Red Team vs. TLPT: Key Differences
Why a conventional red team exercise does not satisfy your DORA Article 26 TLPT obligation
The most expensive procurement mistake in DORA compliance is issuing an RFP for a red team exercise, receiving a red team report, and presenting it to your competent authority (CA) as TLPT evidence. A CA will not issue a closure letter for a standard red team. The test will not count. And you will have spent six figures on something that resets your 3-year clock only if you redo it correctly. The difference between a red team and a TLPT is not cosmetic — it is legal, operational, and structural.
Bottom Line
A red team exercise does not satisfy DORA Art. 26 TLPT obligations under any circumstances. The two tests differ in intelligence foundation, scope methodology, production system requirements, tester qualification standards, and regulatory submission process. If you are designated for TLPT, you need a provider with verified TLPT/TIBER-EU experience, a Targeted Threat Intelligence report as a discrete phase, direct CA engagement capability, and a track record of obtaining closure letters. Anything less is a red team — useful, but not compliant.
What Auditors Will Actually Look For
- A CA closure letter dated within the last 3 years — without this, TLPT is non-compliant regardless of what the Red Team Report says.
- Evidence that the Targeted Threat Intelligence (TTI) report was produced as a distinct phase before attack scenarios were designed, not retrofitted afterwards.
- Scope documentation showing all critical functions and their supporting people, processes, and technology were included — including material third parties.
- Confirmation that testing was conducted on production systems — isolated replica testing requires documented CA agreement.
- Tester qualification and independence evidence per the DORA RTS — provider certification claims alone are not sufficient.
Common Mistakes
- Procuring a "red team with threat intelligence" and assuming it qualifies as TLPT — the distinction is in the regulatory process, not just the technical methodology.
- Running TLPT on staging or test environments because production feels too risky — this is only permitted with explicit CA agreement and a documented rationale.
- Excluding a key cloud provider or outsourced processing entity from scope to simplify logistics — this creates a scope gap the CA will identify.
- Not engaging the CA before testing begins — TLPT scope must be CA-approved, not just internally agreed.
- Accepting a provider's assurance that they "do TLPT" without asking whether they have issued closure letters in prior engagements.
Side-by-Side Comparison
| Dimension | Red Team Exercise | DORA TLPT (Art. 26) |
|---|---|---|
| Legal basis | No regulatory requirement | Mandatory for designated entities under DORA |
| Intelligence foundation | Scenario-based (chosen by tester or client) | Threat intelligence-led: entity-specific TTI report produced first |
| Scope | Defined by entity / tester agreement | Function-led: all critical functions and supporting assets, CA-approved |
| Target systems | Often test / staging environments | Must include production systems; replicas only by exception |
| Regulatory submission | Internal report only | Formal report submitted to competent authority |
| Closure document | None required | Closure letter from CA — mandatory to complete the test |
| Tester qualification | No regulatory standard | Must meet DORA RTS qualification and independence requirements |
| Duration | Days to weeks | Months (typically 3–6 months active testing, 9–12 months overall) |
| Frequency obligation | None | At least every 3 years from CA closure letter date |
| Blue team notification | Usually announced | Covert or announced — agreed with CA and documented |
The Core Difference: Intelligence vs. Scenario
This is the distinction that most providers obscure — and that auditors understand better than procurement teams.
- A red team exercise uses attacker scenarios chosen by the provider or agreed with the client: "simulate a ransomware group", "test phishing resilience", "attempt to reach the trading system."
- A TLPT begins with a Targeted Threat Intelligence report: structured research into which real-world threat actors specifically target entities like yours, what their tactics, techniques, and procedures (TTPs) are, and what objectives they would pursue against your specific business.
- The TTI report drives the attack scenarios — not the other way around. Scenarios are built from evidence, not imagination.
- This means a TLPT tests what is actually likely to happen to your specific entity — not a generic financial services adversary profile.
- A provider who cannot describe how they produce the TTI report as a discrete deliverable before attack design begins is not running a TLPT.
If your provider designs attack scenarios before completing a TTI report — it is a red team exercise, regardless of what it is called on the invoice.
Why Scope Methodology Matters
- Red team exercises are typically scoped to specific systems or attack vectors agreed in advance by the client and provider.
- TLPT scope is function-led: it starts from the entity's critical or important functions and expands outward to every system, person, and third party that supports them.
- This makes TLPT scope inherently broader and more complex to define — and scope must be agreed with the competent authority before testing begins, not just internally approved.
- Excluding a material dependency from scope — a cloud provider, a payment processor, an outsourced SOC — creates a gap the CA will identify. Justify exclusions explicitly or expect to be challenged.
Production Systems: Non-Negotiable
- Red team tests are commonly run against test or staging environments — operationally safer, but insufficiently realistic for regulatory purposes.
- DORA requires TLPT to target production systems wherever operationally possible. This is a deliberate design choice: the test must reflect real conditions.
- Testing in isolated replicas is only permitted where production testing poses unacceptable risk to financial stability — a genuinely high bar that requires documented CA agreement.
- Work with your provider to design test execution that minimises disruption risk on production rather than defaulting to a replica. Supervisors know the difference.
When a Red Team Exercise Is the Right Tool
Red team exercises have real value under DORA — they just do not satisfy Art. 26.
- As targeted testing under Art. 25 — scenario-based exercises against specific systems or controls count toward the broader testing programme.
- As TLPT preparation: running a red team in the 12 months before your regulated TLPT identifies and remediates obvious weaknesses before the CA-overseen test.
- For entities not designated for TLPT: red teaming is a high-value testing activity even without a regulatory mandate.
- For testing specific controls between TLPT cycles — phishing resilience, EDR detection, SOC response times.
Procurement Checklist: Questions That Separate TLPT Providers
- Have they conducted DORA TLPT or TIBER-EU tests — not red teaming generally? Ask for references and client names.
- Can they describe how the TTI report is produced as a distinct phase, including methodology, data sources, and timeline?
- Have they engaged directly with a competent authority and submitted formal deliverables in prior engagements? Have they obtained closure letters?
- How do they demonstrate tester independence and qualification per the DORA RTS? What documentation will they provide?
- Do they carry professional indemnity insurance specifically sized for TLPT engagements on production systems?
- What is their CA engagement process — do they know how to navigate scope approval and reporting submission with your specific authority?
3-Step Action Checklist
1. This week: if you have an existing red team programme, assess whether any element of it was conducted under a TIBER-XX framework with a CA closure letter. If not, it does not count toward TLPT.
2. This month: if you are TLPT-designated, review your current providers against the procurement checklist above. If your provider cannot answer the TTI and closure letter questions confidently, begin a new RFP process.
3. This quarter: if your next TLPT cycle begins within 18 months, initiate CA pre-engagement now. Scope approval takes time — starting late compresses your testing window and increases delivery risk.