Purple teaming is now mandatory under DORA. What that actually changes.
DORA made purple teaming mandatory where TIBER-EU only encouraged it. The operational shift, the 10-week clock, and why most commercial red team engagements would now fail compliance.
Every red team engagement I have run has ended with the blue team finding out at the debrief. Not a structured replay. Not a collaborative walkthrough of every action taken. A meeting where the red team presents findings, the blue team reacts, and everyone goes home. That model was standard practice for years. Under Commission Delegated Regulation (EU) 2025/1190, it no longer satisfies DORA TLPT requirements.
Purple teaming was encouraged under the pre-2025 TIBER-EU framework. From 8 July 2025, when the TLPT RTS became directly applicable, it became mandatory. The change is not cosmetic. It has material implications for how TLPT engagements are staffed, scoped, and delivered, and it means that most commercial red team engagements, structured the way they currently are, would not produce an output that satisfies a competent authority’s attestation requirements.
What changed between TIBER-EU and DORA
The pre-2025 TIBER-EU framework, developed by the ECB and operated by national central banks from 2019, was the direct predecessor of DORA TLPT. The ESAs designed the TLPT RTS explicitly to distil TIBER-EU’s mandatory elements into binding regulation, while adding requirements that TIBER-EU had left to best practice or NCA discretion.
The delta on purple teaming is the most operationally significant change in the transition:
| Feature | Pre-2025 TIBER-EU | DORA TLPT (RTS 2025/1190) |
|---|---|---|
| Purple teaming | Encouraged, not mandatory | Mandatory; precondition for attestation |
| Timing requirement | No binding deadline | Must occur within 10 weeks of red team phase completing |
| CIA triad coverage | Not explicitly required | Scenarios must address Confidentiality, Integrity, Availability |
| Delivery timelines | Guidance-based | Codified in binding RTS |
The ECB published updated purple teaming guidance in January 2025, aligning the TIBER-EU framework with what the RTS was about to require. The guidance makes clear that the structured collaborative replay is not a debrief and not a lessons-learned session. It is a formal, structured phase of the engagement with its own deliverable requirements.
What purple teaming under DORA actually involves
The mechanics are specified in the RTS and elaborated in the ECB guidance. Once the active red team phase ends, the process works as follows:
The Control Team informs the Blue Team that a TLPT has been taking place. This is the first moment the Blue Team knows. Their reactions during the active phase, every alert that fired and every one that did not, every incident response action taken and every one missed, are now the data set for the collaborative replay.
The red team and blue team then work together, with the Control Team presiding, through every significant action the red team took during the active phase. The red team explains each technique: the tools used, the timing, how they attempted to avoid detection, what they were targeting at each stage, and what they achieved. The blue team maps each action against their detection record: did the SIEM fire? Did anyone investigate? What was the outcome?
The output of this replay is a joint understanding of:
- Which controls operated as designed and detected the action
- Which controls should have fired but did not
- Which actions were taken in a way that evaded controls that would have detected a less skilled operator
- Which entire attack stages went undetected throughout the 12-week active phase
The 10-week window for completing this exercise, measured from the end of the red team phase, is a binding requirement. It is not a target. The report that feeds the competent authority’s attestation review cannot be completed without the purple team outputs.
Why this is different from a traditional debrief
The distinction matters for procurement and for understanding what a TLPT delivery actually costs.
A traditional red team debrief is structured around findings: here is what we found, here is how we got there, here is a severity rating. The blue team receives the report. They then work out, independently, which of those findings their controls should have caught.
A DORA purple team is structured around detection gaps: we took this action at this time, using this technique. Your SIEM should have generated this alert. Did it? If not, why not? If it did, was it investigated? Why was it dismissed?
This requires the red team to have maintained granular logs throughout the 12-week active phase: timestamped actions, the specific tools and techniques used, the credential sets exploited, the lateral movement steps taken. It requires the blue team to bring their full detection logs for the same period. The replay maps one against the other.
For a 12-week engagement against a complex institution with multiple critical functions, that data set is substantial. The purple team exercise is not a half-day workshop. It is a structured, multi-session process that requires preparation from both sides.
The reason most commercial red team engagements would fail to satisfy this requirement is straightforward: they are not designed to generate the red team logging granularity required for a structured replay, and they do not include a structured collaborative phase in their delivery model. Report-and-leave is the standard commercial model. DORA requires something materially different.
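The replay described above is, at its core, a join between two records: the red team's timestamped action log and the blue team's alert record for the same period. The following is an added example (not the ECB's, the RTS's, or any provider's tooling) of what that correlation looks like in code. It classifies each red team action into the four outcome categories listed earlier (detected, fired but not investigated, evaded, missed), derives which attack stages produced no alert at all, and includes the SIEM log-retention check that the staffing section below raises. Field names, rule names, the 24-hour matching window, and all sample log entries are constructed assumptions for illustration.

```python
"""Correlate a red team action log with the blue team's SIEM alert record.

Added example for the structured replay described in the article; not the
ECB's, the RTS's or any provider's tooling. Field names, rule names, the
matching window and all sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RedAction:
    ts: datetime
    stage: str            # attack stage as recorded in the red team log
    technique: str        # technique label as recorded in the red team log
    expected_rule: str    # detection rule the blue team says covers this technique (assumed name)
    evasion_used: bool    # red team deliberately shaped the action to avoid a known control


@dataclass(frozen=True)
class BlueAlert:
    ts: datetime
    rule: str
    investigated: bool    # did an analyst actually pick the alert up?
    outcome: str          # analyst outcome: "escalated", "dismissed" or "open"


# Assumption: an alert counts as covering an action if it lands within a day of it.
MATCH_WINDOW = timedelta(hours=24)
CATEGORIES = ("detected", "fired-not-investigated", "evaded", "missed")


def find_alert(action: RedAction, alerts: list[BlueAlert]) -> Optional[BlueAlert]:
    """Return the first alert whose rule matches the action and whose time is within the window."""
    for alert in alerts:
        if alert.rule == action.expected_rule and abs(alert.ts - action.ts) <= MATCH_WINDOW:
            return alert
    return None


def classify(action: RedAction, alerts: list[BlueAlert]) -> str:
    """Map one red team action to a replay outcome category."""
    alert = find_alert(action, alerts)
    if alert is None:
        # No alert at all: either a control was evaded on purpose or it simply did not fire.
        return "evaded" if action.evasion_used else "missed"
    # The control operated; whether triage handled it well is a separate question.
    return "detected" if alert.investigated else "fired-not-investigated"


def replay(actions: list[RedAction], alerts: list[BlueAlert]) -> dict:
    """Build the joint replay output: per-action verdicts, undetected stages, category counts."""
    rows = [(act, classify(act, alerts)) for act in actions]
    seen_stages = {act.stage for act in actions}
    alerted_stages = {act.stage for act, cat in rows if cat in ("detected", "fired-not-investigated")}
    return {
        "per_action": [(act.ts.date().isoformat(), act.stage, act.technique, cat) for act, cat in rows],
        "undetected_stages": sorted(seen_stages - alerted_stages),   # stages with no alert at all
        "counts": {cat: sum(1 for _, c in rows if c == cat) for cat in CATEGORIES},
    }


def retention_covers_replay(retention_days: int, phase_start: datetime, replay_date: datetime) -> bool:
    """True if the earliest active-phase logs are still in the SIEM on the replay date."""
    return (replay_date - phase_start) <= timedelta(days=retention_days)


# Constructed sample data: a 12-week active phase starting 2025-09-01, replayed 2025-12-15.
PHASE_START = datetime(2025, 9, 1)
REPLAY_DATE = datetime(2025, 12, 15)
ACTIONS = [
    RedAction(datetime(2025, 9, 3, 10, 0), "initial-access", "macro-lure", "mail-gateway-macro", False),
    RedAction(datetime(2025, 9, 10, 9, 30), "credential-access", "service-ticket-request", "kerberoast-spn-request", True),
    RedAction(datetime(2025, 9, 20, 16, 0), "lateral-movement", "remote-service", "remote-service-create", False),
    RedAction(datetime(2025, 10, 5, 14, 0), "lateral-movement", "wmi-exec", "wmi-remote-exec", False),
    RedAction(datetime(2025, 11, 10, 2, 0), "exfiltration", "dns-tunnel", "dns-high-entropy", True),
]
ALERTS = [
    BlueAlert(datetime(2025, 9, 3, 10, 5), "mail-gateway-macro", True, "dismissed"),
    BlueAlert(datetime(2025, 9, 15, 8, 0), "av-quarantine", True, "escalated"),   # unrelated noise
    BlueAlert(datetime(2025, 10, 5, 14, 2), "wmi-remote-exec", False, "open"),
]

if __name__ == "__main__":
    result = replay(ACTIONS, ALERTS)
    for row in result["per_action"]:
        print(*row)
    print("stages with no alert:", result["undetected_stages"])
    print("counts:", result["counts"])
    print("30-day retention covers replay:", retention_covers_replay(30, PHASE_START, REPLAY_DATE))
```

The per-action table is the material the joint session walks through; the undetected-stages list is the headline finding for the remediation plan, since a whole stage with no alert is a coverage gap rather than a tuning problem. The retention check makes the scoping point concrete: with a 12-week active phase and a replay inside the 10-week window, the earliest actions can be more than five months old by the time they are replayed, so 30 days of SIEM retention cannot support the exercise.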
The capability transfer that justifies the mandatory status
The regulatory rationale for making purple teaming mandatory is not bureaucratic. It is about whether the institution actually improves its defensive capability as a result of the test.
A red team report describes what happened. It is a point-in-time record of vulnerabilities, misconfigurations, and detection gaps. The institution reads it, prioritises the findings, and creates a remediation plan. Some percentage of those findings get remediated within the agreed timeline. The institution is somewhat more resilient than before. That is not nothing.
A structured purple team replay does something different. The Blue Team does not just receive a description of what the red team did. They sit through a technical reconstruction, step by step, of how a skilled adversary moved through their environment over three months. They see exactly where the gaps were. They understand why their SIEM did not fire on a specific technique. They learn the attacker’s perspective on their own infrastructure.
The remediation that comes out of this process is more targeted, better prioritised, and more likely to address the actual detection gaps than remediation driven by a report alone. This is what the ESAs were trying to codify when they made the structured replay mandatory.
For significant institutions under SSM supervision, the ECB SSM Supervisory Guide (November 2025) sets out the ECB’s specific expectations for purple teaming as part of the TLPT process. It is worth reading alongside the RTS.
Operational implications for how you staff and procure
The mandatory purple team requirement has direct implications for how the engagement is structured from the start, not just at the end.
Red team logging discipline. The red team must maintain timestamped, action-level logs throughout the active phase. This is not optional and cannot be reconstructed after the fact. The provider needs to demonstrate, before engagement start, what their logging infrastructure looks like and how they handle the data through to the purple team session and subsequent destruction.
Blue team readiness. The Blue Team does not know a test is running during the active phase. But your TLPT programme lead needs to ensure that the Blue Team’s detection tooling and log retention are adequate to support the replay. If your SIEM retains data for 30 days and your active phase runs 12 weeks, you have a problem that needs to be addressed in the scoping phase.
Control Team authority. The Control Team Lead manages the transition from the active phase to the purple team session. This includes the decision about when and how to inform the Blue Team, coordinating the practical logistics of the joint sessions, and ensuring both providers remain available within the 10-week window. At large institutions, senior personnel availability within a specific 10-week window requires forward planning.
Provider selection. Not all red team providers have delivered purple teaming at the depth the RTS requires. When evaluating providers under Article 27, ask specifically about how they have run purple team sessions on prior TIBER-EU or CBEST engagements, what their logging infrastructure looks like, and what structured replay outputs they have delivered for previous clients. The difference between a provider who has done this and one who is proposing to do it for the first time is significant.
What the attestation requires
The competent authority will not issue an attestation unless the purple team phase has been completed and its outputs feed the summary findings and remediation plan submitted for review. The TLPT RTS makes this explicit. Purple teaming is not a recommended enhancement to the TLPT process. It is a precondition for the regulatory endpoint.
If your engagement delivers a red team report but no structured collaborative replay, you do not have a DORA TLPT result. You have a sophisticated penetration test. The competent authority will not accept it as satisfying the Article 26 obligation.
For the full breakdown of how purple teaming fits into the seven-phase TLPT engagement structure, see the DORA TLPT Article 26 deep-dive.