- Confirmed whether your entity has been formally designated by your NCA for mandatory TLPT
- Completed inventory of all critical and important functions per DORA Article 2 and your Register of Information
- Mapped all ICT systems supporting critical functions — internal and outsourced, including CTPP-hosted infrastructure
- Formal TLPT scope document prepared and submitted to the competent authority for Phase 1 validation
- Senior management and board accountability for TLPT formally assigned and documented
- TLPT programme integrated into the annual ICT risk and resilience testing plan
- Third-party contract audit rights verified — can your red team legally test CTPP-hosted infrastructure?
What Is Threat-Led Penetration Testing?
Threat-Led Penetration Testing (TLPT) is the most advanced form of cybersecurity testing mandated by DORA Articles 26–27. Unlike standard penetration tests, TLPT is guided by real, current threat intelligence specific to your institution and its sector — not generic attack scenarios.
TLPT simulates the tactics, techniques, and procedures (TTPs) of the most sophisticated threat actors that could realistically target your institution: nation-state-sponsored groups, organised financial cybercriminals, and insider-threat scenarios. Crucially, tests are conducted on live production systems — not isolated test environments — making findings operationally real.
Under DORA Article 26, financial institutions that meet the significance threshold must conduct TLPT at least every three years, covering all critical or important functions and their supporting ICT systems, including outsourced infrastructure hosted by third parties.
TLPT serves two purposes simultaneously: (1) identifying exploitable vulnerabilities that simpler testing methods miss; and (2) measuring the organisation's actual detection, response and recovery capability against a real adversarial attack — not theoretical performance against a test-environment threat.
TLPT vs Standard Pentest — Key Differences
- Intelligence-led: driven by real Targeted Threat Intelligence (TTI), not generic scenarios
- Live production: tests on live systems — real exposure, real consequences
- External mandatory: accredited Red Team and TI providers required by law — internal teams cannot fulfil these roles
- Regulator involved: competent authority present at every phase, from scoping through attestation
- Formal attestation: written attestation from supervisor required to complete the cycle
- Remediation tracked: authority verifies remediation progress at next supervisory interaction
Not optional for designated entities: TLPT is not a best-practice recommendation. It is a legally binding obligation under DORA Article 26. Failure to conduct TLPT by the January 2028 deadline exposes the institution to enforcement action and potential fines under Article 50.
Who Must Conduct TLPT: Designation Criteria
TLPT is not required of all DORA-in-scope entities. DORA Article 26(8) and the TLPT RTS define significance criteria that national competent authorities (NCAs) use to identify entities that must conduct TLPT. Designation is formal: entities receive written notification from their NCA and the obligation begins from that date.
Size Threshold
For banks, the ECB/SSM threshold is the primary indicator: supervised entities with total assets typically above €30 billion fall within the designation scope. For other sectors, comparable systemic size thresholds apply, defined in sector-specific RTS interpretations by EBA, ESMA, and EIOPA.
Systemic Importance
Entities classified as global or domestic systemically important financial institutions (G-SIIs, O-SIIs) are primary TLPT candidates, regardless of size alone. Market infrastructure operators (CCPs, CSDs, trading venues) are typically designated given their systemic role in settlement and clearing.
Cross-Border Relevance
Entities whose disruption would have cross-border impact across multiple EU member states are subject to closer scrutiny. For these entities, the TLPT attestation may be recognised by multiple national supervisors, enabling a single TLPT exercise to satisfy obligations across jurisdictions.
Risk-Based Designation
Beyond size, NCAs may designate entities based on SREP results (particularly ICT risk scores), prior incident history, or assessment of the entity's potential impact on financial stability. An entity below standard size thresholds can be designated if its risk profile warrants it.
Am I Designated?
If you have not received formal written notification from your NCA, you are not currently required to conduct TLPT. However, this can change: NCA designation lists are updated periodically. Entities close to thresholds should monitor their SREP correspondence and proactively assess their likelihood of future designation.
