From notification letter to attestation.
What your team must do, when it is due, and what to evidence. Once your competent authority issues the formal notification letter, the regulatory clock starts; this page maps the deadlines set by Article 26 of DORA and by Commission Delegated Regulation (EU) 2025/1190 (the RTS on TLPT) against a practical 12-step preparation checklist.
How to use this page: this is the programme view of what your team must do and when. For a walkthrough of what happens inside each of the seven phases, see the companion page "Your TLPT journey".
Total engagement: typically 12 to 18 months from notification to attestation, longer for complex Tier 1 institutions. First cycle deadline for most designated entities: 17 January 2028.
12 steps from designation to attestation.
Twelve steps grouped into governance, procurement, scoping, execution and closure. Use this as the spine of your programme plan and map your internal RACI to it. "T" below is the date of the notification letter.
Governance (steps 1 and 2)
Step 1. Appoint a Control Team Lead with executive authority
Due: within T+3 months of notification.
Designate a senior individual (typically reporting to the CISO or COO) who can coordinate across Legal, Procurement, IT, Audit and the security function while keeping the test on a strict need-to-know basis. The Control Team Lead is the entity's single point of contact for the competent authority for the duration of the test.
Step 2. Secure management body approval of scope, providers and remediation framework
Due: before SSD submission.
Article 5 places responsibility for the ICT risk management framework on the management body, and Article 26(6) keeps full responsibility for TLPT compliance with the financial entity even where external providers and ICT third parties take part. Get the scope, the provider selection and the remediation framework formally approved at board or risk committee level before the SSD is finalised, and keep the minuted decision: it is part of the evidence the competent authority will expect to see.
Procurement (steps 3 and 4)
Step 3. Procure an external Threat Intelligence provider
Due: within T+3 to T+4 months.
The TI provider must always be external and independent of the red team provider. Article 27 requires testers to be of the highest suitability and reputability, certified by an accreditation body (or adhering to a formal code of conduct), covered by professional indemnity insurance, and free of conflicts of interest. Start procurement immediately; provider capacity is constrained and the TI phase cannot start without a contracted provider.
Step 4. Procure a Red Team provider (or qualify the internal team)
Due: within T+4 to T+5 months.
Credit institutions classified as significant under the SSM must use an external red team in every cycle. All other designated entities may use an internal red team, but must use an external one at least once in every three tests (the "2-in-3" rule). CREST accreditation is widely recognised as satisfying the Article 27 certification requirement. Whichever route you take, confirm the testers' independence from the entity's existing MSSP and external audit relationships before signing.
Scoping & SSD (steps 5 to 8)
Step 5. Map Critical or Important Functions and their underlying ICT
Due: within T+4 months.
Article 3(22) defines a critical or important function (CIF) as one whose disruption would materially impair the entity's financial performance, the soundness or continuity of its services and activities, or its continued compliance with the conditions of its authorisation and its other obligations under financial services law. Inventory every ICT system, process and technology that supports each CIF, including services outsourced to ICT third-party providers, and record the dependency chain from function to system to provider: an outsourced service that is reached only through an internal system is still in scope.
Step 6. Define the red team flags
Due: before SSD submission.
Flags are the concrete objectives the red team attempts to reach (for example, exfiltrating a sample of customer data, or disrupting a defined payment-processing function). Choose flags that reflect material business outcomes for the CIFs in scope, not purely technical objectives such as obtaining a particular privilege level.
Step 7. Submit the Scope Specification Document to the competent authority
Due: within T+6 months of notification (hard deadline).
The SSD must set out the CIFs in scope, the ICT supporting them, third-party participation and the flag set. The competent authority's TLPT Cyber Team (TCT) validates the SSD before testing can begin. Allow time for iteration; first-cycle SSDs frequently need revision.
Step 8. Confirm third-party provider cooperation under Article 30
Due: before the TI phase begins.
Outsourced ICT services that support in-scope CIFs are part of the test under Article 26(2). Article 30 requires contracts for ICT services supporting critical or important functions to oblige the provider to participate in and fully cooperate with the entity's TLPT; check every in-scope contract for that clause now, because a contract amendment takes time you will not have once the TI phase starts. Where a provider delivers shared cloud infrastructure to several financial entities, consider whether a pooled TLPT under Article 26(4) applies.
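As an added example (not code from this page, from any regulator's guidance or from any institution), the following Python derives the SSD scope of step 5 and the Article 30 contract check of step 8 from one dependency graph: it walks from each critical or important function down through its supporting systems to the outsourced services underneath, so that nothing reached only indirectly is missed. Every function, system, provider name and contract flag below is constructed for illustration, and the `tlpt_clause` field is an assumed way of recording whether a contract already carries the Article 30 TLPT participation obligation.

```python
"""Derive TLPT scope and Article 30 contract gaps from a CIF dependency graph.

Added example with a constructed inventory; names and flags are illustrative.
"""
from collections import deque

# Business functions and the ICT systems that directly deliver them (constructed).
FUNCTIONS = {
    "SEPA payment processing": ["payments-core"],
    "Online banking": ["web-frontend"],
    "Staff payroll": ["hr-app"],
}
# Functions the entity has classified as critical or important (Article 3(22)).
CRITICAL_OR_IMPORTANT = {"SEPA payment processing", "Online banking"}

# ICT system -> the systems or services it needs in order to operate (constructed).
DEPENDS_ON = {
    "payments-core": ["core-banking-db", "hsm-cluster"],
    "web-frontend": ["api-gateway"],
    "api-gateway": ["payments-core", "iam-service"],
    "iam-service": ["cloud-iam"],
    "hr-app": ["payroll-saas"],
    "core-banking-db": [],
    "hsm-cluster": [],
    "cloud-iam": [],
    "payroll-saas": [],
}
# Services delivered by ICT third-party providers. 'tlpt_clause' is an assumed
# flag for whether the contract already obliges the provider to take part in TLPT.
OUTSOURCED = {
    "hsm-cluster": {"provider": "HsmCo", "tlpt_clause": False},
    "cloud-iam": {"provider": "CloudCo", "tlpt_clause": True},
    "payroll-saas": {"provider": "PayrollCo", "tlpt_clause": False},
}


def derive_scope(functions, critical, depends_on, outsourced):
    """Return the systems the SSD must cover, which CIFs each one supports,
    the third-party providers in scope, and providers whose contracts lack
    the TLPT participation clause."""
    supports = {}  # system -> set of CIFs it transitively supports
    for cif, roots in functions.items():
        if cif not in critical:
            continue  # non-CIF functions pull nothing into scope by themselves
        seen = set()
        queue = deque(roots)
        while queue:
            system = queue.popleft()
            if system in seen:
                continue  # also terminates cleanly on dependency cycles
            seen.add(system)
            supports.setdefault(system, set()).add(cif)
            queue.extend(depends_on.get(system, []))

    providers = {}  # provider -> True if the Article 30 clause is in place
    for system in supports:
        if system in outsourced:
            entry = outsourced[system]
            providers[entry["provider"]] = entry["tlpt_clause"]
    gaps = sorted(name for name, ok in providers.items() if not ok)
    return {
        "in_scope": sorted(supports),
        "supports": supports,
        "providers": providers,
        "contract_gaps": gaps,
    }


if __name__ == "__main__":
    result = derive_scope(FUNCTIONS, CRITICAL_OR_IMPORTANT, DEPENDS_ON, OUTSOURCED)
    for system in result["in_scope"]:
        cifs = ", ".join(sorted(result["supports"][system]))
        tag = "  [third party: %s]" % OUTSOURCED[system]["provider"] if system in OUTSOURCED else ""
        print("%-16s supports: %s%s" % (system, cifs, tag))
    print("Providers needing an Article 30 TLPT clause:", result["contract_gaps"])
```

Two things the walk shows that a flat list of systems does not: the HSM cluster is outsourced and in scope even though no CIF names it directly, so HsmCo appears as a contract gap, while the payroll SaaS provider never appears because the only function it supports is not critical or important. Run it against a real CMDB export by replacing the three constructed dictionaries.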
Execution (steps 9 and 10)
Step 9. Run the Threat Intelligence phase
Due: T+6 to T+9 months (typically 8 to 12 weeks).
The external TI provider produces the Targeted Threat Intelligence (TTI) report: the threat actors most likely to target the entity, their tactics, techniques and procedures (TTPs), and the attack vectors they would plausibly use against the CIFs in scope. The report drives red team scenario design, so its coverage must match the validated SSD.
Step 10. Execute the Red Team phase
Due: minimum 12 weeks of active testing; typically 12 to 14.
At least 12 weeks of active testing against live production systems, with the Blue Team unaware throughout (need-to-know). Scenarios must cover confidentiality, integrity and availability, not just one of them. The Control Team manages communications with the authority and the providers and approves anything that falls outside the agreed scenarios.
Closure & attestation (steps 11 and 12)
Step 11. Run the mandatory purple teaming exercise
Due: within 10 weeks of the red team phase ending.
Read the Blue Team in and replay the attack jointly: every action the red team took, every alert that fired or did not, every control that held or failed. This is the RTS-mandated capability-transfer step and the point at which findings are prioritised for remediation. Keep the evidence it produces (attack timeline, detection gaps, agreed priorities); it feeds the remediation plan.
Step 12. Submit summary findings and remediation plan; obtain attestation
Due: closing phase.
Submit the summary of findings, the remediation plan and the documentation showing that the test was run in line with the requirements. The TCT issues the formal TLPT attestation, which underpins mutual recognition of the test across the EU. The full technical red team report stays with the entity; only the summary goes to the authority.
What happens next.
The default frequency is every three years. The competent authority may shorten or lengthen this based on the entity's risk profile and operational circumstances (Article 26(3)). Entities permitted to use an internal red team under the 2-in-3 rule must still use an external provider at least once in every three tests. The threat intelligence provider must always be external.
Remediation tracking continues after attestation. The remediation plan is a live document subject to ongoing supervisory review; unresolved critical findings will surface in your next supervisory dialogue regardless of cycle timing.
Cross-border groups
If you operate as a group with entities supervised in multiple Member States, begin NCA coordination conversations before the SSD submission. Article 26(5) permits a group-level TLPT to satisfy the obligation for several group entities, subject to conditions agreed with each relevant competent authority. Each NCA may have its own expectations about which of its supervised entity's critical or important functions must be in scope; build that coordination time into your T+6 window.
The ECB has published implementation guidance for each phase of the TLPT process. These documents apply to both TIBER-EU and DORA TLPT, and are the most useful operational reference alongside the regulation:
- ECB Control Team Guidance (January 2025)
- ECB Scope Specification Document Guidance (January 2025)
- ECB Targeted Threat Intelligence Report Guidance (January 2025)
- ECB Purple Teaming Best Practices (January 2025)
- ECB Service Provider Procurement Guidance (January 2025)
- ECB SSM Supervisory Guide (November 2025)