Blog: June 2025 DORA TLPT standard has arrived

On 18 June 2025, the European Commission published the long-awaited Delegated Regulation (EU) 2025/1190 in the Official Journal.

This regulation sets out the mandatory framework for Threat-Led Penetration Testing (TLPT) under the Digital Operational Resilience Act (DORA).

From 8 July 2025, financial entities deemed critical will be required to demonstrate their cyber resilience through red team exercises that simulate real-world attack scenarios.

What does the new DORA TLPT standard mean for financial entities?

The DORA TLPT requirements closely resemble those of established frameworks like TIBER and CBEST. Any entity that has successfully undergone testing under those frameworks will find much of the TLPT standard familiar.

However, selection for assessment is no longer based on size alone. Factors such as interconnectedness, service substitutability, and exposure to the threat landscape will carry just as much weight.

The bar is also significantly raised for red-team providers. Organisations can no longer opt for the lowest bidder—competence, independence and integrity are non-negotiable.

How are providers measured?

Red-team service providers must demonstrate:

  • Proven experience conducting TLPTs aligned with frameworks such as TIBER-EU or CBEST.
  • Multidisciplinary teams with capabilities in offensive security, threat intelligence, operational security, and social engineering.
  • Realistic simulation of advanced persistent threats (APTs), tailored to the entity's specific threat profile.
  • Secure tooling and testing infrastructure.
  • Documented methodologies aligned to the TLPT lifecycle phases: preparation, threat intelligence, testing, closure, and replay.

To maintain objectivity and avoid conflicts of interest, red-team providers must:

  • Operate independently of the entity's internal security functions.
  • Avoid other commercial relationships with the entity.
  • Undergo external validation.
  • Be rotated at least every third TLPT, with at least one external team used during this cycle.

Additional measures include:

  • Formal declarations of interest from all red-team personnel.
  • No overlap between red and blue team members.
  • Contractual safeguards to prevent data misuse.
  • Regulator oversight and visibility.

From best practice to mandatory

The release of the TLPT standard ends nearly two years of uncertainty across the financial sector. Organisations now have definitive guidance on timelines, requirements, and scope.

Most significantly, what was once considered best practice is now mandatory. For systemically important financial entities, TIBER-style red teaming has become a regulatory expectation.

The standard also expands the attack surface under examination. TLPT scenarios must include critical third-party suppliers, reflecting the importance of securing the broader digital supply chain.

What's next?

At AMR CyberSecurity, we anticipate the first wave of mandatory TLPT notifications will begin by Q4 2025. Entities that wait for formal requests may find themselves scrambling for red-team capacity.

Those who proactively launch TLPT exercises in line with the standard will be both compliant and more resilient when the next threat strikes.

Although DORA's TLPT standard is a compliance requirement, its ultimate goal is to improve operational resilience across Europe's financial ecosystem.

For details on how AMR CyberSecurity can support your TLPT readiness, contact us at enquiries@amrcybersecurity.com.

Registered address
AMR CyberSecurity, 3000a Parkway
Whiteley, Fareham
Hampshire, PO15 7FX
UK
© 2025 AMR CyberSecurity · Registered Company Number: 11551941