TLPT, CBEST and TIBER-EU.
DORA TLPT traces a direct lineage from CBEST (Bank of England, 2013) through TIBER-EU (ECB, 2018) to its current form as binding EU law. That lineage matters when you have prior test results, or when you operate a UK-EU group with obligations in both regimes.
From CBEST to DORA, in four moments.
- 2013
CBEST: Bank of England launches intelligence-led red teaming
CBEST is created by the Bank of England for the UK's critical financial market infrastructure. It is the first regulator-led framework mandating real threat intelligence to drive scenarios against live production systems. The methodology runs through accredited CREST providers under PRA / FCA supervision.
- 2018
TIBER-EU: the ECB harmonises the approach across the EU
The European Central Bank publishes TIBER-EU (Threat Intelligence-Based Ethical Red Teaming for the European Union). It is explicitly modelled on CBEST and is adopted voluntarily by National Central Banks across the euro area and beyond. More than 100 TIBER tests are conducted over the next six years.
- 2022
DORA adopted: TLPT becomes binding EU law
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is adopted on 14 December 2022. Article 26 obliges designated financial entities to perform Threat-Led Penetration Testing. The ESAs are mandated to develop joint Regulatory Technical Standards specifying the operational detail.
- 2025
DORA applies; TIBER-EU is updated to align
DORA becomes directly applicable on 17 January 2025. The ECB updates TIBER-EU to align with the DORA RTS. Commission Delegated Regulation (EU) 2025/1190, the TLPT RTS, is published 18 June 2025 and applies from 8 July 2025. Purple teaming becomes mandatory. The ECB publishes an SSM Supervisory Guide in November 2025 for significant institutions.
Twelve dimensions, side by side.
| Dimension | CBEST (UK) | TIBER-EU | DORA TLPT |
|---|---|---|---|
| Jurisdiction | United Kingdom (PRA / FCA) | European Union (ECB-led, NCBs) | European Union (DORA Regulation 2022/2554) |
| Legal status | Supervisory framework | Voluntary framework adopted by NCBs | Binding EU law via RTS 2025/1190 |
| Year operationalised | 2013 | 2018 (in use from 2019) | Applicable from 17 January 2025; RTS from 8 July 2025 |
| Live production systems | Yes | Yes | Yes; mandatory under Article 26(2) |
| External TI provider | Required | Required | Required: always, no exceptions |
| Internal red team | No; accredited external providers required | Not addressed explicitly | Permitted for 2 of 3 cycles; banned for SSM significant credit institutions |
| Purple teaming | Encouraged | Encouraged (pre-2025) | Mandatory (RTS 2025/1190) |
| Function scope term | Critical Function (CF) | Critical Function (CF) pre-2025 | Critical or Important Function (CIF) per Art. 3(22) |
| Control team name | White Team | White Team (pre-2025) | Control Team |
| Scenario CIA coverage | Not explicitly required | Not explicitly required pre-2025 | Required: scenarios must address C, I, and A |
| Delivery timelines | Guidance-based | Guidance-based pre-2025 | Codified in binding RTS (≥12-week test; 4-week RT report; 10-week purple/blue report) |
| Mutual recognition | UK supervisory only | Cross-NCB cooperation under framework | Statutory mutual recognition among EU competent authorities |
| Penalties on failure | Supervisory dialogue / regulatory action | Framework-level | Administrative penalties as specified by Member States under Art. 50 |
What changed when TIBER-EU aligned to DORA.
On 11 February 2025 the ECB published an updated TIBER-EU framework aligned with the DORA RTS. The November 2025 ECB SSM Supervisory Guide added implementation detail for significant institutions under the Single Supervisory Mechanism.
The material changes for entities running TIBER-EU tests after February 2025:
- Purple teaming became mandatory; it was previously encouraged. The 10-week-from-RT-phase deadline is codified.
- Function scope shifted from CF to CIF to align with DORA Article 3(22). The change is operationally significant: the universe of in-scope functions broadens.
- The White Team is now the Control Team. Same role, different label.
- CIA triad coverage is required: scenarios must address Confidentiality, Integrity, and Availability. Entities cannot limit scenarios to a subset of the triad.
- Delivery timelines are now codified in the RTS, not guidance-based. The 12-week minimum active testing window, the 4-week RT report deadline, and the 10-week purple team window are enforceable obligations.
- Pooled and group testing provisions (Article 26(4) and 26(5)) replace ad hoc arrangements for shared cloud infrastructure and cross-border groups.
If you have UK-EU dual exposure
Post-Brexit, CBEST remains the UK-specific framework operated by the PRA and FCA. DORA mutual recognition does not extend to CBEST results. An entity that has completed a CBEST test cannot present that attestation to an EU competent authority as satisfying its DORA TLPT obligation.
In practice, UK-headquartered groups with EU subsidiaries (or vice versa) face parallel programmes: one CBEST cycle for the UK estate, one DORA TLPT cycle for the EU estate. The methodology overlap is substantial, but the regulatory regimes are distinct. (No formal bilateral UK-EU recognition arrangement had been identified in primary sources as of June 2026. Verify with your competent authorities.)
Prior CBEST or TIBER-EU experience is materially relevant to DORA TLPT readiness. Your team has run an intelligence-led test before. The Control Team has worked covertly with a Red Team. Your senior management understands what a flag set looks like. None of that experience transfers automatically into a DORA attestation, but it does shorten the path.