Seven phases. 12 to 18 months from notification to attestation.

What happens between the notification letter and the attestation: the work in each of the seven phases, who runs it, and what it produces. The phases follow Articles 26 and 27 of DORA and the operational detail in Commission Delegated Regulation (EU) 2025/1190 and the ECB's TIBER-EU 2025 framework.

How to use this page: this is the walkthrough of what happens in each phase. For what your team must do and when (the regulated deadlines and the 12-step programme checklist), see Timeline & checklist.

Critical deadline

The first DORA TLPT cycle must be completed by 17 January 2028 for most designated entities. A full engagement takes 12 to 18 months from initiation; complex Tier 1 institutions with many critical functions or significant third-party cloud scope should allow more. The practical constraint is provider scarcity: a limited number of TIBER/DORA-accredited red team and threat intelligence providers is now a recognised bottleneck across the EU market, and demand is concentrating into the same delivery windows. As of mid-2026, designated entities that have not yet begun procurement are already inside the window a full engagement requires; provider selection should start immediately.

Engagement timeline

From notification letter to attestation

Timeline legend: setup & closure; threat intelligence; red-team workstream; purple teaming (mandatory).

Total engagement is typically 12 to 18 months from notification to attestation, longer for complex Tier 1 institutions. Phases 05 and 06 run in parallel: the red team report is due within 4 weeks of active testing ending, while purple teaming and the blue team report complete within 10 weeks.

What happens at each step.

01

Initiation & Formal Designation

T = 0

The competent authority issues a formal notification letter designating the entity for TLPT. This starts the regulated clock: initiation documents are due within three months (project plan, Control Team Lead appointment, communication protocols); the Scope Specification Document is due within six months.

Who's involved
Financial entity senior management, competent authority TLPT Cyber Team (TCT)
Key artefacts
  • Designation letter
  • Project initiation documents
  • Control Team appointment

02

Scoping & Scope Specification Document

~3 months

The Control Team prepares the Scope Specification Document (SSD). This defines the Critical or Important Functions in scope, the underlying ICT systems and third-party services that support them, and the 'flags': specific objectives the red team must attempt to reach (for example, exfiltrating a sample of customer data or disrupting a payment-processing function). The SSD must be validated by the competent authority before testing can begin.

Who's involved
Control Team, supported by competent authority TCT
Key artefacts
  • Scope Specification Document (SSD)
  • CIF inventory
  • Flag definitions

03

Threat Intelligence

8–12 weeks

An external Targeted Threat Intelligence (TTI) provider produces a structured assessment of the threat landscape relevant to the entity: threat actors most likely to target it, their tactics, techniques and procedures, and likely attack vectors. The TTI report drives red team scenario design. Under DORA, the TI provider is always external, with no exception, including for entities permitted to use internal red teams.

Who's involved
External TTI provider, Control Team
Key artefacts
  • Targeted Threat Intelligence (TTI) report
  • Attack scenario specifications
External provider required under DORA
04

Red Team Test

12 weeks (minimum)

The red team executes full kill-chain attack scenarios derived from the TTI report against live production systems. The Blue Team is unaware testing is taking place. Under the TLPT RTS, the active red team phase must last at least 12 weeks. Scenarios may include initial access, lateral movement, persistence, and impact simulation against the defined flags.

Who's involved
Red Team provider, Control Team (covertly)
Key artefacts
  • Red team operational log
  • Evidence captures
  • Flag completion records

05

Red Team Report

within 4 weeks

The Red Team Provider submits its full test report to the Control Team within four weeks of completing the active testing phase. This deadline is set by the TLPT RTS and runs in parallel with the purple teaming exercise, not sequentially after it. The report covers attack-path detail, evidence captures, flags reached, and observations on detection.

Who's involved
Red Team Provider, Control Team
Key artefacts
  • Red team report
  • Evidence package
  • Flag completion log

06

Purple Teaming & Blue Team Report

within 10 weeks

Once the active red team phase concludes, the Blue Team is read in. Red and blue teams jointly replay the attack: every action, every alert that fired or did not, every control that held or failed. The TLPT RTS requires the purple teaming exercise to occur, and the Blue Team report to be produced, within 10 weeks of the red team phase ending. Purple teaming is mandatory under DORA; it was only encouraged, not required, under the pre-2025 TIBER-EU framework. A combined remediation plan is prepared, prioritising findings by business impact and exploitability.

Who's involved
Red Team, Blue Team, Control Team, TI provider
Key artefacts
  • Joint replay session output
  • Detection gap analysis
  • Blue Team report
  • Remediation plan

07

Attestation

Closing phase

The entity submits the summary of findings, the remediation plan, and documentation demonstrating DORA-compliant execution to the competent authority. Only the summary goes to the regulator; the full technical report stays inside the entity. The competent authority reviews these and issues a formal TLPT attestation. The attestation enables mutual recognition: another EU competent authority can accept it in respect of the same entity's TLPT obligation in another Member State.

Who's involved
Financial entity, competent authority TCT
Key artefacts
  • Summary of findings (to regulator)
  • Remediation plan (to regulator)
  • Formal attestation
  • Mutual-recognition record

Roles in a TLPT engagement.

Test Manager (TM)
Senior role within the financial entity responsible for overall management of the TLPT programme. Has authority to make decisions within the entity. May be the same person as the Control Team Lead in smaller organisations.
Control Team (CT)
The small, senior group within the financial entity that knows the test is happening. Manages the process, interfaces with providers and the regulator, and maintains confidentiality from the rest of the organisation including the Blue Team. The Control Team Lead must have sufficient authority to coordinate all aspects without compromising test integrity. (Previously called "White Team" under TIBER-EU.)
Blue Team
The entity's defensive personnel, typically the SOC, incident response, and security monitoring functions. Must not know a TLPT is taking place during the active testing phase. After the test, the Blue Team is a core participant in purple teaming.
Red Team Provider
External (or, where permitted, internal) testers executing the attack scenarios. Must meet Article 27 criteria including certification or accreditation, professional indemnity insurance, and verified independence.
Threat Intelligence (TI) Provider
Always external. Produces the Targeted Threat Intelligence (TTI) report that drives scenario design. Must be independent of the red team provider. Where the same firm supplies both, staff separation is required.
TLPT Cyber Team (TCT)
The staff within the competent authority responsible for TLPT matters. The TCT oversees the test, validates the scope, reviews deliverables, and issues the attestation. Under the RTS, the TCT must have at least two qualified staff assigned to each test.