What is DORA (Digital Operational Resilience Act)?

DORA is an EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector. It became mandatory on January 17, 2025, and requires financial entities to manage ICT risks, report incidents, test resilience, and oversee third-party providers.

Who must comply with DORA?

DORA applies to virtually all EU-regulated financial entities including credit institutions (banks), investment firms, insurance companies, payment institutions, e-money institutions, crypto-asset service providers, and critical ICT third-party service providers. Over 22,000 entities are affected.

What is TLPT (Threat-Led Penetration Testing)?

TLPT is an advanced form of security testing aligned with the TIBER-EU framework. It simulates real-world cyber attacks based on threat intelligence to test an organization's detection and response capabilities. TLPT is mandatory for significant financial entities every 3 years under DORA.

Is TLPT mandatory for all financial entities?

No. TLPT is mandatory only for significant financial entities such as large banks, major insurers, and systemic investment firms. Smaller entities have simplified testing requirements, though regular vulnerability assessments are required for all entities under DORA.

What are the penalties for DORA non-compliance?

Penalties for DORA non-compliance vary by EU member state but can include fines up to 1% of average daily worldwide turnover, administrative penalties, public reprimands, and remediation orders from competent authorities.

What is the TIBER-EU framework?

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European framework for threat-led penetration testing. It provides a structured methodology for conducting intelligence-led security tests on financial institutions, which DORA's TLPT requirements are based upon.

Guide15 min readUpdated November 2025

TIBER-EU Framework Explained

How TIBER-EU works, how it relates to DORA TLPT, and what mutual recognition actually requires

The most common question I hear from IT directors who ran TIBER-XX tests before DORA: "Does our existing test count?" The honest answer is: maybe — but only with written confirmation from your competent authority. DORA Art. 26(7) permits recognition of equivalent frameworks, but equivalence is assessed case by case. Do not assume recognition. Do not present a TIBER report to an auditor as DORA TLPT evidence without the closure letter that says it is.

Bottom Line

TIBER-EU is the direct predecessor to DORA TLPT and most national programmes are built on it. A completed TIBER-XX test may satisfy your first DORA TLPT cycle — but only if your competent authority confirms equivalence in writing, the scope and tester qualifications met the DORA RTS standards, and the test was recent enough to be credible. Engage your CA before your TLPT deadline, not after. An unrecognised TIBER test leaves you non-compliant with no runway to run a new one.

What Auditors Will Actually Look For

Written confirmation (closure letter or equivalence decision) from your competent authority — verbal assurance is not sufficient.
Whether your prior TIBER test scope covered all current critical functions — if your business has changed, partial scope is a problem.
Tester qualification evidence: did the Red Team Provider meet the DORA RTS independence and qualification requirements, not just TIBER-EU standards?
Date of the test: pre-2022 TIBER tests are unlikely to be recognised — the regulatory and threat landscape has materially changed.
Remediation follow-through: even a recognised test is a red flag if major findings were never closed.

Common Mistakes

Assuming a prior TIBER test automatically satisfies DORA without seeking CA confirmation — this is the most expensive mistake.
Submitting a TIBER Red Team Report to the CA without a closure letter and expecting it to count.
Using a TIBER test from 2019–2021 as evidence — the scope, standards, and threat landscape make this hard to defend.
Not engaging the CA until after your TLPT deadline has passed — equivalence decisions take time.

