Choosing a DORA TLPT provider: what Article 27 requires (and what it does not say)
Article 27 sets the bar for TLPT providers but leaves room for interpretation. A practitioner read on accreditation, independence, insurance, and what to actually look for in a procurement.
The TLPT provider market has a noise problem. Since DORA became directly applicable in January 2025, a significant number of firms that have never run a TIBER-EU or CBEST test have added “DORA TLPT” to their service pages. Some of them have no prior financial sector red team delivery experience. Some have the right accreditations on paper but not the right personnel in practice. Some will tell you that their existing pen test capability satisfies Article 27. It does not.
Article 27 of Regulation (EU) 2022/2554 sets five criteria that TLPT providers must meet. Understanding what each criterion actually requires, and where the regulation leaves gaps that NCA guidance and procurement practice must fill, is the work. Here is how to read it.
The five Article 27 criteria
Article 27 requires that financial entities use only testers who satisfy all of the following:
Criterion (a): Highest suitability and reputability. This is the most interpretive criterion in the article. The regulation does not define “highest suitability.” In practice, this is assessed by your competent authority when they verify the absence of conflicts of interest. What it signals in procurement is that Article 27 is not met simply by holding the right certifications. The NCA will look at the actual personnel assigned to your test, their individual experience, and the firm’s track record with comparable institutions. A firm with CREST accreditation but no prior financial sector delivery experience, and personnel who have never run a multi-phase TIBER-style engagement, will struggle against this criterion, and may not be told so explicitly until the NCA verification stage.
Criterion (b): Specific expertise in threat intelligence, penetration testing, and red team testing. The regulation names all three disciplines explicitly. This matters because threat intelligence expertise and red team expertise are different skill sets, and firms that are strong in one are not automatically strong in the other. The ESA Joint Final Report JC 2024-29 provides additional context on what the ESAs considered when drafting this requirement: depth of financial sector-specific knowledge, understanding of the regulatory framework, and evidence of having delivered comparable exercises.
Criterion (c): Certification by an accreditation body or adherence to formal codes of conduct. The regulation does not name CREST or any other body. It requires certification by “an accreditation body in a Member State” or adherence to “formal codes of conduct or ethical frameworks verified by a national body.” CREST is the most widely used route to meeting this criterion, and CREST-accredited firms that hold CBEST, TIBER, or equivalent national approvals are well-positioned. But CREST accreditation is not the only qualifying path, and holding CREST accreditation at the organisational level does not automatically mean the specific personnel on your test hold the individual CREST certifications relevant to TLPT delivery. Check both.
Criterion (d): Independent assurance or an audit report on sound management of TLPT-related risks. This includes protection of your institution’s confidential information. The full technical red team report contains live vulnerability detail, attack paths, and architecture weaknesses. The provider must demonstrate documented procedures for how that material is generated, stored, aggregated, communicated, and destroyed. In procurement terms: ask for the firm’s documented information handling procedures for TLPT deliverables, and check that they are consistent with the confidentiality requirements in Article 26(7).
Criterion (e): Full professional indemnity insurance including for misconduct and negligence. The regulation specifies coverage “including for misconduct and negligence.” This is not a standard PI insurance clause. The level and structure of cover required for a TLPT engagement against live production systems at a systemically important institution is materially different from a standard pen test PI policy. Ask for the actual policy, not a summary. Check that the limits are appropriate to the engagement scope.
The rule that has no exceptions: threat intelligence is always external
Regardless of whether your entity uses an internal or external red team, the threat intelligence provider must always be external. Article 27 is clear on this, and Commission Delegated Regulation (EU) 2025/1190 reinforces it. There is no internal option for the TTI function, no matter the size of your institution, no matter the maturity of your internal threat intelligence capability.
The rationale is straightforward: the TTI report must reflect an independent, current assessment of the external threat landscape. An internal team produces an assessment shaped by what the institution already knows and by the institutional filters that apply to any internal function. An external provider sees the broader threat intelligence picture, including information from sources your institution does not have access to, and produces an assessment that is harder to inadvertently bias toward what the institution wants to hear.
