You received a DORA TLPT notification letter. The next 90 days matter most.
A programme manager's view of the regulatory clock. What to do in the 3 months between notification and your initiation documents, and the 6 months to your SSD.
The notification letter from your competent authority is not the start of a conversation. It is the start of a regulated clock. When it lands, two hard deadlines are now running simultaneously: 3 months to submit your initiation documents, and 6 months to submit your Scope Specification Document. Miss either one, and you are in a supervisory conversation you do not want to have.
Most institutions that have received TLPT notification letters in 2025 and 2026 have made the same set of early mistakes: treating the letter as a heads-up rather than a trigger, assembling a Control Team too slowly, and underestimating how long provider procurement actually takes when you are looking for two independent, Article 27-compliant providers with demonstrable TIBER-EU experience. This post is about what to do instead.
Not sure your entity is on track for a notification letter? Run the free 60-second scope check before reading on.
What the notification letter actually triggers
Under Article 26 of Regulation (EU) 2022/2554 and the requirements codified in Commission Delegated Regulation (EU) 2025/1190 (the TLPT RTS), the notification letter formally designates your entity for TLPT. From receipt:
- T+3 months: Initiation documents must be submitted to your competent authority. These cover your high-level project plan, the identity and authority of your Control Team Lead, and communication protocols between the entity and the TLPT Cyber Team at the NCA.
- T+6 months: Your Scope Specification Document (SSD) must be submitted and approved. The SSD defines which Critical or Important Functions are in scope, the underlying ICT systems supporting those functions, the objectives (flags) the red team will attempt to achieve, and whether any ICT third-party providers will be included.
Both deadlines are regulatory obligations, not internal project milestones. Missing them without an agreed extension creates a supervisory record you will need to explain.
The first 30 days: Control Team assembly
The most important decision in the first month is who your Control Team Lead will be and who will sit on the Control Team alongside them.
The Control Team is the small, senior group within your institution who know the test is happening. They manage the process, interface with providers and the regulator, and maintain test confidentiality from the rest of the organisation, including your Blue Team and SOC. The Control Team Lead must have sufficient organisational authority to make decisions across IT, Legal, Procurement, and senior management without escalating for every approval.
The ECB Control Team Guidance (January 2025) is the reference document for this role. Read it before you appoint anyone. The role is not a coordination position. It requires genuine authority, genuine discretion, and the ability to manage an active engagement without briefing stakeholders who should not be briefed.
Common errors in this phase:
- Appointing a Control Team Lead who is too junior to authorise test actions against live production systems
- Assembling a Control Team that is too large (test confidentiality is harder to maintain across 10 people than across 3)
- Including the Head of the SOC or the CISO in a role where they would need to know the test is running (which would compromise Blue Team integrity)
The right structure is typically: a senior programme or risk executive as Control Team Lead, with representation from Legal and a single senior IT or architecture contact who can answer technical questions without the rest of the team knowing why they are being asked.
Days 30 to 60: Procurement signals and provider timing
TLPT engagements run for 12 to 18 months from initiation. Provider capacity is limited. The time between deciding to go to market and having a contracted, NCA-cleared provider in place is longer than most procurement teams expect.
Your two procurement streams are independent:
Threat Intelligence provider: Must always be external under Article 27, with no exceptions. No internal team, no waiver, no workaround. The TTI provider produces the Targeted Threat Intelligence report that drives scenario design. They must demonstrate relevant financial sector expertise and prior TLPT-related delivery experience. Critically, they must be independent of your red team provider. If both are from the same organisation, the RTS requires staff-level separation between the two functions.
Red Team provider: Must meet Article 27 criteria including accreditation or certification by a national body (CREST accreditation is widely used and recognised), professional indemnity insurance, and verified independence from your institution. If you are an SSM significant credit institution (directly supervised by the ECB), you must use an external red team. There is no internal option.
The procurement process for two independent providers, including your NCA’s verification of absence of conflicts of interest, typically takes two to three months from issuing an RFP to signed contracts. Starting this process in month two of your T+6 window is not early. Starting it in month four is too late.
Do not approach your existing MSSP, your external auditor, or your existing pen test panel first. Not because they cannot do it in principle, but because the independence requirement means they likely cannot do it without conflict. Work through your NCA guidance on qualified providers, or consult the ECB Service Provider Procurement Guidance (January 2025) as a reference framework.
Days 60 to 90: Scoping the SSD
The Scope Specification Document is the deliverable that most programme managers underestimate. It is not a scope statement for a pen test. It is a regulatory document that defines: which Critical or Important Functions (CIFs) are in scope; the underlying ICT systems, infrastructure, and third-party services supporting those CIFs; the flags (specific objectives the red team must attempt to reach); and any third-party provider participation.
Identifying your CIFs is the hard part. Article 3(22) of DORA defines a critical or important function as one whose failure would materially impair the entity’s financial performance, soundness, continuation of operations, or regulatory compliance. In practice, this means core banking or payment processing, trading and clearing systems, customer-facing digital channels generating material revenue, and any function whose interruption would trigger a DORA major incident.
You cannot self-certify scope. The SSD must be validated by your competent authority before the threat intelligence and red team phases begin. If your competent authority challenges your CIF selection, you need time to revise and resubmit. Build that contingency into your T+6 timeline.
Common SSD scoping errors:
- Scoping too narrowly to avoid operational disruption risk (the NCA will challenge this)
- Including systems that are technically in scope but where third-party participation would require six months of legal negotiation with a hyperscaler that is not set up for TLPT
- Failing to document ICT third-party dependencies at the level of granularity the RTS requires
The ECB Scope Specification Document Guidance (January 2025) walks through the SSD structure in detail. Use it. Your competent authority will be comparing your submission against it.
What good looks like at T+6 months
By the six-month mark, a programme that is on track should have:
- Control Team appointed, authority documented, and NCA communication channels established
- Both TI and red team providers contracted and NCA-cleared for conflicts of interest
- SSD drafted, internally reviewed, and submitted for NCA approval
- A realistic timeline to attestation mapped, with the 17 January 2028 first-cycle deadline as the anchor
The entities that will struggle in 2027 are the ones that treated the T+6 deadline as the finish line. It is not. It is the end of the preparation phase. The 12-week minimum active test window, followed by a 10-week purple team period, followed by reporting and attestation, all sit after that.
If you have just received a notification letter and the T+6 clock is already running, the practical question is not “do we have time” but “how tightly do we need to run this programme.” For most institutions, the answer is: tighter than your normal governance cadence allows.
For the full engagement phase breakdown and preparation checklist, see the DORA TLPT timeline page.