
DORA Art. 26 · TIBER-DE · RTS 2025/1190

Threat-Led Penetration Testing - DORA TLPT under TIBER-DE

DORA Art. 26 obliges significant financial institutions to conduct Threat-Led Penetration Tests against live production systems. The DORA-TLPT-RTS (EU 2025/1190, in force from 8 July 2025) specifies requirements for RTT providers, TI providers and the three-phase process. AWARE7 conducts these regulatory-recognised engagements as a qualified RTT provider under TIBER-DE - with transparent methodology and a binding fixed-price quote.

  • 17 RTS articles - Regulation EU 2025/1190
  • 12+ weeks testing - minimum (RTS)
  • 5 years experience - required for RT test leader
  • 10 weeks purple team - deadline from test end
  • TLPT cycle - at least every 3 years
  • 500+ pentests - AWARE7 references

DORA Art. 26 and the TLPT-RTS 2025/1190

EU Regulation (EU) 2022/2554 (DORA) has been directly applicable since 17 January 2025. The Commission Delegated Regulation (EU) 2025/1190 - the DORA-TLPT-RTS - specifies Art. 26 with 17 articles and 8 annexes. It entered into force on 8 July 2025.

  • TLPT obligation (Art. 26 DORA): Significant financial institutions are required by BaFin / Deutsche Bundesbank to conduct Threat-Led Penetration Tests - at least every three years. The authority may shorten this cycle.
  • Live production systems (no staging): TLPT is directed exclusively against live production systems that host critical functions (CIF) of the institution. Test environments and staging systems do not fulfil the regulatory requirement.
  • RTT and TI providers: qualification obligation (RTS Art. 5): The Red Team Test Leader must demonstrate at least 5 years of proven experience in penetration testing/red teaming and 5 documented reference engagements. Team size: at least 3 persons each with ≥ 2 years of experience. Recognised certifications: OSCP+, CREST CCRTS, GIAC GCIH, CompTIA PenTest+.
  • Provider independence (Art. 26(9) DORA): The RTT provider and TI provider must be fully independent of each other and may not have any economic connection to the entity being tested. Group membership precludes engagement.
  • Involving third-party providers (Art. 26(8) DORA): If critical ICT functions are outsourced to external providers (e.g. cloud providers, core banking SaaS), these must be included in the TLPT scope definition. The financial institution remains responsible for the overall process.
  • Regulatory oversight and closure report: Scope, methodology and results are coordinated with the authority. After completion of the closure phase, a closure report must be submitted containing purple team findings, remediation plan and MITRE ATT&CK documentation.

RTS 2025/1190: Commission Delegated Regulation (EU) 2025/1190 was published in the EU Official Journal on 13 February 2025 and has been in force since 8 July 2025. It supersedes the previous TIBER-EU guidelines as the binding legal basis. TIBER-DE was fully aligned with it in February 2025.

Deadlines and milestones after authority notification

After official notification by BaFin or Deutsche Bundesbank, binding deadlines begin. Typical total duration: 5-7 months.

  1. Day 0 - Authority notification: BaFin or Deutsche Bundesbank (TCT) identifies the institution and initiates the TLPT process. The institution selects the RTT provider (AWARE7) and TI provider.
  2. 3 months - Nominate control team: The white team (control team) must be reported to the authority. It typically consists of CISO, board/management and legal/compliance. Kick-off RTT provider: Generic Threat Landscape (GTL) commences.
  3. 6 months - Generic Scope Document (GSD) submitted: Scope for Scoping Document (SSD) / Generic Scope Document with defined critical functions (CIF) is agreed with the authority and submitted. TI provider begins threat intelligence collection.
  4. Active phase - Red Team Test, minimum 12 weeks: TI provider delivers the Targeted Threat Intelligence Report (TTI). AWARE7 red team commences attack simulation against live production systems. MITRE ATT&CK documentation of all techniques, tactics and artefacts.
  5. +10 weeks - Purple team exercises completed: Mandatory deadline: within 10 weeks after end of active test phase, purple team exercises must be conducted and documented. Red team and SOC jointly work through attack chains and detection improvements.
  6. Closure - Closure report submitted to authority: Closure report with findings, remediation plan, purple team results and MITRE ATT&CK mapping is submitted to BaFin / Deutsche Bundesbank (TCT). Lessons-learned session with board and CISO.

