TLPT (threat‑led red team): meeting DORA Articles 26‑27
DORA requires selected financial entities to run threat‑led penetration tests on production systems. This is how a structured TLPT implementation fulfils Articles 26‑27, step by step.
What the law requires
Regulation (EU) 2022/2554 (“DORA”) has applied since 17 January 2025. Its Articles 26‑27 establish an advanced testing regime: certain entities, designated by the competent authority, must run a Threat‑Led Penetration Test (TLPT) based on realistic attack scenarios and executed on production systems, covering “several or all” of their critical or important functions. Tests must be performed by external providers meeting independence, competence and ethics criteria, with strict planning, governance, security and confidentiality requirements. After completion, the authority issues an attestation enabling mutual recognition across EU competent authorities, and the entity must address findings and, if needed, perform a retest. See official text: EUR‑Lex – DORA, Art. 26‑27. The CSSF confirms the application date and clarifies that it is the TLPT authority in Luxembourg for supervised entities, with TIBER‑LU (national adaptation of TIBER‑EU) as the operational reference: CSSF – DORA application, CSSF – ICT and cyber risk (TLPT/TIBER‑LU). For the TIBER‑EU method (the EU framework for intelligence‑led ethical testing), see the European Central Bank: ECB – What is TIBER‑EU?. For a practical overview of the DORA framework in Luxembourg, visit our DORA Luxembourg page and the regulatory focus DORA.
The technical solution (state of the art)
TLPT is not a traditional “pentest.” It is a red team exercise driven by targeted threat intelligence (TTPs, actors, campaigns relevant to your sector and technology footprint). In practice:
- Targeted threat intelligence (TI): multi‑source collection (CTI, credential leaks, dark web, sector reports) to design plausible attack scenarios. Context reference: ENISA – Threat Landscape.
- Scenario design and rules of engagement: selection of attack paths towards critical functions (payments, custody, core banking, scheduling/orchestration systems), safety boundaries, execution windows, stop and de‑escalation procedures.
- Testing in production: controlled execution (red team OPSEC, deconfliction, recording) in production environments as required by Art. 26. Exercises may include initial access (targeted phishing or exploitation), lateral movement, privilege escalation, limited domain dominance, and achieving verifiable business objectives.
- Defensive observation: measuring blue team detection and response (SOC, EDR/XDR, SIEM) without initial notice, then a purple team phase (technical sharing and guided replay) to embed lessons learned. TIBER‑EU frames this interplay: ECB – TIBER‑EU. To strengthen detection during and after the exercise, consider our managed SOC.
- Reporting, remediation, retest: structured report (attack chains, evidence, detection metrics), prioritised action plan, post‑fix validation and authority attestation where applicable (EU mutual recognition). Legal basis: DORA, Art. 26‑27.
Useful frameworks:
- ISO/IEC 27001 / 27002 (2022): vulnerability management, security testing, and ISMS continual improvement (aligning TLPT with control effectiveness).
- NIST CSF 2.0: “Detect” (DE.AE – anomaly detection) and “Respond” (RS.AN – incident analysis) functions boosted by TLPT insights.
- CIS Controls v8: Control 18 “Penetration Testing” and Control 13 “Network Monitoring and Defense,” used to structure corrective actions from TLPT.
On “Level 2” (delegated/implementing measures), the European Commission publishes technical standards detailing execution points, including advanced testing: European Commission – DORA Level 2 measures.
How Luxgap delivers it
Our TLPT approach aligns with DORA and TIBER‑LU, under zero‑surprise governance:
- ISO 27001 governance: our certified Lead Implementers/Auditors define scope (critical functions), materiality analysis, ICT dependency mapping, and the documentation expected at test closure (test dossier, risk traceability, remediation plan).
- Our dark web monitoring: we feed the threat intelligence phase with concrete indicators (exposed credentials, code leaks, emerging toolkits) to build relevant scenarios mapped to observed TTPs in the sector (context via ENISA – Finance sector and Threat Landscape). To enrich this collection, see our dark web monitoring service.
- Our managed SOC (if selected): during the exercise we instrument telemetry (SIEM/XDR), capture signals, compare detection time and quality against scenario TTPs, then run a purple session to turn findings into detection rules and playbooks.
In practice we proceed in five steps: (1) scoping and initial notification to the authority where required by TIBER‑LU/CSSF; (2) TI production and scenario design; (3) rules of engagement and safeguards (stopping points, backups, continuity plan); (4) execution in production with full logging and deconfliction meetings; (5) reporting, action plan, retest and attestation dossier preparation. DORA requirements for qualified and independent external testers (Art. 27) are embedded in our contracts and role separation.
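The detection measurement described in the defensive observation and managed SOC points above (comparing detection time and quality against scenario TTPs, then feeding the purple session) can be made concrete with a small evaluation script. The following is an added example, not Luxgap's tooling or anything from DORA/TIBER‑EU: it pairs a red team activity timeline with the SOC's alert log, attributes to each step the first alert for the same technique that fired after the action and within an agreed window, and produces the coverage and time‑to‑detect figures that go into the test report. The step and alert records, the four‑hour attribution window and the ATT&CK technique IDs used as labels are constructed assumptions for illustration.

```python
"""Detection metrics for a TLPT exercise (constructed example).

Pairs a red team activity timeline with the SOC's alert log, matches them by
technique and time window, and computes per-step time-to-detect and overall
coverage for the report and the purple team session.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class RedTeamStep:
    when: datetime        # time the red team executed the action (from its own log)
    technique: str        # ATT&CK technique ID the step exercises (assumed mapping)
    description: str


@dataclass(frozen=True)
class SocAlert:
    when: datetime        # time the alert fired in the SIEM/XDR
    technique: str        # technique the detection rule is mapped to
    rule: str


@dataclass(frozen=True)
class StepResult:
    step: RedTeamStep
    alert: Optional[SocAlert]
    time_to_detect: Optional[timedelta]   # None when undetected inside the window


def match_detections(steps, alerts, window=timedelta(hours=4)):
    """For every red team step, find the first alert for the same technique that
    fired at or after the step and within `window`. Alerts that fired before the
    action cannot be attributed to it and are ignored; alerts after the window
    count as a miss for reporting purposes."""
    results = []
    for step in sorted(steps, key=lambda s: s.when):
        candidates = [
            a for a in alerts
            if a.technique == step.technique
            and step.when <= a.when <= step.when + window
        ]
        if candidates:
            first = min(candidates, key=lambda a: a.when)
            results.append(StepResult(step, first, first.when - step.when))
        else:
            results.append(StepResult(step, None, None))
    return results


def summarise(results):
    """Coverage ratio, median time-to-detect (minutes) and the list of techniques
    that produced no attributable alert, i.e. the purple session's backlog."""
    detected = [r for r in results if r.alert is not None]
    ttd_minutes = [r.time_to_detect.total_seconds() / 60 for r in detected]
    return {
        "steps": len(results),
        "detected": len(detected),
        "coverage": len(detected) / len(results) if results else 0.0,
        "median_ttd_minutes": median(ttd_minutes) if ttd_minutes else None,
        "undetected_techniques": sorted({r.step.technique for r in results if r.alert is None}),
    }


# Constructed sample data: a four-step scenario and the alerts the SOC raised.
T0 = datetime(2025, 3, 10, 9, 0)
SAMPLE_STEPS = [
    RedTeamStep(T0, "T1566", "phishing e-mail opened on operator workstation"),
    RedTeamStep(T0 + timedelta(minutes=45), "T1078", "reuse of technical account credentials"),
    RedTeamStep(T0 + timedelta(hours=2), "T1021", "lateral movement to orchestrator host (legacy segment)"),
    RedTeamStep(T0 + timedelta(hours=3), "T1565", "order altered in the agreed test flow (verifiable objective)"),
]
SAMPLE_ALERTS = [
    # Fired before any action: unrelated noise, must not be credited to the exercise.
    SocAlert(T0 - timedelta(minutes=10), "T1078", "Brute-force on service account"),
    SocAlert(T0 + timedelta(minutes=12), "T1566", "Mail gateway: suspicious attachment"),
    # Fired 4h45 after the credential reuse: outside the attribution window.
    SocAlert(T0 + timedelta(hours=5, minutes=30), "T1078", "Anomalous logon for technical account"),
    SocAlert(T0 + timedelta(hours=3, minutes=20), "T1565", "Order integrity check failed"),
]


def run_sample():
    """Evaluate the constructed scenario; returns (per-step results, summary)."""
    results = match_detections(SAMPLE_STEPS, SAMPLE_ALERTS)
    return results, summarise(results)


if __name__ == "__main__":
    results, summary = run_sample()
    for r in results:
        status = f"detected in {r.time_to_detect}" if r.alert else "NOT detected"
        print(f"{r.step.technique} {r.step.description}: {status}")
    print(summary)
```

In the constructed run, two of four steps are detected (coverage 0.5, median time‑to‑detect 16 minutes) and the credential reuse and the move to the legacy segment are not, which is exactly the kind of gap the case study above turns into EDR coverage and SIEM correlation work. The attribution window is a reporting convention to agree in the rules of engagement, not a fixed value; a late alert still matters, but it is recorded as a miss against the scenario step rather than as detection.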
Concrete case in Luxembourg or the EU
A Luxembourg investment services firm, supervised by the CSSF and designated for TLPT scope, contracted Luxgap for an exercise targeting its “execution/clearing” function. Scenarios (inspired by recent sector attacks, corroborated by our watch and the ENISA Threat Landscape) aimed to compromise an operator workstation, move laterally to the flow orchestrator and alter orders. The production exercise under TIBER‑LU revealed: insufficient EDR visibility on a legacy segment, SIEM correlation rules in need of improvement, and a need to harden IAM for technical accounts. Measures were implemented and verified in retest, then the dossier was submitted to the CSSF for attestation in line with DORA Art. 26‑27 and TIBER‑EU/TIBER‑LU.
First practical steps
- Check your TLPT eligibility: confirm with your authority (CSSF for financial entities in Luxembourg) whether you fall under DORA Art. 26 and the TLPT/TIBER‑LU regime. Ref.: CSSF – TLPT.
- Map your critical functions: align your register of “critical or important” functions and their ICT dependency chains (on‑prem, cloud, third parties); this forms the TLPT core scope.
- Prepare rules of engagement: define early the backups, execution windows, technical crisis cell and stop mechanisms; secure the necessary authorisations to operate in production.
- Strengthen detection and logging: before testing, ensure SIEM/XDR collect the right logs in the right places to maximise learning value. A managed SOC can accelerate both the preparation and the use of the results.
- Select compliant partners: demand independence, TIBER‑EU/TIBER‑LU experience, and the ability to provide a complete dossier (test plan, evidence, action plan and retest) aligned with DORA Art. 26‑27. For regulatory context, see our DORA page. To discuss your case, contact us.
Official sources
- EUR‑Lex – Regulation (EU) 2022/2554 (DORA), Art. 26‑27
- CSSF – DORA application (reminder and precedence over circulars)
- CSSF – ICT and cyber risk (TLPT authority role and TIBER‑LU adoption)
- European Central Bank – TIBER‑EU (framework and guides)
- European Commission – DORA Level 2 measures (RTS/ITS)
- ENISA – EU Threat Landscape
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.