Voluntary Participation
Entities not required to conduct TLPT may voluntarily do so — and many do, as TLPT remains the gold standard for advanced resilience testing. Voluntary TLPT under the same DORA framework is a recognised good-practice signal to supervisors, rating agencies, and institutional investors.
Industry estimates: Across the EU financial sector, approximately 100–120 significant banks, 40–60 insurance groups, 30+ market infrastructure operators, and 20+ major payment service providers are expected to be designated for mandatory TLPT in the first cycle (2025–2028).
TLPT Scope and 5-Phase Methodology
What Must Be In Scope
Mandatory in scope:
- All ICT systems supporting critical or important functions as defined in your Register of Information
- ICT services provided by critical third parties (CTPPs) where those services support in-scope functions — including cloud-hosted infrastructure
- Both internal and outsourced infrastructure, regardless of hosting location
- Customer-facing digital channels where material to critical functions
- Payment infrastructure and core banking, insurance, or trading platforms
May be excluded (with justified documentation):
- Non-critical back-office systems with no material impact on critical functions
- Legacy systems under active decommissioning (authority approval required)
- Systems outside the EU regulatory perimeter (subject to NCA agreement)
Pooled TLPT (Article 26(5)): Entities sharing the same critical third-party ICT provider may conduct joint TLPT exercises, splitting costs proportionately. Requires agreement from all participating entities and their respective supervisors. Ideal for CTPP-hosted core infrastructure.
The 3 Core Roles
TI
Threat Intelligence (TI) Provider
Independent provider that produces the Targeted Threat Intelligence (TTI) report. Must be separate from the Red Team provider. Profiles the most relevant threat actors and their TTPs for your institution's specific risk profile, sector, and geopolitical exposure.
RT
Red Team (RT) Provider
External, TIBER-EU-accredited security firm that executes the covert attack simulation against live production systems. Must be legally and operationally independent from the institution and the TI provider. Uses the TTI report to design realistic, tailored attack scenarios.
WT
White Team (Internal)
A small, strictly compartmentalised internal group (CISO, legal, senior IT risk) who are aware TLPT is underway while the rest of the organisation — including the SOC — remains unaware. Manages rules of engagement, legal authorisations, abort criteria, and liaison with the competent authority.
The 5-Phase TIBER-EU Methodology
DORA TLPT follows the TIBER-EU methodology, now legally binding for designated entities. Each phase has defined deliverables and requires specific interactions with the competent authority.
1
Preparation & Scoping
Define test scope and critical functions, engage competent authority, initiate provider procurement. Scope document submitted to NCA for validation. Duration: 4–8 weeks.
2
Threat Intelligence
TI provider produces the Targeted Threat Intelligence (TTI) report: adversary profiles, most likely TTPs, specific attack vectors for your institution's risk profile. Duration: 6–10 weeks.
3
Red Team Test
Covert attack simulation on live production systems. Blue team (SOC) is unaware. Attack scenarios derived from the TTI report. Abort/pause criteria active throughout. Duration: 8–12 weeks.
4
Closure & Purple Team
Red team reveals all attack paths. Joint RT + blue team (purple team) exercise: confirm exploitability, analyse detection gaps, document every weakness found and missed. Duration: 3–4 weeks.
5
Report & Attestation
TLPT report submitted to competent authority. Remediation plan drafted and formally agreed. Authority conducts attestation review and issues written attestation under Article 26(7). Duration: 4–8 weeks.
Selecting and Qualifying Your TLPT Providers
Provider qualification is one of the most consequential — and most often underestimated — aspects of TLPT preparation. Both your TI and RT providers must meet specific independence and competency requirements defined in the TLPT RTS. An NCA may reject a TLPT exercise if it finds providers did not meet requirements, forcing the entire cycle to restart.