DORA TLPT vs. conventional penetration test

TLPT is not an extension of a pentest - it is a fundamentally different testing methodology.

| Characteristic | DORA TLPT | Conventional pentest |
| --- | --- | --- |
| Basis | Real threat intelligence (TTI report) | Standard methodology (OWASP, PTES) |
| Systems | Live production (mandatory under RTS) | Staging / production - selectable |
| Blue team | Uninformed (realistic condition) | Often informed |
| Scope | Critical functions (CIF) | Freely definable |
| Regulation | Authority approves, closure report to BaFin | No regulatory framework |
| Duration | 5-7 months (min. test phase 12 weeks) | 3-10 days |
| TI provider | Mandatory (independent, RTS Art. 5) | Not required |
| Purple team | Mandatory within 10 weeks after test end | Optional |
| Recognised for | DORA Art. 26 evidence (regulatory) | ISMS audit, ISO 27001, NIS-2 |
| Cost | €140,000-560,000 (market average) | €5,000-50,000 |

The TIBER-DE process in three phases

TIBER-DE prescribes a three-part process. AWARE7 fulfils the RTT role (Red Team Test provider).

  1. Preparation Phase (4-6 weeks)
    • Scope definition jointly with white team and supervisory authority (BaFin / Deutsche Bundesbank TCT)
    • CIF assessment: 4-dimensional analysis of critical functions
    • Engagement of the independent TI provider (mandatory under RTS Art. 5)
    • RTT kick-off: Generic Threat Landscape (GTL) by AWARE7
    • Sign Rules of Engagement (RoE), create Generic Scope Document (GSD)
  2. Testing Phase (≥ 12 weeks, RTS mandatory)
    • TI provider delivers Targeted Threat Intelligence Report (TTI) based on dark web sources, OSINT and sector intelligence
    • AWARE7 red team plans campaign based on the TTI - institution-specific, no generic attacks
    • Active attack simulation against live production systems (critical functions)
    • MITRE ATT&CK documentation of all techniques, tactics, procedures (TTPs) with timestamps
    • Ongoing briefing of white team (blue team / SOC remains uninformed)
  3. Closure Phase (4-6 weeks)
    • Purple team exercises (mandatory within 10 weeks after end of active phase): replaying attack chains jointly with SOC/blue team
    • Remediation planning and prioritised recommendations for action
    • Preparation of closure report in accordance with TIBER-DE / RTS 2025/1190 requirements
    • Submission to BaFin / Deutsche Bundesbank (TCT) - evidence of DORA Art. 26 fulfilment
    • Lessons-learned session with board and CISO

Critical or Important Functions (CIF) - the scope core of every TLPT

DORA Art. 2 and RTS Art. 8-12 define which functions are to be classified as Critical or Important Functions (CIF). The CIF assessment is the basis of the entire scope definition and is carried out jointly with the white team and the authority during the preparation phase.

1. Financial stability

Functions whose failure would endanger the financial stability of the institution or the financial sector - e.g. liquidity management, capital calculation, supervisory reporting.

2. Systemic interconnection

Functions that, if compromised, would have systemic impact on other market participants - e.g. interbank clearing, TARGET2 interfaces, CCPs.

3. Replaceability

Functions that cannot be taken over by replacement systems within a reasonable timeframe - e.g. proprietary core banking systems without redundancy, critical trading platforms.

4. Regulatory continuity

Functions essential for supervisory reporting and compliance - e.g. reporting systems, AML/KYC infrastructure, MiFID reporting.

Typical CIF systems in practice:

Core banking system, payment processing, TARGET2 connection, online banking platform, trading platform, authentication infrastructure, reporting system, AML/KYC engine, clearing & settlement, mobile banking app.

Why AWARE7 as RTT provider under RTS 2025/1190?

The DORA-TLPT-RTS sets clear requirements for red team test providers. AWARE7 meets all of them.

OSCP+-certified team

11 offensive security consultants, including 4 × OSCP+ (OffSec). Multiple CVE authors (Adobe, WooCommerce, Pi-hole). Led by Vincent Heinen, M.Sc. IT Security (RUB), Head of Offensive Services. Meets RTS Art. 5: RT test leader ≥ 5 years, team size ≥ 3 persons.

Financial sector references (BaFin-regulated)

Engagements at BaFin-regulated institutions - including multi-year red team exercises for credit institutions and payment service providers under regulatory requirements. More than 500 completed penetration test projects.

