DORA Article 26 · TIBER-EU Aligned

Threat-Led Penetration Testing for Crypto-Asset Service Providers

Under the Digital Operational Resilience Act (DORA), Crypto-Asset Service Providers (CASPs) face a new level of regulatory scrutiny. By 2026, significant CASPs operating within the EU must demonstrate a high degree of cyber resilience through mandatory Threat-Led Penetration Testing (TLPT).

Article 26 Requirements

DORA Article 26 specifically mandates that financial entities identified as 'significant' must conduct advanced TLPT every three years. For CASPs, this means simulating sophisticated, nation-state level cyber attacks against critical or important functions (CIFs), particularly hot and cold wallet infrastructure and exchange trading engines. The testing must be carried out by accredited external threat intelligence and red teaming providers.

TIBER-EU Framework Application

The Joint European Supervisory Authorities (ESAs) require that DORA's TLPT framework align closely with the TIBER-EU methodology. CASPs must execute a structured three-phase approach: a rigorous Preparation phase that defines the scope, a Threat Intelligence-led Execution phase conducted against live production systems, and a Closure phase that documents remediation roadmaps and supervisory reporting.

Exemptions & Significance Thresholds

Not all CASPs are subject to mandatory TLPT. Microenterprises are largely exempt from Article 26. The ESAs determine 'significant' status based on systemic footprint, trading volume, and the criticality of the crypto-assets managed. However, even non-significant CASPs are urged to adopt TLPT voluntarily to satisfy DORA's general Article 24 vulnerability assessment requirements.

Request a TLPT Consultation

Speak with a DORA specialist about your Article 26 obligations and get a scoped proposal.