DORA TLPT: The Threat-Led Penetration Testing Requirement Nobody’s Ready For

By Alexander Sverdlov

If you’re wondering whether TLPT applies to you, what it costs, who runs it, and how to survive one - this is the guide that answers all of it.

I’ll be honest. When I first read DORA Articles 26 and 27, I assumed threat-led penetration testing would be a niche concern. Something for the big systemically important banks. The kind of thing that affects maybe 50 institutions across the entire EU.

I was wrong.

The designation criteria are broader than most people expect. The cost is higher than most people budget for. And the timeline is tighter than most people realise, because the TIBER-EU framework that DORA’s TLPT is based on wasn’t designed to be rolled out at the scale DORA demands.

This article breaks down everything: who gets designated, what TLPT actually involves, how it connects to TIBER-EU, what it costs, and how to start planning even if you’re not sure you’ll be designated. Because by the time your NCA sends the letter, you won’t have time to start from zero.

Wait, What Even Is TLPT?


Let me back up for a second. There’s a meaningful difference between a standard penetration test and a threat-led penetration test, and most people - including a surprising number of security professionals - conflate them.

A standard penetration test is like a health check. You hire a firm, they scan your systems, they try to break in using known techniques, and they give you a report listing what they found. Valuable? Sure. But it’s a point-in-time exercise based on generic attack scenarios.

A threat-led penetration test is fundamentally different. It starts with a threat intelligence phase where specialists analyse the actual threats facing your specific institution - which threat actors are likely to target you, what their tactics, techniques, and procedures look like, what your specific attack surface is. Then, a separate red team uses that threat intelligence to simulate real-world attacks against your live production systems, without most of your staff knowing it’s happening.

The whole point is realism. A standard pen test tells you “we found these vulnerabilities.” A TLPT tells you “if this specific nation-state APT group decided to target your bank, here’s how they’d get in, how far they’d get, and whether your defenders would notice.”

It’s also far more expensive, far more disruptive, and far more revealing. Which is exactly why DORA mandates it for certain entities.

What DORA Articles 26-27 Actually Require


The legal framework in plain language

Let me translate the regulation into human-readable terms:

Article 26(1): Financial entities identified by their competent authority (microenterprises and entities under the simplified framework of Article 16 are out of scope) must carry out TLPT at least every three years. Not voluntarily. Not on a best-effort basis. Must. The authority can also shorten or lengthen that interval based on your risk profile and operational circumstances.

Article 26(2): Each test must cover "several or all critical or important functions" and be performed on "live production systems supporting such functions." Not a test environment. Not a staging copy. The real thing. You have to identify every underlying ICT system, process and technology supporting those functions, including the ones you have outsourced, and the competent authority validates the resulting scope. You can't just test your marketing website and call it done. Live production is what makes most CISOs nervous, and rightly so, because the risk of disruption during the test is non-trivial; this is why Article 26(5) separately requires risk management controls, agreed with the testers and the providers involved, to limit damage to data, assets and operations during the test.

Article 26(3) and 26(4): If ICT third-party service providers support an in-scope function, you must take the measures needed to ensure they participate in the test, and you retain full responsibility for compliance. Where a provider's participation would harm the service or data of its other customers, the provider may instead contract an external tester directly for a pooled test covering several financial entities. Either way, you can't just test your own systems and pretend your cloud provider doesn't exist. This creates coordination challenges with third parties that I'll discuss later.

Article 26(6) and 26(7): At the end of the test, you and the external testers give the authority a summary of findings, the remediation plans and documentation showing the test followed the requirements; the authority then issues an attestation, which is the basis for mutual recognition between competent authorities. Testers must be contracted in line with Article 27, and if you use internal testers you must still contract an external threat intelligence provider.

Article 27: Testers must be of "the highest suitability and reputability," have the technical and organisational capabilities and demonstrable expertise in threat intelligence, penetration testing and red teaming, be certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks, provide independent assurance (or an audit report) on how they manage TLPT risk and your confidential information, and carry professional indemnity insurance that covers misconduct and negligence. Internal testers are permitted, but only with the competent authority's approval, verified dedicated resources, conflict-of-interest safeguards across design and execution, and an external threat intelligence provider. In practice most entities will still buy in the red team; either way your blue team (defenders) should absolutely be part of the exercise.

