The classic trap
It is tempting to propose a 'safe' TLPT scope: a well-bounded subset, secondary systems or, worse, a production replica. The CSSF and the BCL, as the TIBER-LU authorities, reject such watered-down scopes and require that the critical or important functions identified under DORA Art. 8 are effectively tested in live production. The second pitfall concerns outsourced critical ICT providers: leaving them out of scope means testing an empty shell, since a real attacker will pivot precisely through Azure, AWS, Swift or your outsourced core banking. CSSF Circular 25/882 and RTS 2025/532 require these third parties to be mapped and, where relevant, included in the TLPT scope.
What the CSSF and BCL actually validate in your scoping document
- The consistency between the critical functions declared in the DORA Art. 8 register and those proposed for TLPT (any omission is a red flag).
- The presence of real production systems, not pre-production or UAT environments, backed by technical evidence (CMDB entries, live flows, real client data).
- The inclusion of critical ICT providers in line with DORA Art. 28-30 and their contractual clauses (audit and test rights, CSSF Circular 22/806).
- The documented justification of any exclusion: a legacy system that cannot be tested must be covered by a compensating control, not simply struck from scope.
- The articulation with CSSF Circular 20/750: TLPT findings must flow into the existing ICT risk management framework, not live in a silo.
- The realistic pivot chain: if your cloud provider hosts the critical function, the red team must be able to reach it in the scenario, even if the technical test stops at the contractual boundary.
How Luxgap automates this risk
Our Luxgap TLPT Scope Architect turns the drafting of the scoping document, usually a manual six-to-ten-week exercise, into an automated assembly that stands up to CSSF and BCL review. The tool cross-references your DORA Art. 8 register, your CMDB (ServiceNow, Lansweeper, Device42), your supplier contracts in Odoo or SAP Ariba and your network flows in Defender for Cloud / Sentinel to reconstruct the true production footprint of each critical function, including third-party dependencies nobody has documented.
- Automatically detects under-declared critical functions by comparing the DORA Art. 8 register with real application flows observed via Azure Sentinel, CrowdStrike or Wazuh.
- Maps the full chain of critical ICT providers (tier 2 and tier 3 subcontractors included) by leveraging CSSF Circular 22/806 and RTS 2025/532.
- Automatically distinguishes real production environments from test environments through DNS fingerprints, TLS certificates, transaction volumes and the presence of real client data.
- Generates the scoping document pre-filled in the TIBER-LU Implementation Document format dated 20 June 2025, ready to submit to the BCL TCT (TLPT Cyber Team).
- Produces the documented justification for each inclusion and exclusion, with proposed compensating controls for non-testable legacy systems.
- Feeds Circular 20/750 compliance directly by preparing the channel through which post-TLPT remediation enters your ICT risk management framework.
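As an added illustration of the checks both lists above turn on (this script is not Luxgap's tool or the CSSF's method; the register, CMDB extract and flow records are constructed, and every hostname and provider name is hypothetical), the following Python walks the observed flows from each declared critical-function host to rebuild the real pivot chain, flags dependencies and third-party operators in that chain that the register does not declare, and flags declared hosts whose CMDB environment, naming or traffic volume says they are not production. It serves the validation points under "What the CSSF and BCL actually validate" as well as the register-versus-flows, provider-chain and production-versus-test features above.

```python
"""Scope-consistency check for a TLPT scoping document (added example).

Not Luxgap's product code. All inputs below are constructed: a declared
register (critical function -> hosts proposed for the test), a CMDB extract
(host -> environment, operator) and flow records in the shape a SIEM export
would give (src, dst, dst_port, sessions observed over the period).
"""
from collections import defaultdict, deque
import re

# Hostname tokens that usually mark a non-production environment (assumption).
NONPROD_HINT = re.compile(r"(^|[-.])(uat|test|tst|dev|preprod|pprd|staging|sbx)([-.]|$)", re.I)

# Constructed register: critical function -> hosts the entity proposes to test.
REGISTER = {
    "instant-payments": {"pay-gw-prd-01", "pay-core-prd-01"},
    "client-portal": {"web-prd-01", "web-uat-01"},  # a UAT host slipped into scope
}

# Constructed CMDB extract: host -> (environment, operator).
CMDB = {
    "pay-gw-prd-01": ("prod", "internal"),
    "pay-core-prd-01": ("prod", "internal"),
    "web-prd-01": ("prod", "internal"),
    "web-uat-01": ("uat", "internal"),
    "swift-aa-prd-01": ("prod", "internal"),
    "sql-prd-cluster": ("prod", "internal"),
    "ad-prd-01": ("prod", "internal"),
    "eu-west-1.coreapi.example-cloud": ("prod", "example-cloud (third party)"),
    "saa.swift.net": ("prod", "SWIFT (third party)"),
}

# Constructed flow records: (src, dst, dst_port, sessions over 30 days).
FLOWS = [
    ("pay-gw-prd-01", "pay-core-prd-01", 8443, 910_000),
    ("pay-core-prd-01", "sql-prd-cluster", 1433, 2_400_000),
    ("pay-core-prd-01", "swift-aa-prd-01", 443, 120_000),
    ("swift-aa-prd-01", "saa.swift.net", 443, 118_000),
    ("pay-core-prd-01", "ad-prd-01", 636, 30_000),
    ("web-prd-01", "eu-west-1.coreapi.example-cloud", 443, 5_100_000),
    ("web-prd-01", "ad-prd-01", 636, 40_000),
    ("web-uat-01", "eu-west-1.coreapi.example-cloud", 443, 320),
]


def build_graph(flows):
    """Directed adjacency list src -> {dst}, the substrate for the pivot-chain walk."""
    graph = defaultdict(set)
    for src, dst, _port, _sessions in flows:
        graph[src].add(dst)
    return graph


def reachable(graph, seeds):
    """Every host transitively reachable from the declared hosts (BFS over flows)."""
    seen, queue = set(seeds), deque(seeds)
    while queue:
        host = queue.popleft()
        for nxt in graph.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def sessions_of(flows, host):
    """Total sessions a host took part in, as source or destination."""
    return sum(n for s, d, _p, n in flows if host in (s, d))


def scope_gaps(register, cmdb, flows, min_sessions=1000):
    """Per critical function: what the declared scope misses or wrongly contains."""
    graph = build_graph(flows)
    report = {}
    for function, declared in register.items():
        chain = reachable(graph, declared)
        operators = {h: cmdb.get(h, ("unknown", "unknown")) for h in chain}
        suspect = {
            h for h in declared
            if operators[h][0] != "prod"                  # CMDB says non-prod
            or NONPROD_HINT.search(h)                     # name says non-prod
            or sessions_of(flows, h) < min_sessions       # too quiet to be live
        }
        report[function] = {
            "undeclared_dependencies": sorted(chain - declared),
            "third_party_in_chain": sorted(h for h, (_env, op) in operators.items() if op != "internal"),
            "suspect_nonprod": sorted(suspect),
        }
    return report


if __name__ == "__main__":
    for fn, gaps in scope_gaps(REGISTER, CMDB, FLOWS).items():
        print(fn, gaps)
```

The walk is deliberately transitive: in the constructed data the payments core never talks to SWIFT directly, yet the SWIFT Alliance host and the provider endpoint behind it land in the chain, which is exactly the pivot the scenario must be allowed to follow even if the technical test stops at the contractual boundary. The volume threshold is a heuristic and should be tuned per function; a genuinely low-traffic production system must be justified in the scoping document rather than dropped because the script flagged it.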
Available as an add-on to a Luxgap CISO mandate or as a dedicated SaaS module, depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real perimeter, with a free 48-hour dry-run audit to measure the gap between your declared DORA register and your effective production exposure before any commitment.