⚖️ Regulatory Compliance

Every Framework. One Platform.

The only EU-hosted penetration testing platform designed to produce evidence that regulators, auditors, and boards actually accept.

DORA — Digital Operational Resilience Act
Mandatory since Jan 2025

Article 25
ICT risk management
Continuous vulnerability scanning mapped to your ICT asset register. Risk scoring aligned to EBA guidelines.

Article 26
TLPT mandate
CREST-certified Threat-Led Penetration Testing built to TIBER-EU framework. Cryptographic proof of test included.

Article 30
Third-party ICT
Breachr registers as a DORA ICT third-party provider. Audit rights, SLA, incident notification, and exit strategy included.

Deliverables: DORA compliance evidence package · Signed audit trail · Regulator-ready PDF

DORA Article-by-Article Coverage

Article 24

General ICT Testing

Continuous vulnerability scanning mapped to your ICT asset register. 100% attack surface coverage vs manual testing's 15–20%. Automated cadence satisfies annual testing requirement.

✅ Fully covered

Article 25

Advanced Testing

LLM exploit chaining combines vulnerabilities into real attack paths. Threat intelligence from MITRE ATT&CK and FS-ISAC. CREST-certified human validation for all critical/high findings.

✅ Fully covered

Article 26

TLPT — Significant Entities

Full TIBER-EU framework. Independent CREST red team, threat intelligence provider, purple team exercises, BaFin notification support, management board reporting templates.

✅ Enterprise tier

Why EU Cloud Satisfies DORA

DORA does not mandate on-premise infrastructure — 77% of EU banks already operate on cloud. What DORA requires:

  • Data stays in EU — Supabase Frankfurt eu-central-1
  • DPA signed with all sub-processors (Supabase DPA)
  • Audit logs retained at infrastructure level (2 years)
  • SLA, audit rights and exit strategy in vendor contracts
  • Breachr registers as DORA ICT third-party provider

Competitive Compliance Gap

Feature | Breachr | Competitors
DORA Art. 26 TLPT
EU data residency
Cryptographic audit trail
LLM transparency
CREST certified ⚠️ partial
Freemium entry
On-premise deploy

Why Compliance Deadlines Matter Now

🇪🇺 DORA
Live since Jan 17, 2025
⚠️ First BaFin audits: Q2 2026
Up to €10M or 2% global revenue

🇪🇺 NIS2
Enforceable Oct 17, 2024
⚠️ First enforcement: Q3 2026
Up to €10M or 2% global revenue

🤖 EU AI Act
Regulation 2024/1689
⚠️ High-risk AI requires transparency
Pentesting AI = high-risk category

Meet Every Regulatory Deadline

DORA TLPT deadlines are 2027–2028. Start building your compliance evidence trail today.