Guide · 30 min read · Updated Q4 2025

TLPT Programme Planning Guide

End-to-end guide to planning and executing a DORA-compliant Threat-Led Penetration Test

Most entities that struggle with TLPT don't fail on the test itself — they fail on the preparation. They start procurement too late, define scope too narrowly, or treat the threat intelligence phase as a formality. By the time those problems are visible, the regulatory clock is already running.

Bottom Line

TLPT is a 9–12 month programme, not a project. Budget accordingly — typically €150k–€400k all-in. The CA engagement, scoping approval, threat intelligence production, and reporting phases each take meaningful time. Start 12+ months before your intended closure date.

What Auditors Will Actually Look For

  • Written CA notification with confirmation of the proposed scope and timeline before any testing activity began.
  • A Targeted Threat Intelligence (TTI) report produced by a qualified Threat Intelligence Provider (TIP) — specific to your entity, not a recycled sector briefing.
  • A Scoping Report agreed with the CA before testing started — covering critical functions, systems, people, and third-party dependencies.
  • Red Team Provider (RTP) qualification evidence: independence, APT simulation experience, PI insurance, regulatory track record.
  • Red Team Report with full attack narrative, techniques used, and exploitation evidence.
  • A Remediation Plan with prioritised findings, named owners, and target dates.
  • A Closure Letter from the CA confirming the 3-year TLPT cycle is complete.

Common Mistakes

  • Starting procurement at month 6 instead of month 1 — leaving no time for CA scoping approval before the test window closes.
  • Scoping TLPT like a penetration test: defining a list of systems rather than starting from critical functions.
  • Using a TIP that produces a generic financial sector threat briefing — this fails the entity-specific intelligence requirement.
  • Treating the Blue Team Report as optional — some CAs expect it as a standard deliverable.

Step 1 — Confirm Your TLPT Obligation

TLPT is only mandatory for entities designated significant by the competent authority. But "not yet notified" is not the same as "not in scope".

  • TLPT is mandatory for entities identified under Art. 26(8) based on systemic importance, ICT risk profile, and scale of digital operations.
  • If not formally notified, assess your profile against these criteria and engage your CA proactively in writing.
  • Central counterparties, major banks, and large insurers are almost universally in scope.
  • Even if not currently required, build readiness now — designations change and procurement alone takes 3–6 months.

Step 2 — Notify the Competent Authority

CA notification is the first formal gate. Nothing substantive should happen before it.

  • Submit a formal written notification: proposed timeline, preliminary scope outline, and intended providers.
  • The CA assigns a supervisory contact — establish a communication cadence immediately.
  • Check whether your CA maintains a list of recognised TLPT providers before issuing your RFP.
  • Obtain written CA confirmation that the proposed scope and timeline are acceptable before proceeding.

Step 3 — Define the Scope

Scope is the most consequential decision in the programme. Too narrow and the CA rejects it; too broad and the test becomes unmanageable.

  • Start from your critical and important functions as defined in your ICT risk management framework — not from a systems list.
  • Map each function to the people, processes, technology, and third-party providers that support it.
  • Include third-party and outsourced components where they support critical functions.
  • Production systems must be in scope — exclusions require CA justification and formal approval.
  • The Scoping Report must be formally agreed with the CA before any test activity begins.

Scope that excludes a critical cloud provider or outsourced function will be challenged by the CA. Document justifications for any exclusion in writing.

Step 4 — Source Threat Intelligence

The Targeted Threat Intelligence (TTI) report drives every attack scenario. Weak intelligence produces a non-compliant test.

  • Engage a qualified TIP — separate from the Red Team Provider where possible to maintain independence.
  • The TIP researches real threat actors targeting your sector, geography, and business model.
  • Output: a TTI report with realistic adversary TTPs, likely entry points, and target objectives.
  • Allow 4–8 weeks for quality intelligence research. Rushed TTI reports show.
  • The TTI report is confidential — share only with the red team and the CA.

Step 5 — Select a Red Team Provider

Your Red Team Provider (RTP) must meet the DORA RTS qualification requirements. Verify this during procurement — not after contract signature.

  • Issue an RFP structured around DORA Art. 26 RTS requirements (see the TLPT Provider RFP Template).
  • Evaluate: APT simulation experience, financial sector track record, independence, and PI insurance.
  • Request references from prior TLPT or TIBER-EU engagements — ask specifically about CA closure letters.
  • Agree a Statement of Work covering all phases, deliverables, timelines, and escalation procedures.

Test Execution Phases

Active testing runs across three phases. Only the White Team (CISO + senior IT risk) knows the test is live.

| Phase             | Activities                                                                        | Typical Duration |
|-------------------|-----------------------------------------------------------------------------------|------------------|
| Reconnaissance    | OSINT, passive network mapping, credential reconnaissance                         | 2–4 weeks        |
| Initial access    | Phishing, credential attacks, exploitation of exposed services                    | 3–6 weeks        |
| Post-exploitation | Lateral movement, privilege escalation, persistence, data access simulation       | 4–8 weeks        |

Reporting and Supervisory Submission

The test concludes with a formal package submitted to the CA.

  • Red Team Report: full attack narrative, techniques, vulnerabilities exploited, and evidence.
  • Blue Team Report: detection timeline, response actions, gaps identified.
  • Remediation Plan: prioritised findings with owners and target closure dates.
  • Closure Letter: issued by the CA once satisfied — formally closes the 3-year TLPT cycle.

Realistic Timeline

| Milestone                              | Months from Start |
|----------------------------------------|-------------------|
| CA notification and scope agreement    | Month 1–2         |
| Threat intelligence production         | Month 2–3         |
| RFP, provider selection, contracting   | Month 2–4         |
| Test execution                         | Month 4–7         |
| Reporting and remediation plan         | Month 7–9         |
| CA review and closure letter           | Month 9–12        |

Compressed timelines increase the risk of scope gaps and incomplete reporting. Build in contingency — CA review alone can take 4–8 weeks.

3-Step Action Checklist

  1. This week: Confirm in writing with your CA whether you are designated for TLPT. If uncertain, request a formal position — do not assume.
  2. This month: Map your critical functions to the people, systems, and third-party providers that support them. This mapping is the foundation of your scoping report and should exist before you engage any provider.
  3. This quarter: Issue a Request for Information to 3–5 candidate Red Team Providers and Threat Intelligence Providers. Assess qualifications against the DORA RTS criteria. Shortlist before issuing the formal RFP.