Will You Be Designated? The Criteria Nobody Summarises Clearly


The Regulation itself doesn't give you a clean checklist for TLPT designation. Article 26(8) tells competent authorities to identify entities in a way that is proportionate to their size and overall risk profile (the Article 4(2) proportionality criteria), based on an assessment of:

Impact-related factors: The extent to which your services and activities impact the financial sector. If your failure would ripple through the broader financial system, you're likely in scope.

Financial stability concerns: The systemic character of the entity at Union or national level. This clearly includes G-SIIs and O-SIIs (the global and other systemically important institutions, better known as G-SIBs and D-SIBs) and significant institutions under ECB/SSM direct supervision.

ICT risk profile and maturity: The entity's specific ICT risk profile, level of ICT maturity and the technology features involved. Paradoxically, entities with complex ICT environments and heavy reliance on third-party providers are more likely to be designated, because their attack surface is larger.

Proportionality: Smaller entities with simpler ICT environments and lower systemic importance are less likely to be designated, but the Regulation doesn't provide a safe harbour. The RTS on TLPT adopted under Article 26(11) turns these factors into concrete identification criteria per sector, including quantitative thresholds, so read it alongside your NCA's (or designated TLPT authority's) communications before assuming you're out of scope. In the end, the authority decides.

Based on how TIBER-EU was applied before DORA made it mandatory, and based on early NCA communications, here’s my rough estimate of who’s getting designated:

| Entity type | Likelihood of TLPT designation | Rationale |
|---|---|---|
| G-SIIs and O-SIIs (G-SIBs and D-SIBs) | Near certain | Systemic importance alone justifies designation |
| ECB/SSM significant institutions | Very likely | Already subject to enhanced supervision |
| Major payment processors | Very likely | Payment infrastructure is critical to the financial system |
| CCPs and CSDs | Very likely | Market infrastructure with systemic implications |
| Large insurance groups | Likely | Significant ICT dependency; large customer bases |
| Mid-tier banks (less significant institutions below the SSM threshold) | Possible | Depends on ICT complexity and NCA judgement |
| Large investment firms | Possible | Class 1 firms authorised as credit institutions under IFR/IFD fall into the bank rows above; the rest depend on size, activities and NCA judgement |
| Smaller banks, EMIs, CASPs | Unlikely | Proportionality principle; Article 24-25 testing still required |

The TIBER-EU Connection: Why This Matters


DORA Article 26(11) is explicit: the regulatory technical standards that specify TLPT (identification criteria, use of internal testers, scope, methodology, closure and remediation, cooperation between authorities) had to be drafted "in accordance with the TIBER-EU framework." This isn't a suggestion. TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the ECB's framework for threat-led red teaming in the financial sector, first published in 2018 and revised in 2025 to line up with DORA, and the DORA RTS on TLPT is the legally binding form of its methodology.

If you’re not familiar with TIBER-EU, here’s the short version. The framework defines a three-phase process:

Phase 1: Preparation (typically 4-6 weeks once providers are contracted)

Scoping and planning. Define which critical or important functions are in scope and which systems support them. Engage the threat intelligence (TI) provider and the red team. Establish the control team (TIBER-EU calls it the white team): the small group of people who know the test is happening. Notify your NCA or designated TLPT authority; its test manager accompanies the test from here on and validates the scope.

Phase 2: Testing (roughly 4-5 months)

This has two sub-phases. First, the TI provider produces a Targeted Threat Intelligence (TTI) report - a bespoke analysis of the threat actors, tactics and attack surface specific to your institution. Then the red team turns that TTI into a test plan and executes it against your live production systems. The RTS on TLPT requires the red team testing phase to last at least 12 weeks, so this is not a two-week sprint. This is where things get real. The red team will attempt social engineering, phishing, network intrusion, lateral movement, data exfiltration - whatever the threat intelligence says a real attacker would try - while the control team keeps the agreed safety boundaries.