The 2-in-3 rule and its real limits
Subject to conditions in Commission Delegated Regulation (EU) 2025/1190, financial entities that are not SSM significant credit institutions may use internal red team testers for TLPT, but only for two consecutive cycles. The third must use an external provider. This is the 2-in-3 rule.
The rule exists as written. But there are practical constraints that often make the internal option less attractive than it appears:
First, internal testers must meet the same capability requirements as external testers under Article 27. The competent authority verifies this and checks for conflicts of interest. An internal red team that has primarily run internal assessments against the institution’s own environment, without the breadth of exposure that comes from operating across multiple financial institutions, will face scrutiny on criterion (b).
Second, the separation requirement between the TI and RT functions means that your internal red team cannot contribute to the TTI report even informally. The intelligence that drives scenario design must come entirely from the external TI provider. In practice, this limits the advantage of having an internal team, because the scenario design they receive is the same one an external team would receive.
Third, for SSM significant credit institutions, there is no choice. An external red team is mandatory in every cycle. No exceptions.
What “TIBER-EU accredited” actually means
Some provider marketing uses “TIBER-EU accredited” as a credential. The phrase requires unpacking. TIBER-EU is an ECB-managed framework; NCAs that operate national TIBER implementations maintain their own approved provider lists. Being on the DNB TIBER-NL list, or the Banco de Portugal TIBER-PT list, means the NCA has assessed that provider as qualified to deliver TIBER tests within that jurisdiction. It is a meaningful signal.
But national TIBER lists are jurisdiction-specific. A provider approved under TIBER-NL is not automatically approved by BaFin or the CBI. For cross-border engagements, check each relevant NCA’s guidance. There is no single EU-wide list of DORA TLPT-approved providers, and DORA does not create one. The ECB SSM Supervisory Guide (November 2025) provides ECB-specific guidance for SSM significant institutions.
Five procurement mistakes to avoid
1. Treating the TI and RT procurement as a single vendor decision. The independence requirement means they must be separate. Even if a single firm offers both functions, the RTS requires staff-level separation between the TTI and red team roles. Single-firm procurement increases the coordination surface for conflicts of interest and gives the NCA more to examine at verification.
2. Sole-sourcing to your existing audit firm or MSSP. Independence from the institution is a hard requirement. If your MSSP already monitors your environment, they know your architecture. A red team with that knowledge base is not operating covertly.
3. Evaluating TLPT capability against pen test criteria. Scope, cost, duration, and methodology are all different categories. A proposal that looks well-structured for a standard pen test may be fundamentally unsuited to TLPT delivery. Ask specifically about prior TIBER-EU or CBEST delivery, the specific individuals who would be assigned, and how they would approach the TTI-to-scenario translation phase.
4. Not checking PI insurance specifics. Standard cybersecurity PI policies often exclude or limit coverage for tests on live production systems or for incidents arising from authorised testing. For an engagement that runs 12 active weeks against your payment systems, the policy exclusions matter.
5. Deferring NCA verification. Article 27 requires the competent authority to verify “sufficient dedicated resources and the absence of conflicts of interest” for your chosen providers. That verification takes time. Starting procurement late and then running the NCA verification in parallel with the engagement start is not operationally feasible.
What to actually look for
The signal I trust most when evaluating a red team provider’s TLPT credibility is the personnel record, not the company credential. Who specifically will lead the red team on this engagement? What financial sector TIBER or CBEST tests have they personally delivered, in what role, and at what type of institution? The TLPT RTS requires 12 weeks of active testing against your live production environment. The quality of that testing depends entirely on the specific individuals in the room.
A firm’s CREST organisational accreditation, held at the company level, tells you that the organisation has met baseline standards at some point. It does not tell you whether the team assigned to your engagement has the depth of financial sector tradecraft that a TLPT requires.
See the full Article 27 provider requirements breakdown and the broader DORA TLPT deep-dive for the regulatory context.