⚖️ Regulatory Compliance

Every Framework. One Platform.

The only EU-hosted penetration testing platform designed to produce evidence that regulators, auditors, and boards actually accept.

PCI DSS — Payment Card Industry Data Security Standard
Applies to: any entity processing card payments
Req 11.4
Penetration Testing
Annual internal and external penetration tests across all CDE systems and connected networks. Breachr methodology follows PCI SSC guidance — NIST SP 800-115, OWASP, and CVE correlation built in.
Req 6.4
Application Security
All public-facing web applications assessed against OWASP Top 10. Automated continuous scanning satisfies the between-change vulnerability detection requirement without slowing your release cycle.
Req 12.3
Risk Analysis
Targeted risk analysis for every PCI DSS requirement using customised approach. Inherent and residual risk documented with cryptographic evidence signatures — ready for your QSA review without manual assembly.
Deliverables: PCI DSS Penetration Test Report · CDE Scope Validation · ASV Scan Evidence · QSA-ready evidence package

DORA Article-by-Article Coverage

Article 24

General ICT Testing

Continuous vulnerability scanning mapped to your ICT asset register. 100% attack surface coverage vs manual testing's 15–20%. Automated cadence satisfies annual testing requirement.

✅ Fully covered

Article 25

Advanced Testing

LLM exploit chaining combines vulnerabilities into real attack paths. Threat intelligence from MITRE ATT&CK and FS-ISAC. CREST-certified human validation for all critical/high findings.

✅ Fully covered

Article 26

TLPT — Significant Entities

Full TIBER-EU framework. Independent CREST red team, threat intelligence provider, purple team exercises, BaFin notification support, management board reporting templates.

✅ Enterprise tier

Why EU Cloud Satisfies DORA

DORA does not mandate on-premise infrastructure — 77% of EU banks already operate on cloud. What DORA requires:

  • Data stays in EU — Supabase Frankfurt eu-central-1
  • DPA signed with all sub-processors (Supabase DPA)
  • Audit logs retained at infrastructure level (2 years)
  • SLA, audit rights and exit strategy in vendor contracts
  • Breachr registers as DORA ICT third-party provider

Competitive Compliance Gap

Feature | Breachr | Competitors
DORA Art. 26 TLPT | |
EU data residency | |
Cryptographic audit trail | |
LLM transparency | |
CREST certified | ⚠️ partial |
Freemium entry | |
On-premise deploy | |

Why Compliance Deadlines Matter Now

💳 PCI DSS
v4.0 mandatory since Mar 2024
⚠️ Annual pen test required — Req 11.4
Up to $100K/month + card brand fines

🇪🇺 DORA
Live since Jan 17, 2025
⚠️ First BaFin audits: Q2 2026
Up to €10M or 2% global revenue

🇪🇺 NIS2
Enforceable Oct 17, 2024
⚠️ First enforcement: Q3 2026
Up to €10M or 2% global revenue

Meet Every Regulatory Deadline

PCI DSS pen tests are annual. DORA TLPT deadlines are 2027–2028. Start building your compliance evidence trail today.