ISO 27001 certified (since 2022)

AWARE7 GmbH is certified to ISO/IEC 27001:2022. Auditors, clients and authorities accept our ISMS certification as a quality credential. Important for RTT provider qualification under TIBER-DE procurement guidelines.

Hiscox E&O insurance (mandatory evidence)

Professional indemnity insurance (Errors & Omissions) with Hiscox SA for €3,000,000 under the NET IT by Hiscox product. Mandatory evidence in the TIBER-DE procurement process - verifiable by authority and white team.

MITRE ATT&CK documentation

Complete documentation of all attack techniques under MITRE ATT&CK Enterprise: tactics, techniques, procedures (TTPs) with timestamps and artefacts. RTS-compliant closure report included. Purple team preparation from day one.

Data stored in Germany

AWARE7 is a German company based in Gelsenkirchen. All test data is processed exclusively on German servers. No data transfer to third countries - relevant for BSI-KRITIS, regulatory data protection requirements and banking secrecy.

Which institutions are affected by DORA TLPT?

RTS Art. 2 (EU 2025/1190) sets objective thresholds. Beyond these, the authority designates further institutions based on a risk analysis.

Automatically included under RTS Art. 2:

  • O-SII / G-SIB: Systemically important credit institutions and investment firms under direct ECB supervision (SSM) are automatically required to conduct TLPT.
  • Insurance undertakings: Non-life and life reinsurers with gross written premiums (GWP) exceeding €500 million.
  • Payment service providers: Payment institutions and e-money institutions with a transaction volume exceeding €120 billion per year.

  • Systemically important banks: O-SII/G-SIB automatically; others following BaFin risk assessment
  • Insurance undertakings: BaFin-supervised primary and reinsurers > €500m GWP
  • Payment service providers: Payment institutions, e-money institutions > €120bn transaction volume
  • Investment firms: CRR investment firms and larger investment houses
  • Central counterparties: CCPs, central securities depositories (CSDs), trading venues
  • On regulatory direction: Smaller institutions may be included by regulatory order

Exempt under DORA Art. 16 are small non-interconnected financial institutions. The exact classification is made by BaFin or Deutsche Bundesbank.

Costs and budget planning for DORA TLPT

TLPT engagements are substantially more extensive than conventional penetration tests - the costs reflect duration, team size and regulatory overhead.

  • RTT provider (AWARE7): €80,000 - €300,000. Drivers: scope complexity, number of CIF systems, duration of active phase (min. 12 weeks), team size (min. 3 persons per RTS).
  • TI provider (separate): €30,000 - €80,000. Targeted Threat Intelligence Report (TTI): dark web research, OSINT, malware analysis, sector intelligence. Must be independent of the RTT provider.
  • Internal coordination costs: €30,000 - €180,000. White team effort, legal/compliance, external legal advice, authority coordination, CISO time, remediation implementation.
  • Total TLPT cost (sum): €140,000 - €560,000

Market average for first TLPT engagements at large German banks: approx. €300,000-450,000. AWARE7 provides a binding fixed-price quote - no hourly rates, no retrospective claims. Quote within 48 hours of initial consultation.

TIBER-DE in international comparison

TIBER-DE is part of a global ecosystem of regulatory red team frameworks. All follow the three-phase approach and mandate genuine threat intelligence.

| Framework | Country / Region | Authority | Since | Basis |
| --- | --- | --- | --- | --- |
| TIBER-DE | Germany | Deutsche Bundesbank / BaFin | 2019 | TIBER-EU / DORA |
| CBEST | United Kingdom | Bank of England | 2014 | Standalone |
| TIBER-EU | EU (cross-border) | ECB | 2018 | Reference framework |
| TIBER-NL | Netherlands | DNB | 2016 | TIBER-EU |
| TIBER-SE | Sweden | Riksbank | 2020 | TIBER-EU |
| TIBER-BE | Belgium | BNB | 2019 | TIBER-EU |
| iCAST | Hong Kong | HKMA | 2021 | CBEST/TIBER-EU |
| CORIE | Australia | RBA / APRA | 2020 | Standalone |

A TIBER-DE completion can in certain constellations be mutually recognised across multiple EU jurisdictions - particularly for institutions with subsidiaries in several EU member states.

