RTS on TLPT — Joint ESA Standard
What the Regulatory Technical Standards require for Threat-Led Penetration Testing under DORA Article 26
The Joint Committee of the three ESAs (EBA, ESMA and EIOPA) drafted the RTS for TLPT under DORA Article 26(11), in agreement with the ECB and aligned with the TIBER-EU framework; the RTS takes legal effect once the European Commission adopts it as a delegated regulation. If your competent authority has identified you as subject to TLPT, the RTS together with Articles 26 and 27 of DORA define exactly what you must do and what evidence you must produce.
Bottom Line
TLPT is not a glorified penetration test. It is a multi-month, intelligence-led simulation of a real adversary targeting your critical or important functions, run on live production systems with your competent authority validating scope and attesting the result. Budget on the order of €150k–€400k and allow 9–12 months end to end. Do not attempt it without an experienced provider.
What Auditors Will Actually Look For
- Formal notification from your competent authority designating you as subject to TLPT — and your documented response.
- A Targeted Threat Intelligence (TTI) report prepared by a qualified, independent Threat Intelligence Provider.
- Evidence that your Red Team Provider meets the qualification requirements (independence, APT experience, financial sector track record, PI insurance).
- A Scoping Report approved by the competent authority before testing began — covering critical functions, systems, people, and third-party dependencies.
- A Red Team Report with full attack narratives, techniques used, vulnerabilities exploited, and lateral movement paths.
- A remediation plan with prioritised findings and target closure dates.
- An attestation from the competent authority (often called a closure letter) confirming that the test was performed in accordance with the requirements. Under DORA Article 26(6) this attestation is what allows the TLPT to be mutually recognised by other competent authorities.
Common Mistakes
- Using a standard penetration testing firm that lacks red team and adversary simulation experience. This fails the tester requirements in DORA Article 27 and the RTS.
- Scoping TLPT around test environments rather than production. DORA requires TLPT to be carried out on live production systems; a replica is acceptable only where the competent authority has explicitly agreed to it.
- Treating the TTI report as a formality rather than as the operational foundation for scenario design.
- Starting procurement too late and missing the 3-year cycle. TLPT takes 9–12 months from kick-off to attestation, and provider selection happens before the clock starts.
Who Must Conduct TLPT
TLPT is not mandatory for every DORA-in-scope entity. Your competent authority designates which entities are required, based on systemic importance and ICT risk profile.
- Entities with the highest systemic importance, digital exposure, or critical market infrastructure roles are prioritised.
- TLPT must be repeated at least every 3 years (DORA Article 26(1)). The competent authority may reduce or increase this frequency based on your risk profile.
- Entities not designated for TLPT must still run the baseline testing programme under Articles 24–25.
- Not yet notified? Assess your likely designation now and start building internal capability; procurement alone takes 3–6 months.
Waiting for formal notification before preparing is a mistake. Entities with complex ICT environments should begin a capability assessment immediately.
Tester Qualification: The Bar Is High
The RTS is explicit about who qualifies as a TLPT Red Team Provider. Auditors will verify this against your procurement documentation.
- Full independence from the financial entity being tested: no conflicts of interest and no shared personnel.
- External testers by default. Internal testers are permitted only where the competent authority has verified that the entity has sufficient dedicated resources and manages conflicts of interest throughout the test (DORA Article 26(8)); the threat intelligence provider must always be external.
- Demonstrable expertise in threat intelligence, penetration testing and red team testing, including APT tactics and financial sector environments, not just vulnerability scanning.
- Certification by an accreditation body in a Member State, or adherence to formal codes of conduct or ethical frameworks, plus an independent assurance or audit report on how the tester manages the risks of the test, including protection of confidential information (DORA Article 27).
- Valid professional indemnity insurance, including cover for misconduct and negligence, commensurate with the engagement scope.
- The financial entity bears responsibility for verifying these qualifications before engagement. The provider's own assurances are not sufficient; keep the evidence in the procurement file.
Threat Intelligence: The Part Most Entities Get Wrong
TLPT is "threat-led" because the attack scenarios must reflect real adversaries that would plausibly target your organisation. Generic threat reports fail this test.
- Intelligence must come from a qualified Threat Intelligence Provider (TIP) with financial sector expertise.
- The TTI report must be entity-specific: your geography, your business model, your actual threat actors.
- It must cover realistic TTPs for those actors, not a recycled OWASP checklist or a generic ransomware briefing.
- The TTI report drives red team scenario design. Weak threat intelligence produces weak scenarios, and a weak scenario set is a non-compliant TLPT.
Auditors will read the TTI report. If it reads like a commercial threat feed subscription output, expect findings.
Scope: Broader Than You Think
Scope is not just IT systems. It covers the people, processes and technology that underpin your critical or important functions, including the ICT services those functions depend on that have been outsourced to third parties.
- Map critical or important functions to ICT assets, systems and third-party dependencies before the scoping report is written.
- Include privileged users, third-party operators and outsourced ICT providers in scope where they support critical or important functions.
- The scoping report must be validated by the competent authority before testing begins (DORA Article 26(2)). This is a regulatory gate, not a formality.
- Live production systems are the default. Testing on replicas requires the competent authority's explicit agreement.
- Where an in-scope ICT third-party provider cannot be tested without affecting the quality or security of services to its other customers, DORA Article 26(4) allows the provider to contract an external tester directly for a pooled TLPT, with the results counting toward each participating entity's obligation.
Mutual Recognition
For cross-border groups, a single TLPT can satisfy requirements across multiple Member States, but only with advance coordination.
- The lead competent authority coordinates with host authorities to agree scope and accept findings; the attestation issued at closure is the basis for recognition under Article 26(6).
- TIBER-XX national implementations (TIBER-NL, TIBER-DE, etc.) may be accepted as meeting the DORA TLPT requirements where the competent authorities concerned confirm this in writing; do not assume equivalence without that confirmation.
- Mutual recognition must be agreed before the test begins, not applied retrospectively.
3-Step Action Checklist
- 1. This week: Confirm with your competent authority whether you have been, or are likely to be, designated as subject to TLPT. If uncertain, request clarification in writing.
- 2. This month: Begin provider selection. Define your qualification criteria based on the RTS requirements. Shortlist Red Team Providers and Threat Intelligence Providers separately. Start procurement.
- 3. This quarter: Commission a pre-TLPT readiness assessment. Map your critical functions and ICT dependencies. Draft your Scoping Report. The earlier you engage your regulator on scope, the smoother the approval process.