The Three TIBER-EU Phases

Phase	Activities	Key Output
1. Preparation	Scope definition, provider procurement, authority notification, White Team setup	Scoping report approved by authority
2. Test	Targeted Threat Intelligence (TTI) report production, red team attack execution across all agreed attack surfaces	Red Team Report + Blue Team Report
3. Closure	Findings debrief, remediation planning, report submission to authority, closure letter issued	Closure letter from competent authority

Key Roles in a TIBER-EU Test

White Team: small internal group (typically CISO + CRO) aware the test is running. Acts as liaison between red team and management. Must not tip off the Blue Team.
Red Team Provider (RTP): the external provider conducting the simulated attack. Must meet TIBER-EU qualification standards — and for DORA recognition purposes, the DORA RTS qualification requirements.
Threat Intelligence Provider (TIP): produces the Targeted Threat Intelligence report that shapes attack scenarios. Can be the same entity as the RTP or separate.
Blue Team: the entity's own security operations and incident response team — typically unaware the test is live. Their detection and response is part of what is being assessed.
Competent Authority: the national supervisor overseeing the exercise. Approves scope, receives reports, and issues the closure letter without which the test is not complete.

TIBER-XX National Variants

TIBER-EU is implemented at national level through country-specific variants. Each follows the same three phases but may have local adaptations in scope thresholds, provider registration requirements, and reporting formats.

Variant	Country	Governing Authority
TIBER-NL	Netherlands	De Nederlandsche Bank (DNB)
TIBER-DE	Germany	Deutsche Bundesbank / BaFin
TIBER-BE	Belgium	National Bank of Belgium
TIBER-DK	Denmark	Danmarks Nationalbank
TIBER-FI	Finland	Bank of Finland
TIBER-NO	Norway	Norges Bank
TIBER-SE	Sweden	Riksbank
CBEST	United Kingdom	Bank of England (pre-Brexit equivalent)

Not all EU Member States have a published TIBER-XX variant. Where no national variant exists, authorities may use the TIBER-EU framework directly or develop DORA-specific TLPT guidance. Check with your CA before assuming your national variant exists.

Mutual Recognition: Does Your TIBER Test Count Under DORA?

DORA Art. 26(7) explicitly allows competent authorities to recognise tests conducted under equivalent frameworks. Whether your test qualifies depends on four factors:

Recency: tests conducted before 2022 are unlikely to be recognised. The DORA RTS requirements introduced standards that older TIBER engagements were not designed to meet.
Scope adequacy: did the test cover all functions and systems that are now classified as critical under DORA? If your business has changed, the original scope may no longer be sufficient.
Tester qualification: did the Red Team Provider and Threat Intelligence Provider meet the DORA RTS independence and qualification requirements — not just TIBER-EU standards?
CA confirmation: this is the non-negotiable step. Get written confirmation from your competent authority that your prior TIBER test satisfies your DORA TLPT obligation for the current cycle.

Do not assume recognition. Do not wait until your TLPT deadline to ask. Equivalence decisions are at the CA's discretion and take time — start the conversation now.

Key Differences: TIBER-EU vs. DORA RTS on TLPT

Dimension	TIBER-EU	DORA TLPT (RTS)
Legal basis	Voluntary ECB framework	Mandatory under DORA Art. 26
Frequency	No fixed requirement	At least every 3 years
Internal testers	Permitted with controls	Restricted; external preferred per RTS
Scope	Critical functions	Critical functions — same principle, stricter definition
Mutual recognition	Between TIBER-XX variants	Across all EU Member States under DORA, CA discretion
Regulatory status	Supervisory tool	Legal compliance obligation with enforcement consequences

3-Step Action Checklist

1. This week: locate your most recent TIBER-XX closure letter (or confirm you have none). If you have one, check the date and scope against your current critical functions.
2. This month: contact your competent authority to initiate the equivalence discussion. Bring your closure letter, Red Team Report, and a current critical functions register.
3. This quarter: if equivalence is not confirmed, begin scoping a DORA-compliant TLPT — including provider procurement and CA pre-engagement — to avoid missing your 3-year cycle deadline.

Related Resources

ReferenceRTS on TLPT (Joint ESA Standard)

GuideTLPT Programme Planning Guide

GuideRed Team vs. TLPT: Key Differences

GuideDORA Testing Hierarchy: What You Need

Need a DORA gap assessment?

Use our free readiness tool to identify your compliance gaps across all five DORA pillars.

Start Free Assessment Talk to a Specialist