Threat Intelligence Provider Requirements
The TI provider must demonstrate:
TI Provider Qualification Criteria
- Proven capability in financial-sector threat intelligence — not generic cyber threat feeds
- Access to primary intelligence sources (closed forums, C2 infrastructure analysis, dark web monitoring)
- Demonstrable experience profiling threat actors relevant to the EU financial sector (e.g. Lazarus Group, Carbanak, state-linked APTs)
- Complete independence from the Red Team provider and from the institution
- Capacity to produce the TTI report in the format required by the TIBER-EU TTI report template
- Contractual confidentiality covering TTI report contents (which describe live attack vectors)
Red Team Provider Requirements
The RT provider must demonstrate:
RT Provider Qualification Criteria
- TIBER-EU accreditation or equivalent NCA-recognised certification (accreditation lists maintained by DNB, BaFin, ACPR, Banca d'Italia, and other NCAs)
- Proven red team experience in financial services environments — not just general enterprise IT
- Capability to execute the full kill chain against live production: reconnaissance, initial access, lateral movement, exfiltration simulation
- Adequate professional indemnity insurance to cover potential production system impacts
- No prior relationship with the institution that would reduce operational realism
- Contractual obligation to follow Rules of Engagement and abort/pause protocols
Provider scarcity is real: The number of TIBER-EU-accredited red team providers in the EU is limited — estimates suggest fewer than 30–40 firms meet full qualification requirements across all member states. With 200+ designated entities all requiring TLPT within the first cycle, qualified providers are already booking 12–18 months in advance. Institutions that delay provider procurement risk being unable to complete TLPT before the January 2028 deadline.
NCA provider lists: Several NCAs maintain public or semi-public lists of TIBER-EU-approved TI and RT providers. The Dutch National Bank (DNB) and Deutsche Bundesbank/BaFin have published approved provider frameworks. Contact your NCA directly for the current approved list in your jurisdiction, or check ESA guidance documents for cross-border recognition arrangements.
TLPT Frequency and Planning Timeline
Mandatory Frequency
Designated entities must complete TLPT at least every 3 years. Your competent authority may require more frequent testing based on:
- A significant ICT incident affecting critical functions during the prior period
- Material changes to critical ICT infrastructure (major cloud migration, core system replacement)
- Prior TLPT findings that were not adequately remediated within agreed timelines
- Risk-based supervisory assessment indicating elevated threat exposure
TIBER-EU credit under DORA Article 26(5): A TIBER-EU test completed under the updated 2024+ framework before DORA entered into force counts as the first TLPT cycle. The 3-year clock starts from that test's completion date — not from January 2025.
Key Planning Milestones
| Milestone | Timing |
|---|---|
| Designation notification from supervisor | H1 2025 for large banks |
| Begin TI + RT provider procurement | 12–18 months before test |
| Scope agreement with competent authority | 8–10 months before test |
| Threat Intelligence (TI) phase | 6–10 weeks |
| Red Team (RT) test execution | 8–12 weeks |
| Purple team + closure | 3–4 weeks |
| Final report + attestation | 4–8 weeks |
| First mandatory TLPT deadline | 17 January 2028 |
Critical deadline — plan now: A full TLPT cycle from provider procurement to attestation takes 9–14 months. Entities targeting completion by January 2028 should begin provider procurement no later than Q1 2027 — and ideally in 2025 or 2026 to avoid provider scarcity. Institutions that have received their designation notification and have not yet begun planning are already behind schedule.
TLPT Reporting and Supervisory Attestation
TLPT Report Structure
The final TLPT report submitted to the competent authority must contain all of the following, per the TLPT RTS report template:
- Executive summary: scope, objectives, overall assessment and key findings
- TTI summary: threat actors profiled and attack scenarios selected
- Attack narrative: chronological account of the red team operation, including reconnaissance, access methods, and lateral movement paths
- Findings catalogue: each vulnerability with severity rating (CVSS or authority-specified equivalent)
- Detection analysis: what the blue team detected, when, and what was missed — including analysis of detection gaps
- Remediation plan: each finding mapped to an owner, priority level, and target remediation date
What the Authority Reviews for Attestation
The competent authority's attestation under Article 26(7) is substantive — not rubber-stamped. Before issuing attestation, authorities typically verify:
- Scope completeness: all critical functions covered; exclusions documented and justified
- Provider independence: TI and RT providers met qualification requirements
- Methodology compliance: test followed TLPT RTS framework; TTI report quality meets standards
- Findings completeness: all vulnerabilities documented with appropriate severity ratings
- Remediation plan credibility: each finding has an owner, priority, and realistic timeline
Conditional attestation: The authority may issue attestation subject to remediation of specific critical findings within a defined timeframe. Failure to meet those remediation commitments will be reviewed at the next SREP interaction.
