Threat-led penetration testing (TLPT) – a new approach to testing digital resilience of financial entities in Poland in the perspective of requirements under the Digital Operational Resilience Act (DORA)

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act, DORA) launched a new model for testing the digital resilience of financial services operating in the Polish financial market into the EU and thus into the domestic legal framework. The primary purpose of this article is to discuss and evaluate the Threat-Led Penetration Testing (TLPT) model. TLPT tests can include both technical and sociotechnical components. The hypothesis of the article is that TLPT testing will have a positive impact on enhancing the digital resilience of financial stakeholders because these tests are designed to simulate real-world cyber attacks, enabling organisations to understand their resilience to threats and initiate relevant countermeasures. The results obtained from the analysis confirm the validity of the proposed research hypothesis. This follows from the fact that the main premise of TLPT testing is to replicate realworld attack scenarios as accurately as possible, thereby enabling a more reliable and detailed assessment of organisation’s security level. The authors emphasise that such an approach allows not only for the verification of the effectiveness of information system safeguards, but also for the evaluation of the resilience of operational processes and the level of employee awareness regarding cyber threats.