Design a DORA Article 25/26-compliant ICT resilience testing programme across three tiers — basic vulnerability scans, advanced penetration testing, and threat-led TLPT/TIBER-EU. Generates a 3-year testing schedule and policy mandate export. Client-side. Zero PII.
TLPT / TIBER-EU3-Year ScheduleZero PIIClient-Side
🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
🏛️ Entity Profile
Determines TLPT obligation under DORA Article 26(1)
Used to assess proportionality thresholds
🖧 ICT Scope & Critical Functions
Select all in-scope ICT systems and critical or important functions (CIFs):
🔬 Testing History & Capabilities
DORA requires annual basic + 3-yr TLPT cycle for significant entities
0 = never conducted; TLPT mandatory for significant entities every 3 years
📋 Recommended Testing Programme
📅 3-Year Testing Schedule
Test Activity
Frequency
Scope
Article
Year 1
Year 2
Year 3
⚖️ Policy Mandates & DORA Requirements
🎯 TLPT / TIBER-EU Programme Steps
📚 DORA References
DORA Regulation (EU) 2022/2554, Article 26 — Testing of ICT systems, tools and processes.
DORA Article 25 — Testing of ICT tools and systems (basic testing requirements).
DORA Article 27 — Requirements for testers carrying out TLPT.
TIBER-EU Framework, ECB, May 2018 — Threat Intelligence-Based Ethical Red Teaming.
EBA/GL/2023/06 — Guidelines on ICT and security risk management (repealing EBA/GL/2019/04).
DORA RTS on TLPT (Commission Delegated Regulation 2024/1772), March 2024.