Free Provider Matching · No Commitment

Find a Vetted DORA Testing Provider

Selecting the right TLPT provider is one of the most critical decisions in your DORA compliance programme. DORA Article 26 sets strict tester qualification requirements — not every penetration testing firm qualifies.

We match EU financial entities with pre-vetted TLPT providers, red team operators, and ICT risk specialists at no cost. Providers in our network meet DORA Article 26 RTS qualification criteria and have TIBER-EU or equivalent experience.

What Qualifies a DORA TLPT Provider?

DORA sets specific requirements for external testers. Here is what to look for — and what to ask in your RFP.

DORA Article 26 Compliance

Providers must meet the tester independence and qualification requirements specified in the Joint ESA RTS on TLPT. This includes demonstrating no undue dependencies on the tested entity.

TIBER-EU / TIBER-XX Experience

Demonstrated experience with the TIBER framework is a strong indicator of DORA TLPT readiness. Providers should hold prior TIBER-EU or national TIBER-XX red team provider certifications.

Financial Sector Specialisation

TLPT for financial entities requires deep understanding of financial sector threat actors, trading systems, core banking architecture, and regulatory reporting infrastructure.

Threat Intelligence Capability

DORA TLPT is intelligence-led. Providers must have access to credible, current threat intelligence sourced from reputable Threat Intelligence Providers (TIPs) with EU financial sector focus.

Supervisory Reporting Experience

The TLPT process requires formal engagement with competent authorities, including notification, scope approval, and post-test reporting. Providers must have navigated this process before.

Cross-Border Mutual Recognition

For groups operating in multiple EU jurisdictions, providers should understand the DORA mutual recognition framework so that a single test can satisfy requirements in multiple member states.

Get Matched in 24 Hours

Tell us what you need. We review your requirements and make targeted introductions to providers in our network who are right for your entity type, jurisdiction, and timeline.

1. Submit your requirements. Service type, entity, and timeline — takes 2 minutes.
2. We match you. We identify 2–3 providers best suited to your needs.
3. Introduction made. Direct introductions within 24 business hours.
4. Engage directly. You negotiate and contract directly with the provider.

Transparency: This service is free for financial entities. We receive a referral fee from providers when they successfully complete an engagement. This does not affect provider selection — we only introduce providers who meet your requirements.


Provider FAQs

How does the provider matching process work?

You submit a brief description of your service needs, entity type, and timeline. We review your requirements against our network of vetted providers and make targeted introductions within 24 business hours. There is no cost to you — providers pay a referral fee when engagements are completed.

Is TLPT mandatory for my organisation?

TLPT is mandatory for "significant" financial entities as determined by your national competent authority under DORA Article 26. The significance assessment considers factors including size, systemic importance, and ICT risk profile. Use our TLPT Scope Checker tool for a preliminary assessment, but the formal determination rests with your supervisor.

How long does a full DORA TLPT take?

A complete DORA-compliant TLPT programme, from initial engagement with the competent authority to final report submission, typically takes 6–12 months. This includes preparation, threat intelligence gathering, the test execution phase (typically 8–12 weeks), and the remediation and reporting phases.

Can an internal team conduct TLPT?

DORA requires external testers for TLPT in most cases. Internal red team members may only participate under exceptional circumstances with explicit supervisory approval, and independence requirements must still be met. The threat intelligence function must always be externally sourced.

What does it cost to hire a TLPT provider?

TLPT engagements vary significantly based on scope, entity size, and test complexity. Typical DORA TLPT programmes for mid-size financial institutions range from €150,000 to €500,000+. We can help you scope requirements and obtain competitive proposals from our network.

Not Sure What You Need?

Run our free DORA readiness assessment first. It will clarify your testing obligations, entity classification, and likely TLPT requirement before you engage a provider.