
DORA Art. 26-27 | Financial Sector

TIBER-EU & TLPT:
Threat-Led Penetration Testing
under DORA.

DORA requires systemically relevant financial institutions to conduct Threat-Led Penetration Tests every three years - on live production systems, supervised by the competent authority, and based on real threat intelligence.

Last updated: March 2026 - References: DORA Art. 26-27, TIBER-EU

Legal Basis: DORA Art. 26-27, Threat-Led Penetration Testing
Test Cycle: Every 3 years, obligation for systemically relevant institutions
TIBER Phases: 3 phases (Preparation, Testing, Closure)
Provider Roles: TCT + TI + RT, three independent roles required

Key facts:
  • TLPT obligation for authority-identified institutions: at least every 3 years
  • Tests on the production environment required: live systems
  • DORA in force since 17 January 2025
  • Three phases: Preparation - Testing - Closure

Fundamentals

What is Threat-Led Penetration Testing?

TLPT (Threat-Led Penetration Testing) is a highly specialised form of red team testing in which an accredited red team simulates realistic attacks on a financial institution based on real threat intelligence - directly on live production systems.

The decisive difference from a classic penetration test: TLPT is threat intelligence-based. Before the red team begins, a Threat Intelligence Provider analyses which APT groups, attack patterns, and tactics would realistically be deployed against this specific institution. This Targeted Threat Intelligence Report (TTIR) becomes the blueprint for the attack.

DORA Art. 26-27 makes TLPT mandatory for systemically relevant financial institutions and anchors the TIBER-EU framework of the European Central Bank as the European standard. National implementations exist across the EU: TIBER-DE (Germany), TIBER-NL (Netherlands), TIBER-BE (Belgium), and others.

Criterion      TLPT                          Red Teaming            Pentest
-------------  ----------------------------  ---------------------  ------------------
Basis          Threat Intelligence (TTIR)    Objective definition   Scope document
Test Systems   Live production               Prod. or test          Usually test env.
Supervision    Authority supervised          Internal               Internal
Duration       6-12 months                   4-8 weeks              1-4 weeks
Attestation    EU-wide recognised            Internal               Internal

TLPT / TIBER-EU at a Glance

Legal Basis: DORA Art. 26-27 (EU 2022/2554)
DORA Applies Since: 17 January 2025
Framework: TIBER-EU (ECB) / national implementations (TIBER-DE, TIBER-NL, etc.)
Interval: At least every 3 years
Test Systems: Live production systems mandatory
Competent Authority: National supervisory authority (e.g. Deutsche Bundesbank & BaFin in DE)

DORA has been in force since January 2025

Systemically relevant institutions must set up their TLPT planning now. Accredited providers have limited capacity - allow for lead times.

TIBER-EU Framework

The Three Phases of a TIBER-EU Test

TIBER-EU defines a structured, three-phase process. Each phase has clear deliverables, roles, and supervisory control points. Total project duration: typically 6 to 12 months depending on institution size.

White Team (Internal Coordination Team)

A small group of internal experts who know about and coordinate the test. Interface with the supervisory authority. Can halt the test.

Red Team (External Attacker Provider)

Accredited external service provider simulating realistic attacks based on the TTIR. Fully independent from the institution.

Blue Team (Internal Defence / SOC)

Security Operations Centre and Incident Response - do NOT know about the test. Only briefed in the Closure Phase (Purple Teaming).

01 Preparation & Scoping (Preparation Phase, 4-8 weeks)

Definition of the test scope together with the supervisory authority (national competent authority, e.g. Deutsche Bundesbank/BaFin in Germany, or the relevant national authority in your EU member state). Commissioning of an accredited Threat Intelligence Provider. Creation of a Generic Threat Landscape Report (GTLR) for the financial sector and subsequently a Targeted Threat Intelligence Report (TTIR) specific to the institution. The White Team is established.

02 Red Team Execution (Testing Phase, 3-6 months)

Execution of the red team test on live production systems based on the Targeted Threat Intelligence Report. The red team simulates realistic Advanced Persistent Threat (APT) scenarios. Attack vectors are aligned with actual threats facing financial institutions (SWIFT attacks, insider threats, supply chain attacks). Complete documentation of all activities.

03 Purple Teaming & Final Report (Closure Phase, 4-8 weeks)

Joint purple teaming session: the red team and the blue team (defenders) jointly analyse attack paths and detection gaps. Creation of the final report with remediation plan. The regulatory validation report is reviewed and approved by the supervisory authority. The attestation certificate enables mutual recognition in other EU member states.

DORA Art. 26

Who Must Conduct TLPT under DORA?

DORA Art. 26 requires "significant" financial entities to conduct TLPT. The supervisory authority designates which institutions must be tested based on systemic relevance. The classification is based on size, interconnectedness, and importance for financial stability.

