DORA TLPT: questions and answers.

Answers anchored to primary EU sources: Regulation (EU) 2022/2554, Commission Delegated Regulation (EU) 2025/1190 (the TLPT RTS), and ECB TIBER-EU 2025 guidance. Where a fact is interpretive rather than regulation, it is flagged.

Are we in scope for DORA at all?
If your entity is authorised and regulated as a financial entity within the EU in any of the 21 categories listed in Article 2(1) of DORA, you are in scope. There is no general revenue or headcount threshold; boutique investment firms and global systemically important banks are bound by the same regulation, with proportionality applied through Article 4 rather than through a scope cut-off. Article 2(3) carves out a short list of entities (for example certain small insurance undertakings and small occupational pension institutions). Your national competent authority is the definitive source for your specific entity type.
Are we required to conduct TLPT, or just basic testing?
TLPT (Article 26) does not apply to all DORA-regulated entities. It applies to the subset identified by the competent authority under Article 26(8), based on systemic importance, ICT risk profile and financial stability considerations. Basic testing (Article 25) applies to all in-scope entities. Entities with the profile of G-SIIs, O-SIIs, SSM significant institutions, or large payment and e-money institutions should assume they are likely to be designated.
Can we use our existing TIBER-EU test results to satisfy DORA?
Only with explicit NCA confirmation, and only if your test meets the current RTS. The DORA TLPT RTS introduced several changes from the pre-2025 TIBER-EU framework: purple teaming became mandatory where it was previously only encouraged; scenarios must now address the full CIA triad (Confidentiality, Integrity, Availability); the function scope term moved from "Critical Function" to "Critical or Important Function" per Article 3(22); and delivery timelines that were guidance-based are now RTS obligations. A pre-2025 TIBER-EU test will not automatically satisfy DORA TLPT by adding a purple team exercise after the fact. Take the question to your NCA directly with your prior test documentation.
Can we use our existing UK CBEST results for DORA?
No. CBEST is a UK framework operated by the PRA and FCA. DORA mutual recognition applies only among EU competent authorities. A CBEST attestation does not automatically satisfy an EU NCA's DORA TLPT requirement. Entities operating in both the UK and EU may need to maintain parallel testing programmes. No bilateral UK-EU recognition arrangement had been identified in primary sources as of June 2026. Verify with your EU NCA.
How do we scope "critical or important functions"?
Article 3(22) defines a critical or important function as one whose failure would materially impair the entity's financial performance, soundness, continuation of operations, or regulatory compliance. In practice this typically includes core banking and payment processing, trading and clearing systems, customer-facing digital channels that generate material revenue, and any function whose interruption would trigger a DORA major incident. Scope must be documented in a Scope Specification Document validated by the competent authority; self-certification without NCA sign-off is not sufficient.
Can we run a TLPT on cloud-hosted critical functions?
Yes, and depending on your scope, you may be required to. Article 26(2) explicitly requires entities to identify the ICT systems supporting critical or important functions, including those outsourced or contracted to ICT third-party providers, and Article 26(3) makes the entity responsible for securing the provider's participation. Where a hyperscale cloud provider supports shared infrastructure and direct participation would affect its other customers, Article 26(4) permits a pooled TLPT, run under the direction of one designated financial entity, covering the relevant ICT services for multiple participating financial entities. Article 30(3) also requires that contracts for ICT services supporting critical or important functions oblige the provider to participate and fully cooperate in TLPT under Articles 26 and 27.
What does purple teaming actually involve under DORA?
Purple teaming is a mandatory structured exercise conducted within 10 weeks of the red team phase ending. The red team and blue team work together, with the Control Team presiding, to replay every significant action taken during the attack: every detection that fired, every detection that did not, every control that held or failed. The exercise produces a joint analysis of defensive gaps and feeds the prioritised remediation plan. Under Commission Delegated Regulation (EU) 2025/1190 it is one of the requirements the attestation confirms were met.
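The replay described above is, at its core, a join between the red team's action log and the blue team's telemetry, with each action classified as detected, logged but never alerted, or missed outright. The script below is an added illustration written for this page, not code from the RTS, TIBER-EU or any tester; the red and blue logs are constructed, and the host-based join with a 15-minute correlation window is an assumption about how such a replay is organised, not a rule from the regulation.

```python
"""Purple-team replay: join red-team actions to blue-team telemetry and
classify each action as detected, logged_only or missed.

Added illustration for this page. All log entries below are constructed;
the 15-minute window and the join on hostname are assumptions, not RTS rules.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RedAction:
    ts: datetime
    tactic: str          # ATT&CK tactic the red team assigned to the step
    technique: str       # ATT&CK technique ID from the red team's log
    host: str
    description: str


@dataclass(frozen=True)
class BlueEvent:
    ts: datetime
    host: str
    rule: str
    alerted: bool        # True if it reached an analyst queue, False if only logged


@dataclass
class Replay:
    action: RedAction
    status: str          # "detected" | "logged_only" | "missed"
    evidence: list = field(default_factory=list)   # rule names that fired


T0 = datetime(2025, 3, 3, 9, 0)

# Constructed red-team action log (one entry per significant step).
RED_LOG = [
    RedAction(T0, "initial-access", "T1566.001", "ws-042", "spearphishing attachment opened"),
    RedAction(T0 + timedelta(minutes=20), "execution", "T1059.001", "ws-042", "PowerShell stager executed"),
    RedAction(T0 + timedelta(minutes=45), "credential-access", "T1003.001", "ws-042", "LSASS memory dumped"),
    RedAction(T0 + timedelta(hours=2), "lateral-movement", "T1021.002", "srv-fs01", "SMB logon with dumped credentials"),
    RedAction(T0 + timedelta(hours=3), "exfiltration", "T1048.003", "srv-fs01", "exfil over HTTPS to tester host"),
]

# Constructed blue-team telemetry export (EDR / SIEM events on the same hosts).
BLUE_LOG = [
    BlueEvent(T0 + timedelta(minutes=22), "ws-042", "EDR: encoded PowerShell command line", alerted=True),
    BlueEvent(T0 + timedelta(minutes=46), "ws-042", "Sysmon EventID 10: handle to lsass.exe", alerted=False),
    BlueEvent(T0 + timedelta(hours=2, minutes=5), "srv-fs01", "Windows 4624 logon type 3", alerted=False),
    # No telemetry at all for the phishing open or the exfiltration step.
]


def replay(actions, events, window=timedelta(minutes=15)):
    """For each red action, collect blue events on the same host inside the
    window after the action and classify the defensive outcome."""
    results = []
    for a in actions:
        hits = [e for e in events if e.host == a.host and a.ts <= e.ts <= a.ts + window]
        if any(e.alerted for e in hits):
            status = "detected"
        elif hits:
            status = "logged_only"    # telemetry existed but no alert reached an analyst
        else:
            status = "missed"         # no telemetry: a visibility gap, not just a rule gap
        results.append(Replay(a, status, [e.rule for e in hits]))
    return results


def summary(results):
    """Count of actions per outcome, the headline number for the joint analysis."""
    return dict(Counter(r.status for r in results))


PRIORITY = {"missed": "high", "logged_only": "medium"}


def remediation_items(results):
    """Draft one remediation-plan entry per action the blue team did not alert on.
    Owner and target date are left for the Control Team to assign."""
    return [
        {
            "tactic": r.action.tactic,
            "technique": r.action.technique,
            "host": r.action.host,
            "gap": r.status,
            "priority": PRIORITY[r.status],
            "evidence": r.evidence,
            "owner": None,
            "target_date": None,
        }
        for r in results
        if r.status != "detected"
    ]


if __name__ == "__main__":
    res = replay(RED_LOG, BLUE_LOG)
    for r in res:
        print(f"{r.action.tactic:18} {r.action.technique:10} {r.status:12} {r.evidence}")
    print(summary(res))
    for item in remediation_items(res):
        print(item)
```

Two design points matter in practice. First, "logged_only" and "missed" are different gaps: the former is a detection-engineering fix, the latter means the telemetry itself is absent and has to be sourced before any rule can be written. Second, joining on host and a time window is deliberately loose; in a real replay the Control Team confirms each match by hand, because a benign alert in the same window would otherwise be mis-credited to the blue team.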
How do we choose a TLPT provider?
Article 27(1) sets the criteria: highest suitability and reputability; the technical and organisational capability to demonstrate specific expertise in threat intelligence, penetration testing and red team testing; certification by an accreditation body in a Member State, or adherence to formal codes of conduct or ethical frameworks (CREST accreditation is widely used as evidence, though the regulation does not name any scheme); independent assurance or an audit report on the sound management of TLPT risks; and professional indemnity insurance covering misconduct and negligence. Article 27(2) adds that internal testers must be validated by the competent authority and must be free of conflicts of interest throughout the design and execution of the test. The threat intelligence provider must always be external; the red team provider may sometimes be internal (see the 2-in-3 rule below) but not for SSM significant credit institutions, which must always use external testers.
Can we use our internal red team?
For most designated entities, yes: for up to two consecutive cycles. The third must use an external provider (the "2-in-3 rule"). The threat intelligence provider must always be external, even when the red team is internal. SSM significant credit institutions (those classified as significant under Article 6(4) of Regulation (EU) No 1024/2013) must always use external testers; there is no internal option.
What does a DORA TLPT cost?
There is no published tariff, and pricing varies with scope breadth, the number of critical or important functions in play, and third-party participation. The cost drivers are structural: an external threat intelligence provider (always required), a red team engaged for a minimum of 12 weeks of active testing plus scenario development, mandatory purple teaming, and the entity's own Control Team and programme-management effort across 12 to 18 months. Budget for a multiple of a standard penetration test, not an increment on one, and expect provider scarcity to keep pricing firm. Procuring early in your cycle gives you more pricing leverage than procuring against the attestation deadline.
What happens if the red team causes an incident on a live production system?
Testing on live production systems is mandatory, so risk management around it is built into the framework rather than left to chance. The Scope Specification Document must address the risk management measures for the test. Article 27 requires testers to provide independent assurance that TLPT risks are soundly managed and to carry professional indemnity insurance covering misconduct and negligence. Operationally, the Control Team holds defined escalation and pause procedures throughout the active phase, and the updated TIBER-EU guidance is explicit that testing must be conducted in a controlled and safe manner. If an action risks material disruption, the Control Team can require the red team to stop, de-conflict, or take an agreed alternative path. A genuine operational incident during a test is handled through the entity's normal incident process, with the Control Team de-conflicting so the response is not confused with the simulated attack.
What is the role of the competent authority during the test?
The TLPT Cyber Team (TCT) within the competent authority is present throughout. They validate the scope, review initiation documents, approve the Scope Specification Document, and oversee the test. The TCT does not run the test; the entity's Control Team does. The TCT reviews summary findings and the remediation plan before issuing the formal attestation. Under the RTS, the TCT must have at least two qualified staff assigned to each test.
If the red team achieves its flags, do we "fail"?
TLPT is an operational resilience exercise, not a compliance pass/fail. All findings, including fully achieved flags, feed the prioritised remediation plan. Unresolved critical findings may trigger supervisory dialogue or follow-up requirements. Failure to remediate known critical vulnerabilities after they have been identified in a TLPT is a more serious supervisory concern than the findings themselves.
What is shared with the regulator, and what stays confidential?
Submitted to the competent authority under Article 26(6), by the entity and the external testers once the reports have been agreed: a summary of relevant findings, the remediation plan, and documentation evidencing that the TLPT was conducted in accordance with the requirements. Retained by the entity: the full technical red team report, attack-path detail, and specific system weaknesses. The full report is not published or shared with peer institutions. Within the entity, access to the full report is typically limited to the Control Team, senior management, and the Audit/Risk Committee on a need-to-know basis.
We are part of a cross-border financial group. Does each subsidiary need a separate TLPT?
Not necessarily. Article 26 read with the TLPT RTS allows a single TLPT to be run at group level so that it discharges the obligation for several group entities, subject to conditions set by the relevant competent authorities. In practice this requires coordination across all NCAs supervising group entities. Begin those discussions with each NCA before scoping the group test; requirements on what each subsidiary's critical or important functions must include can differ across jurisdictions.
What is the minimum active testing duration?
Commission Delegated Regulation (EU) 2025/1190 specifies that the active red team testing phase must last at least 12 weeks.
What is the difference between a TLPT and a standard penetration test?
A standard penetration test typically follows a predefined scope, uses generic attack techniques, and is conducted without regard to which actual threat actors target the entity. TLPT begins with real threat intelligence specific to the entity, uses the TTPs of genuine adversaries relevant to the sector and threat profile, operates covertly on live production systems, runs for a minimum of 12 weeks of active testing, and concludes with mandatory purple teaming. It is significantly more complex, more costly, and more operationally demanding than a standard penetration test.
What are the penalties for non-compliance with TLPT obligations?
Article 50 of DORA defers to Member State law for the level of administrative penalties: it requires national legislators to put appropriate, dissuasive, and proportionate penalties in place, but does not itself set a single EU-wide cap. The result is significant divergence: turnover-based ceilings range from 5% (Spain) to 10% (Sweden) of total annual worldwide turnover; absolute ceilings range from EUR 2 million (Czech Republic) to EUR 20 million (Italy). Several Member States including Germany and the Netherlands differentiate between intentional and negligent breaches. Beyond financial penalties, NCAs may issue public censure, withdraw authorisations, or impose activity restrictions. The Member State in which the breach occurs is a material factor; consult your competent authority for the specific regime.
What do TLPT findings mean for our ICT risk register and risk appetite?
Findings from a TLPT must be classified by severity and captured in the ICT risk register as identified risks. The remediation plan submitted under Article 26(6) must specify an owner, priority level, and target date for each finding. A critical finding left unresolved is a known risk that the entity has, in effect, chosen to carry, which puts it in a different supervisory position from the same risk not yet identified. If a finding relates to a critical or important function and represents a material ICT risk, it may need to be escalated to the management body and reflected in the institution's risk appetite statement. The remediation plan is a live document; competent authorities may reference open findings in subsequent supervisory dialogues regardless of where you are in the three-year TLPT cycle.
Does DORA require a re-test after a TLPT identifies critical findings?
DORA requires a remediation plan addressing findings, submitted with the summary findings as a precondition for attestation. The regulation does not mandate a specific re-test, but competent authorities retain discretion to require follow-up testing as part of their supervisory dialogue. The remediation plan should be treated as a live document subject to ongoing supervisory review.
Still have questions?
Talk to a practitioner about your TLPT programme.

One-working-day reply. No sales pitch.