Frequently asked questions about DORA TLPT and TIBER-DE

Threat-Led Penetration Testing (TLPT) is a mandatory assessment for significant financial institutions under the DORA Regulation (EU) 2022/2554, Art. 26. Unlike a classical penetration test, TLPT is based on genuine threat intelligence (Targeted Threat Intelligence) about current adversaries specifically targeting the institution or the sector. The red team simulates these real-world adversaries against live production systems - including critical functions such as payment processing or core banking systems. The entire process is under regulatory oversight and must be reported to the competent authority (BaFin / Deutsche Bundesbank).

Art. 26 DORA obliges those financial institutions that are identified by the competent authority (in Germany: BaFin or Deutsche Bundesbank) on the basis of a risk assessment. The DORA-TLPT-RTS (Regulation EU 2025/1190, in force from 8 July 2025) specifies thresholds: automatically included are credit institutions and investment firms of the O-SII/G-SIB category, insurance undertakings with a GWP exceeding €500 million, and payment service providers with a transaction volume exceeding €120 billion. Small non-interconnected institutions are exempt. Affected institutions must conduct TLPT at least every three years.

A conventional penetration test examines defined systems for known vulnerabilities - the scope is narrow, the blue team is usually informed, the methodology is standardised, and the duration is 3-10 days. TLPT goes fundamentally further: (1) It is based on a specific Targeted Threat Intelligence Report (TTI) by a certified TI provider for that specific institution; (2) testing is against live production systems, not staging; (3) the blue team (SOC) does not know that a test is taking place; (4) the entire process takes 5-7 months including preparation, active testing phase (minimum 12 weeks) and purple team closure; (5) scope, methodology and results are coordinated with BaFin / Deutsche Bundesbank.

TIBER-DE (Threat Intelligence-Based Ethical Red-Teaming) is the Deutsche Bundesbank's framework for regulatory-recognised red team tests in the German financial sector. It was introduced in 2019 and fully aligned with DORA TLPT requirements in February 2025. TIBER-DE is the methodology approved in Germany for fulfilling the DORA Art. 26 obligation. Engagements under TIBER-DE are coordinated by the TIBER Cyber Team (TCT) of the Bundesbank and recognised by the supervisory authority.

A TIBER-DE engagement is structured in three mandatory phases: (1) Preparation Phase (4-6 weeks after authority notification): scope definition with the authority, control team nomination (deadline: 3 months), white team setup, TI provider engagement, Generic Scope Document (GSD, deadline: 6 months). (2) Testing Phase (minimum duration 12 weeks): TI provider delivers the TTI report, AWARE7 red team plans campaign and commences active attack simulation against live production systems, MITRE ATT&CK documentation of all techniques. (3) Closure Phase: purple team exercises (mandatory, within 10 weeks after end of active phase), remediation plan, closure report and submission to BaFin / Deutsche Bundesbank. Total duration: typically 5-7 months.

There is no formal state accreditation for TIBER-DE RTT providers. The selection lies with the financial institution, which qualifies the RTT provider based on TIBER-DE procurement guidelines and RTS requirements. The Bundesbank (TCT) reviews whether the provider meets the requirements during the scope definition phase. Under RTS Art. 5, the Red Team Test Leader must have at least 5 years of relevant experience and 5 proven references. Further requirements: recognised offensive certifications (e.g. OSCP+, CREST CCRTS), adequate professional indemnity insurance and full independence from the entity being tested.

AWARE7 meets all RTS requirements for RTT providers: (1) Offensive security team with 11 consultants, including 4 × OSCP+ (OffSec), multiple CVE authors (Adobe, WooCommerce, Pi-hole); (2) ISO/IEC 27001:2022 certification; (3) professional indemnity insurance with Hiscox (€3m E&O, NET IT); (4) demonstrated red team experience at BaFin-regulated financial institutions (credit institutions, insurers, payment service providers); (5) application of the TIBER-DE methodology in past engagements under the leadership of Vincent Heinen (Head of Offensive Services, M.Sc. IT Security, RUB); (6) MITRE ATT&CK documentation for every engagement; (7) data stored in Germany.

Critical or Important Functions (CIF) are the core of every TLPT scope. Under DORA Art. 2 and the RTS, functions are classified as critical if: (1) their failure would endanger the financial stability or regulatory continuity of the institution; (2) their compromise would have systemic impact on other market participants; (3) they could not be taken over by replacement systems within a reasonable time; or (4) they are essential for regulatory reporting. Typical CIF: core banking system, payment processing, authentication infrastructure, operational trading platforms, supervisory reporting. The CIF assessment is carried out jointly with the white team and the authority during the preparation phase.

