DORA TLPT & TIBER-BE
Prove your financial institution can withstand a real, intelligence-led attack on live systems, the way DORA and the National Bank of Belgium expect you to.
What is Threat-Led Penetration Testing?
Threat-Led Penetration Testing (TLPT) is an advanced form of red teaming that simulates a realistic, intelligence-led attack against your organisation’s most critical functions, on live production systems. Instead of checking a single application, it answers a harder question: if a capable adversary set out to disrupt you, how far would they get, and would you detect and respond in time?
TLPT combines targeted threat intelligence with covert red team operations across your technical, physical, and human attack surfaces. It is built on the TIBER-EU framework, which Belgium implements as TIBER-BE under the National Bank of Belgium, and it is now mandated by DORA for significant financial entities.
Why DORA makes this mandatory
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied across the EU financial sector since 17 January 2025. Under Articles 26 and 27, financial entities designated as significant must carry out a TLPT at least once every three years. Your competent authority can adjust that frequency based on your risk profile.
In Belgium, the National Bank of Belgium is the TLPT authority for credit institutions, insurers, payment institutions, and financial market infrastructures, while the FSMA supervises investment firms, fund managers, and similar entities. The NBB’s TIBER-BE team is the central point of contact and coordination for both regulated DORA TLPT and voluntary TIBER-BE tests. Once your authority identifies you, you assign a single point of contact and have three years to complete a test.
TLPT is not a bigger pentest
A standard penetration test and a TLPT serve different purposes. A pentest validates a defined scope; a TLPT measures your real resilience against an adversary chosen by threat intelligence, with most of your own people unaware it is happening. The table below sets them side by side.
Dimension | Standard pentest | TLPT (DORA / TIBER-BE) |
Scope | A defined system, application, or network segment. | The organisation’s critical and important functions, end to end. |
What sets the scope | An agreed asset list or checklist. | Bespoke threat intelligence on the adversaries most likely to target you. |
Environment | Often staging or a bounded production scope. | Live production systems, exactly as a real attacker would hit them. |
Awareness | The security team is usually informed. | Covert. Only a small Control Team knows; the Blue Team does not. |
Attack surface | Mainly technical. | Technical, physical, and human combined. |
Duration | Days to a few weeks. | Several months across preparation, testing, and closure. |
Regulatory standing | Good practice. | Mandatory for significant entities, supervised by the NBB. |
Closure | A findings report. | A report plus mandatory purple teaming and a regulator attestation. |
A TLPT does not replace your regular penetration testing. The two are complementary: routine pentests keep individual systems healthy between cycles, while a TLPT stress-tests the whole organisation every three years.
How a tlpt engagement works
- Scoping: Your competent authority confirms scope. Together, we define the critical and important functions to be tested and lock the rules of engagement.
- Control team: A mall, senior internal group, the only people who know the test is happening, manages the engagement and keeps it confidential.
- Procurement: You engage qualified external providers for threat intelligence and red teaming that meet the DORA Article 27 requirements.
- Targeted threat intelligence: An external threat intelligence provider profiles your organisation and designs realistic attack scenarios based on the threat actors most likely to target you.
- Red team execution: Our red team executes those scenarios covertly against your live production systems, across the full attack chain, pursuing agreed objectives without disrupting operations or causing real impact.
- Reporting: Red team and Blue Team reports document what happened, what was detected and how your defenders responded.
- Purple Teaming: A collaborative replay with your defenders, mandatory under DORA, turns the findings into concrete detection and response improvements.
- Remediation and attestation: A prioritised remediation roadmap plus the test summary your competent authority needs to issue its attestation.
- Control Team: the small internal group, on your side, that commissions and steers the test.
- Blue Team: your defenders, who are not told about the test and whose detection and response are being measured.
- Red Teams: Refracted, planning and executing the attack scenarios safely against live systems.
- Threat Intelligence Provider: an independent provider that produces the intelligence shaping the scenarios.
- TLPT authority: the NBB, supported by the TIBER-BE team, supervising the process.
What you'll receive
- Targeted Threat Intelligence report: A profile of the adversaries relevant to you and scenarios built from it.
- Red Team report: The full attack narrative, the paths taken, the evidence, and which objectives were reached.
- Blue Team report: An honest assessment of what your detection and response capability caught, missed, and how it reacted.
- Purple Teaming workshop: A guided replay with your defenders that converts findings into prioritised, practical improvements.
- Remediation roadmap: A ranked plan ordered by risk reduction, split into quick wins and structural investments.
- Regulator-ready test summary: The documentation your competent authority needs to issue the TLPT attestation.
Why test with refracted?
Local, framework fluent
Safe on live systems
End to end
Built for the Article 27 bar
Who needs a TLPT, and when?
If you are identified
Significant financial entities with mature ICT systems, designated by the NBB, must complete a TLPT within three years of identification and repeat it at least every three years.
Voluntary TIBER-BE
Some institutions take part in TIBER-BE on a voluntary basis at the NBB’s invitation, gaining the same learning value without the prudential obligation.
Preparing ahead
Even before an identification letter arrives, you can map your critical functions, stand up a Control Team, and engage providers, so you are ready when the clock starts.
We keep your environment secure
At Refracted, we believe everyone deserves to be safe in a digital world, and few sectors carry that responsibility like finance. We bring one of Belgium’s largest offensive security teams to your most critical functions and test them with the rigour that DORA, the NBB, and your customers expect.
Request your scoping call
A TLPT shows you, with evidence, how a real adversary would move against your critical functions and whether you would catch them, while keeping you on the right side of DORA.
Start with a scoping call and we will map out the scope, timeline, and a clear, fixed-price proposal.
People also ask
Who has to perform a TLPT?
Significant financial entities with mature ICT systems, as designated by their competent authority. In Belgium that is the NBB for credit institutions, insurers, payment institutions, and market infrastructures. Other institutions may join TIBER-BE voluntarily at the NBB’s invitation.
How often is a TLPT required
At least once every three years. Your competent authority can increase or reduce that frequency depending on your risk profile and operational circumstances.
Will the test disrupt our live production systems?
No. The test is controlled. Experienced red team operators work on live systems exactly as a real attacker would, but without real impact, under rules of engagement agreed upfront with your Control Team and the authority. Any potentially risky action is coordinated and safeguarded first.
Can we use our own internal team?
In some cases. DORA permits internal testers under conditions, but the threat intelligence provider must always be external, every third test must use an external red team, and credit institutions classified as significant must always use external testers. Note that the TIBER-EU framework itself does not allow internal testing.
How long does a TLPT take
The active red team execution typically runs three to four months. The full engagement, from preparation through closure, commonly spans six to twelve months, including the regulatory deadlines for each deliverable.
What's the difference between TIBER-BE and DORA TLPT?
They are designed to be compatible and pursue the same goal. The main differences are that DORA TLPT is mandatory and part of prudential supervision, while TIBER-BE participation can also be voluntary, and DORA makes purple teaming compulsory. The NBB’s TIBER-BE team coordinates both.
