DORA mandates TLPT: TIBER-EU as the operational map for financial SMEs

DORA has been fully applicable since January 17, 2025. Among its obligations is Threat-Led Penetration Testing — a cyber resilience test that bears little resemblance to classic penetration tests. TIBER-EU — the European Central Bank's framework — is the operational map for conducting it. Here is what it means in practice for a financial SME.
What DORA Art. 26 requires
Regulation (EU) 2022/2554 — DORA — has applied since January 17, 2025 to banks, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central counterparties and many other financial entities. Art. 26 introduces, for significant entities — identified by the competent authority — the obligation to conduct a Threat-Led Penetration Test (TLPT) at least every three years.
TLPT is not a traditional pentest. It must cover real production systems, be driven by entity-specific threat intelligence, and follow a framework recognised by the competent authority. TIBER-EU — updated in 2024/2025 to align with the DORA Regulatory Technical Standards — is the operational reference for most European countries.
TLPT ≠ Penetration test: the difference that matters
A traditional pentest starts from a defined technical scope, uses standardised methodologies (OWASP, PTES) and looks for known vulnerabilities. It is useful, but tells only part of the story.
TLPT starts from a different question: which real threat actors would target this specific organisation, and how? The answer is provided by an accredited CTI provider (Cyber Threat Intelligence), who builds a bespoke attack scenario — not a generic one. Only then does an accredited Red Team provider execute the simulation, on real production systems, attempting to compromise the entity's critical functions. The Blue Team — the internal defenders — does not know the test is under way (or only knows partially).
The output is not a list of CVEs to patch: it is an assessment of real operational resilience, covering people, processes and technology together.
The three phases of TIBER-EU
The TIBER-EU framework structures the test into three main phases:
- Preparation. The tested entity sets up a White Team (internal staff aware of the test), defines the scope with the competent authority, and selects CTI and Red Team providers through documented procurement procedures.
- Testing. The CTI provider produces a Targeted Threat Intelligence Report — an analysis of threats specific to the entity. On this basis the Red Team plans and executes the attack simulation against critical functions in production. The Blue Team operates normally, unaware that the test is active.
- Closure. Red Team and Blue Team produce separate reports. A purple teaming session follows — collaboration between attackers and defenders — to share the techniques used and identify detection gaps. The final output is a prioritised remediation plan and a formal attestation to be submitted to the competent authority.
Who needs to act (and who should prepare)
The direct TLPT obligation falls on significant entities designated by the competent authority — typically the largest and most systemically relevant institutions. For financial SMEs (fintechs, small payment institutions, fund managers) designation depends on the national regulator's judgment.
But there is a second level of relevance: even if you are not directly required to perform TLPT, TIBER-EU is the market benchmark. Your institutional clients and larger counterparties use it; outsourcing contracts and third-party questionnaires will increasingly ask whether you have conducted this type of test. The market always anticipates the regulator.
In addition, critical ICT providers of significant entities — even if not directly subject to DORA as financial entities — may be included in the test scope at the request of the tested entity.
The Tomato Blue perspective
Preparing a financial entity for TLPT is not just a technical matter. It requires:
- Gap analysis against DORA/TIBER-EU requirements — understanding where you are and where you need to be before engaging providers
- Definition of critical functions — which processes, systems and data are within the test scope (and why)
- Process governance — setting up the White Team, managing confidentiality, aligning legal, IT and management
- Post-test management — turning Red Team findings into a remediation plan the competent authority can validate
The difference between a formally completed test and one that delivers real value lies entirely in this preparation.
In summary
DORA does not ask for a bigger pentest. It asks for a simulation of a real attack, with real intelligence, on real systems — and for proof that the organisation knows how to respond. TIBER-EU is the operational manual for doing so. Understanding it — even before being designated — is already a form of resilience.
Sources
Prepare your entity for DORA TLPT
Tomato supports financial SMEs through DORA gap analysis, TIBER-EU scope definition and the governance of the Threat-Led Penetration Testing process — from preparation to attestation.
Talk to us →