Guide · 15 min read · Updated Q1 2026

TLPT Provider RFP Template

A ready-to-use Request for Proposal for selecting a DORA-compliant TLPT provider

Selecting the wrong TLPT provider means running the test again. Providers without a TIBER-EU or DORA TLPT track record, with only generic threat intelligence, or with no experience of seeing a CA closure letter through to the end will cost you time, money, and regulatory friction. The questions below separate credible providers from those who simply call themselves red teamers.

Bottom Line

Your TLPT provider selection is a regulatory decision, not a procurement exercise. The DORA RTS sets explicit qualification requirements — your RFP must screen for them. A provider that has never delivered a CA closure letter is high-risk. Ask the hard questions before shortlisting, not after contract signature.

What Auditors Will Actually Look For

  • Evidence that you issued a structured RFP aligned to DORA Art. 26 RTS qualification requirements.
  • Documented evaluation criteria and scoring — not just a price comparison.
  • Verification of tester independence: no team member worked for your entity in the past 3 years.
  • PI insurance confirmation for the engagement scope.
  • References from prior TLPT or TIBER-EU engagements — with CA closure letters as the evidence bar.
  • A signed confidentiality and data processing agreement before any engagement activity begins.

Common Mistakes

  • Shortlisting based on penetration testing credentials rather than TLPT or TIBER-EU track records — different skill sets.
  • Not requesting a sample TTI report — the single best predictor of threat intelligence quality.
  • Accepting "we can sub-contract" without asking who the sub-contractors are and whether they meet RTS standards.
  • Skipping the methodology presentation — a provider who can't articulate their TLPT process clearly will struggle to execute it.

Section 1 — Organisation and Background

Establish baseline credentials before evaluating any technical proposal.

  • 1.1 Provide your legal name, jurisdiction of incorporation, and years in operation.
  • 1.2 Describe your TLPT and TIBER-EU engagement history in the EU financial sector. List references (anonymised if required).
  • 1.3 How many TLPT/TIBER engagements have you completed in the past 3 years? In which sectors?
  • 1.4 Have any of your TLPT reports been rejected or required significant rework by a competent authority? If yes, explain.
  • 1.5 Provide current professional indemnity insurance coverage details and limit.

Section 2 — Tester Qualifications (DORA Art. 26 RTS)

Independence and technical competence are RTS requirements — not desirable extras.

  • 2.1 List qualifications and certifications of the proposed red team lead and key team members (CREST, OSCP, CRTO, or equivalent).
  • 2.2 Confirm that no proposed team member has been employed by or consulted for [Entity Name] in the past 3 years.
  • 2.3 Describe your QA process: who reviews findings before the report is finalised?
  • 2.4 Have team members received specific training on the DORA RTS on TLPT? Provide evidence.
  • 2.5 If proposing to use sub-contractors, identify them and confirm they meet the same qualification standards.

Section 3 — Threat Intelligence Capability

Generic sector briefings fail the entity-specific intelligence requirement. Probe this section hard.

  • 3.1 Do you provide threat intelligence in-house or through a third-party TIP? If third-party, identify them.
  • 3.2 Describe your methodology for producing TTI specific to our sector, geography, and business model.
  • 3.3 What primary and secondary intelligence sources do you use (closed-source feeds, dark web, OSINT)?
  • 3.4 Provide a sample TTI report structure (redacted) from a prior financial sector engagement.
  • 3.5 How do you ensure intelligence is current and not recycled from prior engagements?

The sample TTI report is the most revealing document a provider can submit. A generic sector briefing is an immediate disqualifier.

Section 4 — Methodology and Execution

The methodology must cover the full attack lifecycle with explicit handling for high-risk scenarios.

  • 4.1 Describe your end-to-end TLPT methodology from scope agreement through to report delivery.
  • 4.2 What attack phases do you execute as standard? (Reconnaissance, initial access, post-exploitation, lateral movement, objective completion.)
  • 4.3 How do you handle discovery of critical zero-day vulnerabilities or active compromise during the test?
  • 4.4 Describe your escalation procedure if a test action causes unintended service disruption.
  • 4.5 How do you ensure test activities remain within agreed scope and do not impact out-of-scope systems?
  • 4.6 What is your approach to testing third-party provider components included in scope?

Section 5 — Reporting and Supervisory Deliverables

The reporting package must satisfy the CA, not just the internal client.

  • 5.1 What deliverables do you produce as standard? (Red Team Report, Blue Team Report, Remediation Plan, Executive Summary.)
  • 5.2 Provide a sample report table of contents from a prior TLPT engagement.
  • 5.3 How do you classify and prioritise findings? What severity framework do you use?
  • 5.4 Describe your experience engaging directly with competent authorities during and after TLPT exercises.
  • 5.5 Do you offer re-testing of critical findings as part of the standard engagement?

Section 6 — Confidentiality and Data Handling

TLPT involves access to production systems and sensitive data. The engagement's own security must be contractually assured.

  • 6.1 Describe your data handling and information security controls during the engagement.
  • 6.2 How are findings, evidence, and reports stored and transmitted? What encryption standards apply?
  • 6.3 What is your staff vetting process for personnel working on TLPT engagements?
  • 6.4 How long is engagement data retained after project closure? Can we require deletion?
  • 6.5 Confirm your willingness to sign a tailored confidentiality and data processing agreement.

Evaluation Scoring Matrix

Score all shortlisted providers against the same criteria. Document scoring before final selection.

Criterion                                  | Weight | Scoring guidance
-------------------------------------------|--------|--------------------------------------------------------------------
Technical capability and methodology       | 30%    | Depth of methodology, attack phase coverage, handling of edge cases
Tester qualifications and independence     | 25%    | Certifications, sector experience, DORA RTS compliance verification
Threat intelligence quality                | 20%    | In-house vs. third-party, source breadth, sample TTI quality
Reporting and CA experience                | 15%    | Report quality, closure letter history, CA engagement track record
Confidentiality and security controls      | 10%    | Data handling standards, vetting rigour, contractual flexibility

Shortlist a maximum of 3 providers. Require a methodology presentation before final selection — how a provider explains their process is as telling as what they write.

3-Step Action Checklist

  • 1. This week: Draft your long-list of candidate providers. Focus on TLPT and TIBER-EU track record — not general red team reputation. Check whether your CA maintains a recognised provider list.
  • 2. This month: Issue a Request for Information (not yet a full RFP) to 5–7 providers using the Section 1–3 questions above. Use the responses to shortlist to 3 before issuing the full RFP.
  • 3. This quarter: Issue the full RFP, score proposals against the evaluation matrix, and invite shortlisted providers to present their methodology. Complete provider selection before committing to a CA notification timeline.