Sharing and Confidentiality
- Reports shared only with the competent authority — not published or shared with third parties
- Pooled TLPT results may be shared proportionately with participating entities
- Cross-border results recognised by other EU supervisors under Article 26(5)
- Aggregated, anonymised findings may inform sector-wide ESA guidance publications
TLPT Cost and Budget Planning
TLPT is a material investment. Budget planning should begin at least 18 months before the test to secure provider capacity and obtain board-level budget approval. The following ranges reflect market pricing as of 2025-2026, based on industry surveys and TIBER-EU programme data.
€50–150K
Threat Intelligence (TTI) report — varies by depth of adversary profiling and scope of functions covered
€120–320K
Red Team execution — driven by scope breadth, test duration (8–12 weeks), and complexity of live production environment
€30–80K
White Team coordination, legal review, rules of engagement drafting, regulatory liaison
Variable
Remediation — cost depends on findings severity; critical findings can require €50K–€500K+ in infrastructure or process changes
€200–620K
Total typical cycle cost (ex. remediation) for a mid-to-large financial institution in the EU
Cost Reduction: Pooled TLPT
For institutions sharing critical ICT infrastructure with peer institutions — particularly cloud-hosted core systems — pooled TLPT under Article 26(5) can significantly reduce per-entity costs. In a pooled exercise, the total TLPT cost is divided proportionately among participating institutions. For three institutions sharing a CTPP-hosted core system, individual costs can fall to 40–50% of a standalone exercise. The coordination overhead is real (multiple White Teams, multi-authority sign-off) but the cost saving typically justifies it for infrastructure-sharing groups.
Budgeting for the Full 3-Year Cycle
Boards should understand that TLPT cost does not end with attestation. Remediation of findings — particularly critical and high-severity items — can substantially exceed the test cost itself. A TLPT revealing fundamental weaknesses in network segmentation or privileged access controls may require a multi-year remediation programme with dedicated budget. Best practice is to present the board with a total-cost-of-resilience-testing view: TLPT procurement + remediation investment + increased monitoring during the test period, amortised over the 3-year cycle.
Additionally, budget for the next cycle begins accumulating before the current one ends: provider procurement for cycle 2 starts 12–18 months after attestation is received for cycle 1.
TLPT vs All Other DORA Testing Requirements
DORA mandates a full programme of digital resilience testing under Article 25 (all entities) and Article 26 (designated entities). TLPT is the apex — it does not replace the mandatory annual baseline testing that all entities must conduct.
| Test Type | DORA Article | Who Must Do It | Frequency | Scope | Regulator Involvement |
|---|---|---|---|---|---|
| TLPT | Art. 26–27 | Significant entities designated by NCA | Every 3 years minimum | All critical/important functions, live production | High — attestation required |
| Vulnerability Assessments | Art. 25(1)(a) | All financial entities | Annual; after major changes | ICT systems supporting critical functions | Low — results kept internally |
| Network Security Assessments | Art. 25(1)(b) | All financial entities | Annual minimum | Network perimeter and segmentation | Low — internal |
| Gap Analysis / ICT Risk Review | Art. 25(1)(c) | All financial entities | Annual (linked to risk cycle) | ICT risk framework vs. DORA requirements | Low — feeds ICT risk report |
| Scenario-Based Testing | Art. 25(1)(d) | All financial entities | Regular — risk-based cadence | Critical function continuity, cyber scenarios | Medium — may be reviewed |
| Source Code Reviews | Art. 25(1)(e) | Entities with significant in-house dev | Before major releases; periodically | Internally developed ICT applications | None — internal audit |
| Open-Source Intelligence | Art. 25(1)(f) | All financial entities | Continuous / periodic | Digital footprint, exposed assets | None — feeds risk assessment |
Not sure where your testing programme stands across all 7 types? The Gap Analysis covers your full DORA testing obligations.