TLPT Obligation - Systemically Relevant Institutions

Authority-designated - At least every 3 years mandatory

  • Significant Credit Institutions: systemically important banks (SREP classification)
  • Central Counterparties (CCPs): clearing houses under EMIR
  • Central Securities Depositories (CSDs): securities settlement under CSDR
  • Central Securities Registers: core infrastructure of capital markets
  • Payment Institutions: systemically important payment service providers
  • E-Money Institutions: large e-money issuers
  • Insurance Undertakings: insurers with systemic relevance
  • Reinsurance Undertakings: systemically relevant reinsurers
  • Investment Firms: significant investment firms under MiFID II
  • Critical ICT Third-Party Providers: technology service providers for the financial sector

Criteria for Systemic Relevance

  • Size and total assets of the institution
  • Interconnectedness with other financial institutions
  • Importance for financial market infrastructure
  • ICT risk exposure and third-party dependencies

Mutual Recognition Across the EU

A TLPT conducted under TIBER-EU is mutually recognised across the EU (Art. 26 para. 7 DORA). Institutions with cross-border operations therefore only need to conduct the test once - the attestation certificate is valid for all EU branches.

Voluntary TLPT - Smaller Institutions

Non-systemically relevant institutions can also voluntarily conduct TLPT. This is particularly recommended if the institution is an ICT service provider for systemically relevant entities or is seeking TIBER-EU accreditation.

Is Your Institution Subject to DORA TLPT?

In a free initial consultation, we clarify whether your institution is subject to TLPT, how to select an accredited provider, and how a typical project unfolds.

Schedule Initial Consultation

DORA Art. 27

Requirements for Red Team Providers

DORA Art. 27 defines strict requirements for external Threat Intelligence and Red Team providers. Not every penetration testing provider qualifies for TLPT - the bar is set very high.

01 Demonstrated Experience

At least three completed red team tests in comparable financial institutions or critical infrastructures. References must be available on request. The supervisory authority can directly verify reference projects.

02 Recognised Certifications

CREST certification (Council of Registered Ethical Security Testers) or equivalent recognised certification. Team leadership should hold CREST Registered Tester (CRT) or higher. CBEST accreditation (for UK/EBA cross-border tests) is advantageous.

03 Full Independence

No conflicts of interest with the tested institution: no involvement in ongoing IT operations, no economic entanglement, no knowledge of internal systems from parallel mandates. Independence must be declared in writing.

04 Adequate Liability Insurance

At least EUR 5 million liability insurance explicitly covering red team tests and penetration tests on production systems. The insurance policy must be presented to the institution before contract award.

05 Structured Threat Intelligence Team

Dedicated Threat Intelligence team with demonstrable experience in analysing APT groups that target financial institutions. Access to current threat intelligence feeds and sources for the TIBER-EU TTIR is required.

06 Confidentiality & Data Protection

Strict confidentiality requirements: all test results, vulnerabilities, and system information are subject to the strictest confidentiality. Secure communication channels and data encryption are mandatory. GDPR-compliant data processing must be demonstrated.

Practical Tip: National competent authorities maintain lists of accredited TIBER providers. When selecting a provider, institutions should evaluate not only formal accreditation but also financial sector experience, cultural fit, and project management capacity. AWARE7 supports you in provider selection and the entire TLPT coordination process.

Real Threat Landscape

Why TLPT is Essential for Financial Institutions

Financial institutions are the most heavily targeted sector worldwide. The following incidents show which attack patterns TLPT tests simulate and why regulatory-mandated tests on production systems are absolutely necessary.

2016 Bangladesh Bank - SWIFT

Bangladesh Bank SWIFT Hack

Attackers compromised the SWIFT terminal system of the central bank of Bangladesh and transferred USD 81 million to accounts in the Philippines. The attack used legitimate SWIFT credentials and went undetected for weeks. A TLPT would have uncovered the weak access controls and missing monitoring.

2016 Tesco Bank - Online Banking

Tesco Bank Online Fraud

GBP 2.5 million were debited from approximately 9,000 customer accounts over a single weekend. Attackers exploited vulnerabilities in the payment authorisation and fraud detection system. The UK FCA imposed a fine of GBP 16.4 million - inadequate ICT risk management as the main criticism.

2018 Banco de Chile - SWIFT

Banco de Chile SWIFT Attack

While IT security was occupied with a distraction attack (malware on workstations), the Lazarus group initiated fraudulent SWIFT transactions for USD 10 million. The two-stage attack strategy shows why TLPT simulates realistic multi-stage scenarios.

2023 MOVEit - Supply Chain

MOVEit Supply Chain Attack

The Cl0p group exploited a zero-day vulnerability in MOVEit Transfer and compromised hundreds of financial service providers worldwide. Many institutions did not know for weeks that customer data had been exfiltrated. TLPT tests explicitly examine third-party attack vectors.

Ongoing Supervisory Authorities - IT Reviews

Regulatory IT Reviews: Deficiency Findings

Financial supervisory authorities regularly identify significant deficiencies in access controls, patch management, and incident response during special IT audits. Affected institutions receive deficiency reports with binding implementation deadlines. TLPT serves as proactive proof of resilience.

Continuous APT Groups

State-Sponsored APT Groups

Lazarus (North Korea), APT28/Fancy Bear (Russia), and other state-sponsored groups continuously target European financial institutions. These threats form the basis of the Targeted Threat Intelligence Report in the TIBER process - realistic, specific, current.