TLPT under DORA targets the critical functions (CIF) of the institution - the systems that would have systemic consequences if disrupted or compromised. Scope typically covers core banking systems, payment infrastructure, authentication systems and operational databases. The precise scope definition takes place in the preparation phase together with the white team and the supervisory authority in the Generic Scope Document (GSD). Testing is exclusively against live production systems - no staging, no test environment.

TIBER-DE-compliant engagements start at AWARE7 as RTT provider from approx. €80,000 (net). The market range for RTT providers is typically between €80,000 and €300,000 - depending on scope complexity, duration of the active phase (minimum 12 weeks) and team size. The separately commissioned costs of the TI provider for the TTI report (typically €30,000-80,000) are additional. A complete TLPT engagement therefore falls within a market average of €140,000-560,000. AWARE7 provides a binding fixed-price quote - no hourly rates, no retrospective claims.

The white team is the coordination unit of the institution that has the full overview of the engagement. It typically consists of senior management/board, CISO and optionally legal/compliance. The white team acts as the link between the RTT provider, TI provider and supervisory authority. It approves the scope, knows the test period and makes emergency decisions. The operational IT/security team (blue team/SOC) is deliberately kept uninformed to ensure realistic detection conditions.

Under RTS Art. 6, institutions may use internal testers under certain conditions: the internal red team must be fully separated from the function it is testing. For significant credit institutions under direct ECB supervision (SSM institutions): they must always engage external RTT providers. For other institutions: a maximum of two consecutive TLPTs may be conducted internally; the third must be external. The qualification requirements under RTS Art. 5 apply to internal testers identically as to external providers.

The purple team phase is a mandatory component of every TLPT under the RTS and TIBER-DE and must take place within 10 weeks of the end of the active test phase. In the purple team exercise, attack chains are replayed jointly by the red team (AWARE7) and the blue team (SOC of the institution): the red team shows how an attack played out - the blue team learns how it should have been detected and stopped. The objective is knowledge transfer, detection improvement and preparation of the remediation plan. Without documented purple team exercises, the TLPT closure is not recognised by the regulator.

Yes - TIBER-DE is part of a global ecosystem of comparable frameworks: CBEST (UK, since 2014, Bank of England), TIBER-NL (Netherlands, DNB), TIBER-SE (Sweden, Riksbank), TIBER-BE (Belgium, BNB), TIBER-DK (Denmark), iCAST (Hong Kong, HKMA), CORIE (Australia, RBA). All follow the three-phase approach (Preparation / Testing / Closure), mandate genuine threat intelligence and have a 3-year cycle. TIBER-EU (ECB) is the overarching reference framework from which DORA Art. 26 is methodically derived. A TIBER-DE completion can in certain constellations be mutually recognised across multiple jurisdictions.

After notification by BaFin / Deutsche Bundesbank, the following binding deadlines apply: (1) 3 months: Control Team (white team) must be nominated and reported to the authority. (2) 6 months: Generic Scope Document (GSD) / Scope for Scoping Document (SSD) must be agreed and submitted. (3) Active test phase: minimum duration 12 weeks (specified by RTS). (4) Purple team exercises: mandatory, within 10 weeks after end of active phase. (5) Closure report: submission to the authority after completion of the closure phase. Total duration from notification to closure: typically 5-7 months.

Commission Delegated Regulation (EU) 2025/1190 (DORA-TLPT-RTS) was published on 13 February 2025 and entered into force on 8 July 2025. It contains 17 articles and 8 annexes and specifies the DORA Art. 26 requirements: (1) Article 2: Thresholds for affected institutions. (2) Article 5: Qualification requirements for RTT and TI providers (5 years' experience, 5 references for test leader). (3) Article 6: Conditions for internal testers. (4) Articles 8-12: CIF assessment framework and scope process. (5) Articles 13-15: Requirements for the TTI report. (6) Annexes 1-8: Templates for GSD, TTI report, closure report and other mandatory documents.

Your contact for DORA TLPT

Fixed-price quote in 48h

Planning a DORA TLPT?

We discuss scope, CIF assessment, timeline and authority coordination - free and non-binding. You receive a binding fixed-price quote within 48 hours.