Art 26 - Threat-led penetration testing (TLPT)

Article 26 of the EU Digital Operational Resilience Act requires financial entities to carry out threat-led penetration testing to evaluate the effectiveness of their security controls against realistic attack scenarios, detailing the methodology, frequency and reporting obligations. It is intended to improve cyber-resilience by identifying vulnerabilities before they can be exploited.