Finance — DORA TLPT operators
Continuous testing for DORA Art. 25, threat-led validation for DORA Art. 26 (TLPT), and ICT-incident classification mapped in the same appliance.
DORA (Regulation (EU) 2022/2554) entered application on 17 January 2025 across all EU financial entities. Article 25 mandates continuous testing of ICT systems supporting critical or important functions, with a risk-based approach updated annually. Article 26 and the RTS 2025 on TLPT require threat-led penetration testing for significant entities at least every 3 years using a documented methodology (TIBER-EU). The European Banking Authority and the Banca d'Italia have made it clear that "continuous" means continuous, not "more frequent than annual", and that the testing programme must incorporate the latest threat intelligence, not a fixed playbook.
What is on the DORA-regulated CISO's desk
DORA Art. 25 continuous testing
Daily or near-daily validation of critical ICT systems, risk-based, with incorporation of current threat intel. A quarterly third-party pentest does not satisfy this baseline.
DORA Art. 26 / TLPT RTS 2025
Threat-led pentest with TIBER-EU methodology, signed evidence, full chain-of-custody from the threat intelligence input to the final report.
ICT incident reporting (Art. 17-22)
Initial notification at 4h for major incidents, intermediate at 72h, final at 1 month. Same time pressure as NIS2 but with stricter materiality thresholds.
Third-party risk (Art. 28-30)
You inherit the regulator's scrutiny on every ICT third-party provider — including security tooling vendors. SaaS pentest providers are increasingly hard to justify in DORA-scoped procurement.
How Zero Hunt addresses DORA
TIBER-EU-aligned continuous TLPT engine
The 10-agent swarm runs threat-led campaigns informed by 21 live intel feeds (CISA KEV, ENISA, vendor advisories). The methodology is mappable to TIBER-EU phases (TI provision, red-team test, purple-team, closure). ECDSA signing at every phase produces a verifiable chain back to the threat intelligence input, exactly what the TLPT RTS 2025 evidence requirement asks for.
ICT incident classification auto-mapped to DORA Art. 17-22
Every detected incident is automatically classified against the DORA materiality criteria (clients affected, geographical spread, duration, criticality) and produces the 4h/72h/1-month notification timeline. Trust Center exports the auditor bundle in the exact format the EBA technical standards specify.
Wire-speed detection on the payments and trading boundary
AI traffic analysis on the appliance GPU catches the in-progress patterns: market-data exfiltration, payment-system C2, dwell-and-pivot attacks targeting clearing infrastructure. Real-time, not batch.
Capability emphasis for finance
- Continuous validation of critical ICT systems (Art. 25 baseline)
- TIBER-EU-aligned TLPT campaign workflow with signed evidence
- DORA materiality auto-classification on every detected event
- 4h / 72h / 1-month notification timeline as queryable workflow
- Third-party-risk story: 100% on-prem, no SaaS vendor in scope
Who buys this in finance
CISO sponsoring; Head of ICT Risk co-signing on DORA scope; Compliance / Internal Audit validating against the EBA technical standards; CFO authorising on the basis that the appliance replaces both the external TLPT contractor cost (typically €150-400k per engagement) and the dedicated continuous-testing tooling line item.
Want to see this against your environment?
A 30-minute technical demo runs Zero Hunt against a recorded slice of your stack, scoped to the regulatory regime you operate under.