Run Free Gap Analysis5 Fatal Errors That Derail TLPT Programmes
Based on TIBER-EU exercise experience and DORA supervisory feedback, these are the five errors that most frequently invalidate TLPT results, delay attestation, or force costly re-runs.
1
Tipping Off the Blue Team
The most common and most damaging error. TLPT's core value is measuring actual detection capability — how quickly your SOC identifies a sophisticated attacker operating in your environment. If any member of the blue team (SOC analysts, monitoring personnel, incident responders) is aware that TLPT is underway, detection metrics become meaningless. Even well-intentioned informal briefings ("stay alert this month") contaminate results. The White Team must be strictly limited to the absolute minimum needed for legal and operational management — typically three to five people. Any breach should be documented and reported to the competent authority immediately, as it may require scope adjustment or partial replay.
2
Starting Provider Procurement Too Late
Given that a full TLPT cycle takes 9–14 months from provider selection to attestation, and that the January 2028 deadline is non-negotiable, institutions must begin procurement no later than Q1 2027. In practice, with 200+ designated entities competing for fewer than 40 qualified red team providers, starting in 2025-2026 is strongly advisable. Late procurement forces institutions to choose from whatever provider capacity remains — typically smaller, less experienced firms. The competent authority may reject a TLPT conducted by a provider that does not meet qualification requirements, forcing a restart. TLPT programme planning should be on the CISO's agenda now, not in 2026.
3
Generic Threat Intelligence with No Institution-Specific Profiling
The Targeted Threat Intelligence report must be genuinely targeted — specific to your institution's business model, market position, geographic exposure, and technology stack. A generic "EU financial sector threat landscape" report does not satisfy TLPT requirements and will not produce meaningful attack scenarios for the red team. Common symptoms of poor TTI: attack scenarios that apply equally to any bank; adversary profiles with no institution-specific indicators; no analysis of your specific third-party dependencies, supply chain, or publicly exposed assets. Competent authorities reviewing TLPT reports have flagged generic TTI as a basis for conditional or withheld attestation.
4
Inadequate Scope Definition
Deliberately or inadvertently excluding critical systems from TLPT scope is the fastest path to conditional attestation or enforcement action. Common scope failures include: excluding critical-function systems hosted by third parties because "the provider won't allow it" (DORA requires contractual testing rights — negotiate these in advance); excluding legacy systems without documented justification; defining "critical functions" too narrowly to avoid testing complexity; and scoping out recently acquired business lines. The competent authority's scope validation in Phase 1 is specifically designed to catch these failures before the test begins — but institutions that present artificially narrow scope proposals may receive them back with expansion requirements that delay the entire programme.
5
Weak Remediation Governance After Attestation
Attestation is not the end of the TLPT cycle — it is the beginning of the remediation phase. Institutions that treat TLPT as a box-ticking exercise complete once attestation is received, without building genuine remediation governance, face predictable consequences: critical findings are still open at the next SREP interaction; supervisors ask for evidence of remediation progress that does not exist; and the institutional learning from the test — the real resilience value — evaporates. Best practice requires: each finding assigned a named owner with board-level accountability; quarterly remediation progress reports to the risk committee and board; a formal closure process for each finding with evidence of verification; and integration of lessons learned into the next testing cycle plan, the ICT risk management framework, and operational monitoring rules.
TLPT Implementation Checklist
Use this checklist to assess your readiness for TLPT — whether you are preparing for your first cycle or reviewing your posture before the next one.
