Your Regulator Is About to Call
DORA has applied since 17 January 2025. The first wave of TLPT designation notifications is rolling out across EU member states. If you're running a bank, insurance company, investment firm, payment institution, or crypto-asset service provider of any systemic significance, a letter from your national competent authority is a question of when, not if.
Most CISOs we talk to have read the regulation. Fewer have a clear picture of what a TLPT engagement actually looks like from the inside, how long it really takes, or what drives the cost.
Article 25 vs. TLPT: Two Very Different Tests
DORA creates two distinct tiers of testing under Chapter IV.
General ICT testing (Article 25) applies to every in-scope financial entity. Over 20 entity types fall under DORA, from credit institutions and payment institutions to central counterparties and trading venues; ICT third-party service providers are within DORA's scope too, but the Article 25 testing obligations sit with the financial entities that use them. Article 25 lists vulnerability assessments and scans, network security assessments, source code reviews where feasible, scenario-based tests, end-to-end testing and penetration testing, among other methods. Testing must be "proportionate to the risks," and Article 24(6) requires financial entities other than microenterprises to run appropriate tests on all ICT systems and applications supporting critical or important functions at least yearly. In practice that means annual penetration testing of those systems at minimum, with more frequent testing where the risk warrants it.
Threat-led penetration testing (Articles 26-27) is the harder requirement. It applies only to entities your competent authority designates, based on systemic importance, ICT risk profile and maturity, and operational complexity, and once designated you must run a TLPT at least every three years (Article 26(1)), more often if the authority asks. TLPT simulates real-world attack scenarios developed from current threat intelligence, executed against live production systems. Not staging. Not a lab.
The scope difference between these two obligations is significant. A standard penetration test under Article 25 might take two to six weeks. A full TLPT runs 12 to 18 months.
If You're Not Designated for TLPT
If your competent authority hasn't flagged you for TLPT, your obligation under Article 25 is still real. "Proportionate to risks" doesn't mean a vulnerability scan and a PDF.
Regulators expect risk-based penetration testing covering your critical ICT systems: web applications (customer portals, APIs, trading platforms), network infrastructure (external perimeter and internal, with particular attention to Active Directory), cloud environments, and third-party integrations. DORA's ICT third-party risk management requirements (Articles 28-44) mean the connections to your payment processors, data providers, and critical service providers need scrutiny too.
Before testing starts, knowing your actual external footprint matters. We run continuous attack surface reconnaissance using our own ASM engine to map exposed services, forgotten subdomains, and third-party integrations before a single test begins. That recon feeds directly into scoping, so testing covers what's actually exposed, not just what's documented.
The deliverables should demonstrate clear mapping between what was tested and what DORA requires. "We did a pentest" won't satisfy a regulator asking to see your testing programme. You need to show which critical ICT systems were tested, what threat scenarios were covered, what was found, and how it was remediated.
What a TLPT Engagement Actually Looks Like
DORA's TLPT framework builds on TIBER-EU, the ECB's red teaming framework published in May 2018. Over 100 TIBER tests were conducted across 20+ EU jurisdictions before DORA made the framework legally binding. The key differences: DORA mandates purple teaming (TIBER only "strongly encouraged" it), allows internal testers under conditions, and creates a mutual recognition mechanism across jurisdictions.
Here's how the process runs in practice.
Preparation and Scoping (Up to 6 Months)
After your competent authority issues the designation notification, you stand up a control team: a small group within your organization who will know about the test. Nobody else finds out until it's over.
The control team works with the TLPT authority to define scope. This covers which critical functions to target, which production systems are in play, and what risk management controls protect against operational disruption during testing. The RTS allows up to 6 months from notification to finalized scope specification.
This phase is where most entities underestimate the effort. Scope negotiation with a regulator isn't a quick call.
Threat Intelligence (8-12 Weeks)
A threat intelligence provider produces a targeted report identifying the most relevant adversaries for your specific entity and sub-sector. Which APT groups are active in your space, what initial access vectors they favor, what your specific exposure looks like from the outside.
The TI provider must be external to your organization. The same firm can supply both threat intelligence and red team services, but the staff must be separated and independent. Where you use internal red teamers, the TI provider must come from a different organization entirely.
The output isn't a generic threat landscape briefing. It's the operational blueprint for the red team phase: specific scenarios, specific targets, specific TTPs mapped to your environment.
Active Red Teaming (Minimum 12 Weeks)
The red team executes the scenarios against your live production systems. The RTS sets a minimum of 12 weeks for active testing, though complex engagements run longer depending on the number of scenarios.
During this phase, your SOC, incident response team, helpdesk, and IT infrastructure teams are explicitly kept unaware. The RTS defines these as "blue team tasks" and requires they operate without knowledge of the test. Only the control team knows.
This is where TLPT diverges from anything you've experienced in a standard penetration test. A pentest finding reads "unpatched server, CVE-2024-XXXX." A TLPT finding reads "we moved laterally through payments infrastructure for over a week without detection, reached payment system credentials, and identified gaps in east-west traffic monitoring." The red team operates under realistic adversary constraints over weeks, not days, testing whether your detection and response capabilities actually work, not just whether a specific vulnerability exists.
The control team manages operational risk throughout. If a scenario threatens genuine business disruption, the control team can intervene. The RTS also defines "leg-ups" (Article 1(12)), where the control team provides specific access or information to keep the test moving when an obstacle would stall progress without adding security insight.
Purple Teaming and Closure (~6 Months)
After active testing, the RTS mandates purple teaming within 10 weeks. This is not optional. DORA made purple teaming a mandatory closure requirement, a deliberate upgrade from TIBER-EU.
The purple team phase brings the red team together with your blue team (who now learn, for the first time, that they were being tested). Every attack path is replayed. Detection timelines are examined. The blue team sees exactly where their coverage model failed and works with the red team to write or tune detection rules.
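The gap analysis that purple teaming rests on is mechanical enough to script. The following Python is an added example, not code from the original article or from any TLPT provider: it pairs the red team's own activity timeline with the alerts the SOC actually raised, computes time-to-detect per step, and reports the steps that never fired an alert together with the longest window in which the attacker operated blind. The two logs, the host names, the rule names, the MITRE technique tags and the end-of-test date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (hypothetical, not from any real engagement).
# RED_TEAM_LOG: the red team's activity record from the active phase.
# SOC_ALERTS:   what the blue team's tooling raised in the same period.
RED_TEAM_LOG = """\
2025-03-03T09:12:00Z step=1 host=ws-041 technique=T1566.001 desc=phishing payload executed
2025-03-03T11:40:00Z step=2 host=ws-041 technique=T1003.001 desc=LSASS memory dumped
2025-03-04T15:05:00Z step=3 host=srv-fs02 technique=T1021.002 desc=SMB lateral movement to file server
2025-03-06T10:30:00Z step=4 host=pay-app01 technique=T1021.001 desc=RDP into payments app tier
2025-03-11T08:20:00Z step=5 host=pay-db01 technique=T1552.001 desc=payment service credentials read from config
"""
SOC_ALERTS = """\
2025-03-03T09:14:30Z rule=EDR-MaliciousMacro host=ws-041 technique=T1566.001
2025-03-03T12:55:00Z rule=EDR-CredentialDump host=ws-041 technique=T1003.001
2025-03-12T16:00:00Z rule=DLP-ConfigRead host=pay-db01 technique=T1552.001
"""
TEST_END = datetime(2025, 3, 14, 0, 0)   # assumed end of the active phase
MATCH_WINDOW = timedelta(days=7)         # how long after a step an alert still counts


@dataclass
class Step:
    step: int
    ts: datetime
    host: str
    technique: str
    desc: str


@dataclass
class Alert:
    ts: datetime
    rule: str
    host: str
    technique: str


@dataclass
class Result:
    step: Step
    alert: Optional[Alert]   # None means the step was never detected

    @property
    def time_to_detect(self) -> Optional[timedelta]:
        return None if self.alert is None else self.alert.ts - self.step.ts


def _parse_line(line: str) -> tuple[datetime, dict]:
    """Split '<ISO timestamp> key=value ... desc=free text' into (timestamp, fields)."""
    ts_text, _, rest = line.partition(" ")
    fields = {}
    for tok in rest.split(" "):
        key, _, value = tok.partition("=")
        if key == "desc":                      # free text: keep the remainder verbatim
            fields["desc"] = rest.split("desc=", 1)[1]
            break
        fields[key] = value
    return datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), fields


def parse_steps(text: str) -> list[Step]:
    steps = []
    for line in text.strip().splitlines():
        ts, f = _parse_line(line)
        steps.append(Step(int(f["step"]), ts, f["host"], f["technique"], f["desc"]))
    return sorted(steps, key=lambda s: s.ts)


def parse_alerts(text: str) -> list[Alert]:
    alerts = []
    for line in text.strip().splitlines():
        ts, f = _parse_line(line)
        alerts.append(Alert(ts, f["rule"], f["host"], f["technique"]))
    return sorted(alerts, key=lambda a: a.ts)


def match_detections(steps: list[Step], alerts: list[Alert], window=MATCH_WINDOW) -> list[Result]:
    """Pair each step with the earliest alert on the same host and technique
    that fired after the step and inside the window (alerts are sorted by time)."""
    results = []
    for s in steps:
        hit = next((a for a in alerts
                    if a.host == s.host and a.technique == s.technique
                    and s.ts <= a.ts <= s.ts + window), None)
        results.append(Result(s, hit))
    return results


def coverage_summary(results: list[Result], alerts: list[Alert], test_end=TEST_END) -> dict:
    """Headline numbers the purple team session works from."""
    detected = [r for r in results if r.alert is not None]
    undetected = [r for r in results if r.alert is None]
    ttds = [r.time_to_detect for r in detected]
    # For each undetected step: time until *any* alert fired, or until the test ended.
    blind = [next((a.ts for a in alerts if a.ts >= r.step.ts), test_end) - r.step.ts
             for r in undetected]
    return {
        "detected": len(detected),
        "undetected_steps": [r.step.step for r in undetected],
        "max_time_to_detect": max(ttds) if ttds else None,
        "longest_blind_window": max(blind) if blind else timedelta(0),
        "rules_needed": [(r.step.technique, r.step.host) for r in undetected],
    }


def analyse_sample():
    steps, alerts = parse_steps(RED_TEAM_LOG), parse_alerts(SOC_ALERTS)
    results = match_detections(steps, alerts)
    return results, coverage_summary(results, alerts)


if __name__ == "__main__":
    results, summary = analyse_sample()
    for r in results:
        status = f"detected after {r.time_to_detect}" if r.alert else "NOT DETECTED"
        print(f"step {r.step.step} {r.step.technique:10} {r.step.host:10} {status}")
    print(summary)
```

On the constructed data the two lateral-movement steps (SMB to the file server, RDP into the payments tier) never fire, and the longest blind window is just over eight days, which is exactly the kind of finding the text above describes: not a missing patch, but an east-west monitoring gap that the blue team now has a concrete host and technique to write a rule for. Matching on host plus technique is deliberately strict; in a real session the control team will also want to credit alerts that fired on a related host or under a different technique tag, and to distinguish an alert that fired from one that was triaged and acted on.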
The closure phase produces a summary report and remediation plan that goes to your TLPT authority. Notably, the full red team report does not go to the regulator. They receive a test summary, remediation commitments, and an attestation confirming the test was conducted properly.
Total realistic timeline from notification to attestation: 12 to 18 months.
| Phase | Duration | What happens |
|---|---|---|
| Preparation and scoping | Up to 6 months | Control team formed, scope negotiated with regulator |
| Threat intelligence | 8-12 weeks | Targeted adversary analysis, scenario design |
| Active red teaming | 12+ weeks | Live production testing, blue team unaware |
| Purple teaming and closure | ~6 months | Attack replay, detection tuning, remediation plan, attestation |
What Drives Cost and Timeline
The difference between a standard penetration test and a TLPT programme comes down to scope.
For general ICT testing (Article 25), the variables are straightforward: number of applications, network segments, cloud environments, and the depth of testing required. A web application penetration test might run two weeks. Testing your full external perimeter, internal network, and critical cloud infrastructure might take four to six weeks. Timeline and cost scale with the number of systems and the complexity of your environment.
For TLPT, the cost drivers are different. The engagement spans 12-18 months with specialized providers. Threat intelligence, red teaming, and purple teaming each require distinct expertise. Testing runs against production, which demands careful operational risk management. The number of threat scenarios, the geographic spread of your operations, and whether you use internal or external red teamers all affect the total programme cost.
The honest answer: cost depends entirely on your scope. If you're working against a regulatory deadline or need to move quickly, we can run a scoping session to map your obligations and build a testing plan matched to your timeline. Get in touch to start.
The Internal Tester Question
DORA permits internal red teams for TLPT, a departure from TIBER-EU which required external testers only. But the conditions are strict: supervisory approval, verified resources, no conflicts of interest, external TI provider, and staff with at least 12 months' tenure. Every third TLPT must still use external testers regardless.
Here's the catch most articles skip: institutions large enough to maintain a qualified internal red team are often significant credit institutions under direct ECB supervision, and DORA itself (Article 26(8)) requires those institutions to use external testers only. Meanwhile, smaller institutions that are permitted to use internal teams probably don't have staff who meet the Article 27 and RTS requirements.
The regulation created an option almost nobody can exercise in practice.
What's Still Unclear
DORA left some things open. Two worth flagging:
There's no pass/fail threshold. The attestation confirms the test was conducted properly, not that the entity passed. DORA requires a remediation plan, but there's no defined remediation window and no minimum score. What "good enough" looks like will vary by regulator until practice converges.
Cross-border recognition is untested. The attestation mechanism for mutual recognition across EU jurisdictions exists in the regulation. But with first TLPTs not completing until 2027-2028, nobody has exercised it yet. If you operate in multiple countries, agree recognition conditions with all relevant authorities before testing starts.
Start Before Your Regulator Asks
The regulation is enforceable. Supervisory reviews are underway across member states. Note that DORA leaves administrative penalties for financial entities to national law (Article 50), so the maximum fine depends on your jurisdiction; the only turnover-based sanction written into the regulation itself is the periodic penalty payment of up to 1% of average daily worldwide turnover that the Lead Overseer can impose on critical ICT third-party service providers (Article 35).
How strictly different regulators will interpret "proportionate to risks" for Article 25 testing is still an open question. Enforcement will vary across jurisdictions in the early years, particularly for entities operating in multiple EU countries.
That said, the direction is clear.
If you expect TLPT designation: start provider selection now. A 12-18 month engagement timeline means waiting for the notification letter before starting procurement costs you a full year. Build your control team. Identify who in your organization can hold the secret.
If you fall under general ICT testing: review your current penetration testing programme against Article 25 expectations. If your last test was an automated scan with a templated report, it likely doesn't meet the bar.
Either way, the time to act is before your regulator asks to see your testing programme, not after.
Written by Piotr Duszyński