Phase 3: Closure (4-6 weeks)

The red team produces its report. The blue team (your defenders) writes up its perspective. A replay and purple teaming workshop brings both sides together to walk through each attack scenario - what happened, what was detected, what was missed, and why. The entity produces a remediation plan. The summary of findings, the remediation plan and the evidence that the test met the requirements go to the authority, which issues the attestation under Article 26(6).

Total duration, from kick-off to attestation: typically 6-9 months, and longer if provider availability or third-party coordination slips. That's not a typo. A single TLPT engagement takes the better part of a year when you include preparation and closure.

Let’s Talk Money

Nobody writes about TLPT costs because the numbers are uncomfortable. But you need to know them for budget conversations, so here goes.

A TIBER-EU/DORA TLPT engagement typically costs between €400,000 and €1,200,000, depending on scope, complexity, and the number of critical functions tested. Here’s how that breaks down:

| Component | Typical cost range | Notes |
|---|---|---|
| Threat intelligence provider | €80K-200K | Bespoke TTI report; more complex for multi-jurisdiction entities |
| Red team provider | €250K-700K | At least 12 weeks of active testing (the RTS minimum); varies with scope and attack complexity |
| Internal staff time | €50K-150K | Control team, blue team debriefings, remediation planning |
| Purple team workshop and reporting | €30K-80K | Analysis, joint sessions, authority-ready documentation |

And remember: DORA says "at least every three years," and your authority can require it more often. So divide that total by three at best and add it to your annual compliance budget. For a mid-complexity engagement, you're looking at roughly €200K-400K per year, annualised.

The other hidden cost? The threat intelligence and red team providers are in high demand and limited supply. The market for TIBER-EU-qualified testers wasn’t designed for the volume that DORA creates. If you wait until your designation letter arrives to start looking, you may face a 3-6 month wait just to get on a provider’s schedule.

5 Mistakes I See Firms Making With TLPT Planning

Mistake 1: Confusing TLPT with their annual pen test

A standard vulnerability assessment or network penetration test does not satisfy the TLPT requirement. Not even close. TLPT requires bespoke threat intelligence from an external TI provider (mandatory even if you use approved internal testers), a red team working from that intelligence against live production systems, a control team, and oversight by your TLPT authority from scoping to attestation. Your annual Qualys scan is not this.

Mistake 2: Scoping too narrowly

Some firms try to minimise the TLPT scope by testing only one critical function. The regulation says “several or all critical or important functions.” Your NCA will review and approve the scope, and if they think you’ve excluded important systems to make the test easier, they’ll push back. Start with a comprehensive scoping exercise.

Mistake 3: Not involving critical ICT providers

If a critical or important function runs on a third-party platform, that provider has to be part of the TLPT. DORA is explicit about this (Article 26(3)), and it applies to any ICT third-party service provider supporting an in-scope function, not only the ones the ESAs designate as critical. But coordinating with a major cloud or SaaS provider for a red team test against their systems? That's a months-long negotiation, and if the provider can show the test would harm its other customers you may end up in a pooled TLPT under Article 26(4) instead. Start that conversation early.

Mistake 4: Treating remediation as optional

The TLPT findings aren't just an informational report. Your authority receives the summary of findings together with a remediation plan with timelines, and the attestation under Article 26(6) is issued on that basis. Those remediation actions become supervisory expectations that will be followed up. Ignoring them is, in regulatory terms, "a bad idea."

Mistake 5: Waiting for designation before preparing

The preparation phase alone takes 4-6 weeks. Finding and contracting qualified providers takes 2-4 months. The threat intelligence phase takes several weeks and the red team testing phase must run for at least 12 weeks. You're looking at a 6-9 month total timeline. If your NCA designates you in Q2 2026 and expects a completed TLPT within the three-year cycle, the clock is already ticking. Having a provider shortlisted and a preliminary scope defined before designation saves you critical months.

Not Designated for TLPT? You Still Need to Test.

Here’s the part that often gets overlooked in the TLPT conversation: DORA requires digital operational resilience testing for all financial entities, not just those designated for TLPT.