- Threat Intelligence (TI) provider selected — TIBER-EU accredited or NCA-recognised equivalent
- Red Team (RT) provider selected — independent from TI provider and from your institution, TIBER accredited
- Both providers verified against your NCA's approved provider list (where published)
- TI and RT contracts reviewed for DORA Article 26 requirements (independence, confidentiality, deliverables, RoE obligations)
- Professional indemnity insurance coverage confirmed for both providers (adequate to cover production system risk)
- Rules of Engagement (RoE) document drafted and signed by all parties — including abort/pause criteria
- White Team members identified and briefed — strictly limited to minimum required (3–5 people)
- Targeted Threat Intelligence (TTI) report received, reviewed, and validated as institution-specific (not generic)
- Test scenarios derived from TTI report and formally approved by competent authority before RT phase begins
- Red team access and authorisations formally documented — no "friendly fire" risk with SOC or incident responders
- Crisis management and legal counsel briefed on test timeline under White Team compartmentalisation protocol
- Abort/pause criteria defined and communicated to White Team (critical zero-day, production instability, real incident overlap)
- SOC/blue team detection logging captured in full during test period for purple team analysis — do not alter monitoring rules
- Purple team exercise conducted — all attack paths walked through jointly by RT and blue team, detection gaps documented
- Final TLPT report drafted: findings catalogued, severity rated, detection gaps analysed per TLPT RTS report template
- Remediation plan prepared: each finding has a named owner, priority level (Critical/High/Medium/Low), and target date
- TLPT report submitted to competent authority in required format
- Formal attestation received from competent authority under Article 26(7)
- Remediation governance established: quarterly board reporting, named accountable owners for each finding
- Lessons learned integrated into ICT risk management framework, monitoring rules, and next testing cycle plan
Check your TLPT readiness score across all 5 phases with our free interactive tool — includes a maturity rating.
TLPT Readiness CheckerTLPT Frequently Asked Questions
Key questions about TLPT in practice. For broader DORA compliance questions, see our full DORA FAQ.
Is TLPT the same as a standard penetration test?
No — TLPT is fundamentally different in four ways: (1) Intelligence-led — driven by real Targeted Threat Intelligence specific to your institution, not generic attack scenarios; (2) Live production scope — tests conducted on live systems, not test environments; (3) External mandatory — DORA requires accredited external Red Team and TI providers; internal teams cannot fulfil these roles; (4) Regulatory oversight — your competent authority is formally involved at every phase and issues a binding attestation. A standard penetration test has none of these characteristics and does not substitute for TLPT.
How does my institution know if it must conduct TLPT?
Your national competent authority (NCA) formally designates entities for TLPT and sends written notification. If you have not received this notification, you are not currently required. Key designation triggers include total assets above approximately €30 billion (for banks under SSM supervision), systemic importance classification (G-SII/O-SII), cross-border relevance, or SREP results indicating material ICT risk. Entities close to these thresholds should monitor their supervisory correspondence and can contact their NCA proactively. The designation list is updated periodically — being below-threshold today does not guarantee continued exemption.
Can we use an internal red team for TLPT?
No. DORA Article 26(2) explicitly requires the Red Team provider to be an external party, independent of the financial entity. This independence requirement prevents conflicts of interest and ensures the red team has no prior internal knowledge. The Threat Intelligence provider must also be independent from both the entity and the Red Team. However, internal security staff serve a critical supporting role as the "White Team" — coordinating test logistics, managing rules of engagement, and liaising with the competent authority. The Blue Team (SOC, defenders) must remain unaware that TLPT is underway until the purple team phase.
What is the "white team" and why does it matter?
The White Team is a small, strictly compartmentalised internal group (typically CISO, legal counsel, senior IT risk officer, crisis management representative — maximum 3–5 people) who are aware TLPT is underway while the rest of the organisation remains unaware. The White Team manages rules of engagement and legal authorisations, defines abort/pause criteria, serves as the single point of contact with the competent authority during the test, and ensures the red team has necessary access without triggering real incident responses. Keeping the White Team minimal and compartmentalised is critical — any leak to the Blue Team invalidates detection measurement and may require scope adjustment or partial test replay.
