DORA-Art26-P1

Article: 26(1)
Pillar: Digital Operational Resilience Testing
Regulation Ref: Regulation (EU) 2022/2554, Article 26(1)
Last Reviewed: 2026-01-15

Financial entities identified in accordance with Article 6(1) of this Regulation shall carry out at least every 3 years advanced testing by means of threat-led penetration testing (TLPT).

Evidence Profiles

TLPT Scope and Planning Document

Document defining the scope, objectives, and planning for threat-led penetration testing (TLPT) as required by DORA Article 26, including threat intelligence phase, red team scope, and critical function coverage.

Formats: DOCX, PDF
Evidence Class: tlpt-scope-document
Availability: RARE
Update Frequency: every 3 years
Typical Author: CISO
Approval Chain: CISO → CRO → Board Risk Committee

TLPT Execution Report

Report documenting the execution and results of threat-led penetration testing, including attack scenarios executed, findings, impact assessment, and remediation requirements as required by DORA Articles 26-27.

Formats: PDF
Evidence Class: tlpt-execution-report
Availability: RARE
Update Frequency: every 3 years
Typical Author: External TLPT Provider
Approval Chain: CISO → CRO → Board Risk Committee → Competent Authority

TLPT Remediation Plan

XML-structured remediation plan addressing findings from threat-led penetration testing, including prioritised actions, responsible owners, timelines, and validation criteria.

Formats: XML
Evidence Class: tlpt-remediation-plan
Availability: RARE
Update Frequency: event-driven
Typical Author: CISO
Approval Chain: CISO → CRO

Fact Schemas

tlpt_execution_status

Schema ID: fs-tlpt-execution-status
Control: DORA-Art26-P1

Valid Ranges

tlpt_date: within last 3 years
next_tlpt_due_date: within 3 years of last TLPT

JSON Schema

{
  "properties": {
    "competent_authority_notified": {
      "type": "boolean"
    },
    "covers_critical_functions": {
      "type": "boolean"
    },
    "critical_findings": {
      "minimum": 0,
      "type": "integer"
    },
    "defence_detection_rate_percent": {
      "maximum": 100,
      "minimum": 0,
      "type": "number"
    },
    "findings_count": {
      "minimum": 0,
      "type": "integer"
    },
    "next_tlpt_due_date": {
      "format": "date",
      "type": "string"
    },
    "threat_intelligence_used": {
      "type": "boolean"
    },
    "tlpt_date": {
      "format": "date",
      "type": "string"
    },
    "tlpt_performed": {
      "type": "boolean"
    }
  },
  "required": [
    "tlpt_date",
    "tlpt_performed",
    "covers_critical_functions",
    "findings_count"
  ],
  "type": "object"
}

tlpt_findings

Schema ID: fs-tlpt-findings
Control: DORA-Art26-P1

Valid Ranges

remediation_completed_count: should equal remediation_actions_count for full remediation
target_completion_date: within 12 months of TLPT completion

JSON Schema

{
  "properties": {
    "critical_findings": {
      "minimum": 0,
      "type": "integer"
    },
    "high_findings": {
      "minimum": 0,
      "type": "integer"
    },
    "remediation_actions_count": {
      "minimum": 0,
      "type": "integer"
    },
    "remediation_completed_count": {
      "minimum": 0,
      "type": "integer"
    },
    "remediation_plan_exists": {
      "type": "boolean"
    },
    "target_completion_date": {
      "format": "date",
      "type": "string"
    },
    "tlpt_id": {
      "minLength": 1,
      "type": "string"
    },
    "total_findings": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "tlpt_id",
    "total_findings",
    "critical_findings",
    "remediation_plan_exists"
  ],
  "type": "object"
}