Articles 24 and 25 set out a general digital operational resilience testing programme that every entity must maintain, proportionate to its size and risk profile. Article 25(1) lists the kinds of tests the programme should provide for:

  • Vulnerability assessments and scans
  • Open-source analyses
  • Network security assessments
  • Gap analyses
  • Physical security reviews
  • Questionnaires and scanning software solutions
  • Source code reviews where feasible
  • Scenario-based tests
  • Compatibility testing
  • Performance testing
  • End-to-end testing
  • Penetration testing (standard, not threat-led)

The list is illustrative ("appropriate tests, such as"), so you pick the tests that fit your risk profile, but the programme itself is not optional. Article 24 requires it to be risk-based, to be executed by independent parties (internal or external), to test every ICT system and application supporting a critical or important function at least yearly, and to come with procedures for prioritising, classifying and remediating whatever the tests reveal. Smaller entities can do simpler versions, but the expectation is that testing is systematic, documented, and leads to remediation.

The reason I emphasise this is that many mid-tier firms are so relieved to not be designated for TLPT that they forget they still have meaningful testing obligations. Your NCA will ask about your testing programme during supervisory assessments, regardless of TLPT designation.

A Practical Planning Timeline

Whether you’ve been designated or think you might be, here’s a realistic timeline for planning your first DORA TLPT:

Month 1-2: Internal readiness assessment. Map your critical functions. Identify which systems support them. Assess whether your blue team has the maturity to meaningfully participate in a TLPT. If your SOC struggles with basic alerting, the purple teaming phase will be painful.

Month 2-3: Provider selection. Start identifying threat intelligence and red team providers with TIBER-EU experience that meet the Article 27 requirements. Get on their calendars. Remember: the threat intelligence provider must be external to your entity, even if you plan to use approved internal testers for the red team. Request proposals from at least two of each.

Month 3-4: Authority engagement. Contact your NCA or designated TLPT authority to discuss TLPT planning. Authorities want to be involved from the scoping phase, and they validate the scope. This isn't a surprise test for the regulator - its test manager sees the scope, the threat intelligence and the red team test plan. The people who must not know the specifics are your own blue team, because detecting and responding without advance warning is what the test measures.

Month 4-6: Threat intelligence phase. The TI provider produces the Targeted Threat Intelligence report. This drives the red team's test scenarios. Review it carefully - if the TI is generic, the test results will be generic.

Month 6-9: Active testing. The red team executes the attack scenarios against your live systems for at least 12 weeks. Your blue team defends without knowing the specifics. The control team manages the process and ensures the agreed safety boundaries are respected.

Month 9-10: Closure and reporting. Replay and purple team workshop. Red team and blue team reports. Remediation plan. Submission to the authority and attestation. Lessons learned.

The Bigger Picture

TLPT under DORA isn’t just a compliance checkbox. It’s the most realistic test of your operational resilience that you’ll ever undergo. When done well, it reveals blind spots that no amount of policy writing or risk assessment can uncover. I’ve seen TIBER-EU exercises expose security gaps that had been invisible for years - not because people weren’t trying, but because you can’t find what you don’t look for.

The cost is significant. The disruption is real. But so is the value, if you approach it as a learning exercise rather than a box-ticking exercise.

And for everything else in your DORA compliance programme - the Register of Information, risk assessments, incident classification, testing documentation, cross-framework mapping - platforms like Venvera can help you manage the broader compliance picture across 13 frameworks, so your team can focus their energy where it matters most: preparing for the tests that actually stress your defences.


Last updated: March 2026. TLPT cost estimates based on market observations and may vary by jurisdiction and provider. Consult your NCA for jurisdiction-specific TLPT guidance.

Alexander Sverdlov


CEO & Founder

Alexander is the founder of Venvera and a 20+ year veteran of European cybersecurity and compliance. He has led security and risk programmes for regulated financial institutions, fintechs and SaaS companies operating under DORA, NIS2, GDPR, ISO 27001 and the EU AI Act. Before Venvera, he founded Atlant Security, an offensive security consultancy that ran penetration tests, red-team exercises and ISO 27001 readiness programmes for clients across the EU and the Middle East. He writes on the cross-framework realities of running modern compliance: how to map one control to many obligations, where the spreadsheets fall apart, and what regulators are actually asking for once the auditor sits down.