What happens if the red team finds a critical zero-day during a live test?
The Rules of Engagement document (agreed before testing begins) defines abort and pause criteria, including discovery of critical zero-day vulnerabilities posing immediate risk to live operations or customer data. If the red team discovers such a vulnerability, the White Team can invoke an emergency pause: the vulnerability is immediately disclosed to the CISO, remediation begins, and the test resumes once the critical risk is mitigated. The TLPT RTS also requires contingency procedures for scenarios where red team activity inadvertently causes system instability. All such events must be documented and included in the final TLPT report submitted to the competent authority — they do not invalidate the TLPT, but they must be transparently disclosed.
How is a previous TIBER-EU test counted under DORA?
DORA Article 26(5) explicitly states that a TIBER-EU test completed under the updated 2024+ framework before DORA's application date (17 January 2025) counts as the first TLPT cycle. The 3-year mandatory clock starts from that test's completion date. This means an institution that completed a TIBER-EU 2024 test in, say, October 2024 would not need to complete its first DORA TLPT until approximately October 2027 — well within the January 2028 deadline. Institutions that can credibly claim TIBER-EU credit should document this clearly in their regulatory correspondence with their NCA to avoid an unnecessary early-cycle TLPT obligation.
Does TLPT need to cover third-party ICT providers?
Yes — where third-party ICT providers host or operate systems supporting critical or important functions, those systems must be within TLPT scope. This includes CTPP-hosted cloud infrastructure supporting core banking, payment processing, or insurance platforms. The financial entity must have contractual audit and testing rights in place (required under DORA Article 30) enabling the red team to test third-party-hosted systems. CTPPs are expected to cooperate with TLPT exercises. For pooled TLPT under Article 26(5), multiple institutions sharing the same third-party infrastructure can conduct a joint exercise, dividing costs proportionately while satisfying all their individual TLPT obligations.
What does the competent authority verify before issuing attestation?
The attestation under Article 26(7) is substantive. Authorities verify: (1) scope compliance — all critical functions covered, exclusions justified; (2) provider independence and qualifications — TI and RT providers met requirements; (3) methodology compliance — test followed TLPT RTS framework, TTI report quality met standards; (4) findings completeness — all vulnerabilities documented with appropriate severity ratings; (5) remediation plan adequacy — each finding has an owner, priority level, and realistic timeline. Attestation may be conditional on critical finding remediation within a defined timeframe. Authorities who find significant methodology gaps may withhold attestation pending corrective measures — which may require supplementary testing.
Can a TLPT finding result in a DORA fine?
Finding vulnerabilities in TLPT does not itself trigger fines — TLPT is designed to find and fix weaknesses. What can trigger enforcement: (1) failure to conduct TLPT when designated; (2) missing the January 2028 deadline; (3) materially inadequate scope; (4) failure to remediate critical findings within the timeframe agreed with the competent authority; (5) TLPT findings that reveal systematic ICT governance failures under DORA Articles 5–16. In the last scenario, the TLPT findings serve as evidence of broader compliance failures that existed before the test — the test itself is not the violation, but it is the evidence that supports enforcement.
How should TLPT findings be prioritised for remediation?
Best practice — consistent with supervisory expectations — prioritises by a combination of exploitability (how easily a real attacker could use this finding), impact on critical functions (does exploitation affect payment processing, core banking, or customer data?), and detectability (would your current monitoring catch an exploitation attempt?). Critical findings — high exploitability, high impact, low detectability — should be remediated within 30–90 days. High findings within 90–180 days. Medium and low findings within the next cycle planning window. All remediation progress should be reported to the board quarterly and to the competent authority at the next SREP interaction. Failing to achieve remediation timelines agreed with the authority is itself a compliance risk.
Ready to Assess Your TLPT Posture?
Use our free TLPT Readiness Checker, download the full RTS TLPT guide, or get expert guidance on your DORA testing programme.
TLPT Readiness Checker Download TLPT Guide Expert Guidance