"TLPT under TIBER-EU is the most demanding form of security testing that exists. Financial institutions that are serious about building resilience cannot avoid regulatory-supervised red team tests on production systems. We prepare institutions for exactly this level."

Chris Wojzechowski

Penetration Testing & Red Teaming Expert · AWARE7 GmbH

FAQ

Frequently Asked Questions on TLPT & TIBER-EU

The most important questions about TLPT, TIBER-EU, and DORA Art. 26-27 - answered with technical depth and practical guidance.

TLPT (Threat-Led Penetration Testing) is a high-quality, regulatory-mandated red team test for systemically relevant financial institutions. Unlike a classic penetration test: (1) TLPT is based on real, institution-specific Threat Intelligence Reports - the attacker simulates actual APT groups that would realistically target the institution. (2) TLPT is conducted on live production systems, not test environments. (3) TLPT is supervised by the competent authority - the national supervisory authority accompanies the test and validates the results. (4) TLPT typically takes 6-12 months and is significantly more comprehensive than a typical penetration test.

DORA Art. 26 requires "significant" financial entities to conduct TLPT. The supervisory authority (national competent authority) determines which institutions are classified as systemically relevant. Generally affected are: systemically important credit institutions (significant institutions under the SSM Regulation), central counterparties (CCPs), central securities depositories (CSDs), significant payment institutions and e-money institutions, systemically relevant insurance undertakings, and critical ICT third-party providers. Smaller institutions may voluntarily conduct TLPT or be asked to do so by the authority.

DORA Art. 26 para. 1 requires a TLPT at least every three years. The supervisory authority may order shorter intervals if significant security incidents have occurred, material system changes have taken place, or findings from other supervisory measures require it. After successful completion of a TLPT, the institution receives an attestation certificate that is mutually recognised in other EU member states (principle of mutual recognition under Art. 26 para. 7 DORA).

TIBER-EU is the overarching European framework of the ECB for Threat Intelligence-Based Ethical Red Teaming. National implementations exist in each member state: TIBER-DE (Germany, Deutsche Bundesbank/BaFin), TIBER-NL (Netherlands), TIBER-BE (Belgium), TIBER-DK (Denmark), and others. DORA Art. 26-27 explicitly refers to TIBER-EU-compatible tests as the established standard. A test conducted under a national TIBER framework fully satisfies DORA TLPT requirements. TIBER tests are cross-jurisdictionally recognised - a test conducted in one EU country under the TIBER framework is valid for branches in other EU countries.

TLPT tests are considerably more complex than standard penetration tests. Typical cost ranges: Threat Intelligence Report (GTLR + TTIR): EUR 30,000-80,000; Red Team Execution (3-6 months): EUR 150,000-500,000; Purple Teaming and final report: EUR 30,000-80,000. Total project: typically EUR 200,000-650,000. Costs vary significantly depending on institution size, IT landscape complexity, and test scope. For smaller institutions voluntarily conducting TLPT, simplified variants exist.

TLPT is explicitly conducted on production systems - this is a regulatory requirement. However, strict protocols exist to prevent production outages: the White Team (internal coordinators) can halt the test at any time if critical systems are at risk. Destructive attacks (data deletion, ransomware deployment, permanent system compromise) are explicitly prohibited. All activities are comprehensively logged. The test is coordinated - the red team knows the escalation paths. After the test, a complete remediation plan is created.

No, the supervisory authority does not need to be physically present. Its role is: (1) approval of the test scope and TTIR in the Preparation Phase, (2) ongoing notification through the White Team of significant findings, (3) review and validation of the final report, (4) issuance of the regulatory attestation certificate. The institution remains in close contact with the supervisory authority through the White Team throughout the test.

Under DORA Art. 27 para. 1, internal red teams may be used under strict conditions: complete organisational separation from ICT operations, approval by the supervisory authority, additional external review of the Threat Intelligence Report and final report, and at least every third test must involve an external provider. In practice, supervisory authorities recommend external providers, as independence and objectivity can be better ensured.

DORA Art. 26 para. 6 requires a remediation plan after every TLPT addressing all identified vulnerabilities. The plan must: prioritise all critical findings (by CVSS or TIBER classification), contain concrete measures with responsible parties and timelines, be approved by management, and be submitted to the supervisory authority. Implementation of the remediation plan is reviewed at the next supervisory engagement. Unaddressed critical findings may result in supervisory measures.

Red teaming is the overarching term for adversarial attack simulations. TLPT is a specific form of red teaming with regulatory characteristics: mandatory threat intelligence basis (TTIR), supervisory authority accompaniment and validation, mandatory testing on production systems, and a formal closure procedure with regulatory attestation and EU-wide mutual recognition. Classic red teaming without the TIBER-EU framework does not satisfy DORA TLPT requirements.

Schedule a TLPT Initial Consultation for Financial Institutions

In a free 30-minute conversation, we clarify your TLPT obligation under DORA, explain the TIBER-EU process, and outline how a project would unfold at your institution - with timeline and a concrete next step.

Free · 30 minutes · No obligation