The EU TLPT provider market is tight. What that means for your 2028 deadline.

A limited number of TIBER and DORA-accredited red team and threat intelligence providers face concentrated demand into 2027. What designated entities should do about it now.

SP
Manit Sahib
Red Team Leader
6 min

The 17 January 2028 deadline for completing the first DORA TLPT cycle is closer than it sounds. A full engagement from notification to attestation takes 12 to 18 months. Provider capacity across the EU is limited. The number of designated entities is not small. The supply and demand arithmetic is not comfortable, and entities that have not started procurement by Q3 2026 will be competing for provider slots in 2027 that may already be taken.

This post is not a scare piece. It is an accurate read of a real constraint, and it has a practical implication for when you start moving.

Not sure whether you sit inside the designated population this scarcity affects? Run the free 60-second scope check before reading on.


The deadline and the math

Article 26(1) of Regulation (EU) 2022/2554 requires designated entities to complete TLPT “at least every three years.” The regulation became directly applicable on 17 January 2025. For most entities designated in 2025 or early 2026, the first TLPT cycle must be completed by 17 January 2028.

That is the regulatory anchor. The operational reality sits against it.

A full TLPT engagement runs 12 to 18 months from initiation. For a complex institution with multiple Critical or Important Functions in scope, third-party cloud providers requiring contractual participation arrangements, and a large geographic footprint, 18 months is the realistic estimate, not a conservative one. For a smaller institution with a more contained scope, 12 months is achievable, but the phases still need to be sequenced correctly.

The entities in scope for TLPT include Global Systemically Important Institutions (G-SIIs), Other Systemically Important Institutions (O-SIIs), SSM significant credit institutions, large payment institutions, and other entities designated at NCA discretion. Across the EU, we are talking about a population in the hundreds. The TLPT RTS, Commission Delegated Regulation (EU) 2025/1190, became directly applicable on 8 July 2025. Designation notifications have been flowing through 2025 and 2026.


The provider supply constraint

The number of red team providers who have delivered financial sector TIBER-EU or CBEST tests, hold the relevant accreditations, and have the personnel depth to run a 12-week minimum active engagement against a systemically important institution’s live production environment is not large. This is not a criticism of the market. It reflects the fact that delivering a DORA TLPT to the standard the RTS requires is a specialised discipline, and the pool of practitioners with that specific background takes years to develop.

On the threat intelligence side, the constraint is similar. The TTI provider must always be external: Article 26(8)(c) requires it even where an entity is permitted to use internal red team testers. The relevant qualification requires genuine financial sector threat intelligence expertise, not generic CTI capability. The TTI providers with established TIBER-EU track records are a known, relatively small population.

The ESA Joint Final Report JC 2024-29 acknowledged provider market constraints during the consultation process. The ECB Service Provider Procurement Guidance (January 2025) recommends early procurement engagement. This is the regulators acknowledging the constraint in their own guidance.

As of mid-2026, providers with strong TIBER-EU delivery records are carrying forward bookings. Some are booked into 2027. The entities that will find themselves without a contracted provider in Q4 2026 are the ones that assumed provider capacity was not a planning variable.


What early planning actually gets you

Starting the procurement process now, rather than in Q4 2026, is not about being administratively ahead. It is about three concrete advantages.

Provider choice. The earlier you go to market, the broader the field of qualified providers still available. By Q4 2027, some entities will be taking whoever is still available rather than whoever they actually need. Those are not the same provider.

NCA verification timeline. Under Article 27, your competent authority must verify the absence of conflicts of interest for both your red team and threat intelligence providers before testing begins. That verification is not instant. Building a procurement timeline that assumes you can issue an RFP, select providers, negotiate contracts, and complete NCA verification within six weeks is not realistic. NCAs are managing this verification process across a large number of designated entities simultaneously.

Scoping quality. Entities that start their TLPT planning early have more time to get their Scope Specification Document right on the first submission to the NCA. Entities that are scrambling against the 17 January 2028 deadline are more likely to submit an SSD that the NCA challenges, which creates delay and, in extreme cases, forces a compressed engagement timeline that increases operational risk.


What not to do

Do not sole-source to your existing auditor or MSSP. The independence requirement in Article 27 is a hard constraint. If your MSSP already monitors your production environment, they have architecture knowledge that disqualifies them from the red team role. If your external auditor is already providing assurance on your ICT risk framework, the independence question is complicated enough that the NCA will examine it carefully. Starting procurement with the assumption that your existing supply chain will solve the problem is the most common planning error in this market right now.

Do not treat Q2 2027 as your planning start date. Providers contracted in Q2 2027 for a Q3 2027 engagement start will not complete a 12-week active test plus 10-week purple team phase plus reporting by January 2028. The arithmetic does not work without compressing phases in ways the RTS does not permit.

Do not conflate your Article 25 pen test programme with Article 26 TLPT. Article 25 sets out the basic ICT testing obligations (vulnerability assessments, scenario-based tests, penetration tests and the like) that apply to all in-scope financial entities. They are separate from TLPT. The providers and the methodology are different categories. Assuming your existing pen test panel is your TLPT provider pool will lead you to the wrong procurement outcome.

Do not defer pending a clearer NCA picture. Your NCA is your TLPT authority under Article 26(9). They will guide you on designation criteria, SSD requirements, and provider verification. But waiting for your NCA to come to you is not a substitute for initiating the process. The regulatory clock runs from your notification letter, and your NCA’s capacity to guide you is also constrained by the number of entities they are managing simultaneously.


What the 2028 window looks like for the market overall

The concentration of first-cycle TLPT completion deadlines in the January 2028 window is a system-level constraint, not just an individual planning problem. If the majority of designated entities attempt to complete their first TLPT in the second half of 2027, the provider market, the NCA verification process, and the competent authority attestation pipeline are all under simultaneous pressure.

Regulators have noted this. The practical supervisory response will likely be pragmatic, recognising that entities that engaged in good faith with the process, documented their procurement efforts, and encountered genuine provider availability constraints are in a different position from entities that simply deferred. But relying on supervisory pragmatism is not a programme strategy.

The entities that will be in a demonstrably better position are the ones that started early, documented their procurement process, and have a credible timeline to attestation on record with their NCA before the 2027 crunch period.


The planning threshold to hold

If you have received a TLPT notification letter: procurement for both providers should be initiated within the first two months of receipt. The Scope Specification Document is due six months from notification (T+6), and that date does not move. Provider procurement, NCA verification, and SSD preparation run in parallel. None of them has enough slack to absorb a delayed start.

If you have not yet received a notification letter but your entity profile suggests designation is likely (G-SII, O-SII, SSM significant institution, or large payment institution): begin provider market research and internal programme design now. The notification letter, when it arrives, will not give you more time than you would have taken to prepare.

For the full 12-step TLPT preparation checklist and phase timeline, see the DORA TLPT timeline page.

dora tlpt 2028-deadline provider-scarcity programme-management procurement