start the third-party authorization flow now, regardless of when testing starts.

2. The threat intelligence dossier is often thin

Threat-led means scenarios are derived from intel about the entity and its sector. Many entities arrived with a generic sector threat report and expected the testing team to "do the threat modeling".

The scenarios the authority finds credible are entity-specific. That means: a named adversary set, specific TTPs observed against the entity or its sector in the last 12 months, and a mapped link between those TTPs and the critical functions in scope.

The strongest dossiers came from entities that contracted a CTI provider for a dedicated TLPT threat assessment — separate from the red team. That separation matters for the independence criterion.

3. Crisis-communication drills were overlooked

DORA expects testing to exercise response and recovery, not just technical exploitation. The first-cycle reports that got the cleanest feedback included a tabletop or injected scenario that tested the entity's CIRT, communications team, and critical-function continuity.

Entities that skipped this often got asked for it afterwards.

4. Trusted-agent protocols under-scoped

In a TLPT, a small "trusted agents" group inside the entity knows a test is happening. Everyone else doesn't — that's the point.

First-cycle failures: trusted-agent lists that excluded the person whose team would escalate the first alert (usually the SOC lead's direct report). When the test triggered a detection, escalation went wide, the test was paused, and two weeks of the timeline were lost. Trusted-agent selection is a design decision: the list needs to include the earliest plausible escalation chain, not just the accountable executives.

5. Evidence for "independence and competence"

Authorities checked tester credentials carefully. Required evidence:

  • Company certification or accreditation (ISO 27001, ISO/IEC 17065, or a national-scheme equivalent).
  • Individual operator CVs for the team lead and named operators.
  • Conflict-of-interest statement.
  • The entity's sign-off on the tester selection.

One entity we worked with had a last-minute change of lead operator. The authority required a re-submission. Plan for the roster being locked earlier than you'd like.

What to have ready

If your firm is in-scope and TLPT-bound in the next 12 months:

  • Third-party authorization matrix. Every critical ICT provider. Authorization contact. Turnaround time. Expected scope.
  • Threat intelligence dossier. Entity-specific, separate provider from the red team, refreshed in the last 6 months.
  • Trusted-agent roster. Covers the earliest plausible escalation chain, not just execs.
  • Testing authority file. The red team's accreditations, operator CVs, COI statement.
  • Crisis-response integration plan. A tabletop or injected scenario is part of the test, not an add-on.

The bigger lesson

The first DORA cycle rewarded entities that treated TLPT as a regulatory engineering project, not a pentest procurement. The technical red team is the smallest part of it. The third-party authorization flow, the threat intel dossier, the trusted-agent design — those are the parts that decide whether you pass the file review, and they're the parts most entities under-scoped.

Budget accordingly. Start earlier. Document everything.
