DORA TLPT & TIBER-BE 

Prove your financial institution can withstand a real, intelligence-led attack on live systems, the way DORA and the National Bank of Belgium expect you to. 

What is Threat-Led Penetration Testing?

Threat-Led Penetration Testing (TLPT) is an advanced form of red teaming that simulates a realistic, intelligence-led attack against your organisation’s most critical functions, on live production systems. Instead of checking a single application, it answers a harder question: if a capable adversary set out to disrupt you, how far would they get, and would you detect and respond in time? 

TLPT combines targeted threat intelligence with covert red team operations across your technical, physical, and human attack surfaces. It is built on the TIBER-EU framework, which Belgium implements as TIBER-BE under the National Bank of Belgium, and it is now mandated by DORA for significant financial entities. 

Why DORA makes this mandatory

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied across the EU financial sector since 17 January 2025. Under Articles 26 and 27, financial entities designated as significant must carry out a TLPT at least once every three years. Your competent authority can adjust that frequency based on your risk profile. 

In Belgium, the National Bank of Belgium is the TLPT authority for credit institutions, insurers, payment institutions, and financial market infrastructures, while the FSMA supervises investment firms, fund managers, and similar entities. The NBB’s TIBER-BE team is the central point of contact and coordination for both regulated DORA TLPT and voluntary TIBER-BE tests. Once your authority identifies you, you assign a single point of contact and have three years to complete a test. 

TLPT is not a bigger pentest

A standard penetration test and a TLPT serve different purposes. A pentest validates a defined scope; a TLPT measures your real resilience against an adversary chosen by threat intelligence, with most of your own people unaware it is happening. The table below sets them side by side. 

Dimension 

Standard pentest 

TLPT (DORA / TIBER-BE) 

Scope 

A defined system, application, or network segment. 

The organisation’s critical and important functions, end to end. 

What sets the scope 

An agreed asset list or checklist. 

Bespoke threat intelligence on the adversaries most likely to target you. 

Environment 

Often staging or a bounded production scope. 

Live production systems, exactly as a real attacker would hit them. 

Awareness 

The security team is usually informed. 

Covert. Only a small Control Team knows; the Blue Team does not. 

Attack surface 

Mainly technical. 

Technical, physical, and human combined. 

Duration 

Days to a few weeks. 

Several months across preparation, testing, and closure. 

Regulatory standing 

Good practice. 

Mandatory for significant entities, supervised by the NBB. 

Closure 

A findings report. 

A report plus mandatory purple teaming and a regulator attestation. 

A TLPT does not replace your regular penetration testing. The two are complementary: routine pentests keep individual systems healthy between cycles, while a TLPT stress-tests the whole organisation every three years. 

How a tlpt engagement works

  • Scoping: Your competent authority confirms scope. Together, we define the critical and important functions to be tested and lock the rules of engagement.
  • Control team: A mall, senior internal group, the only people who know the test is happening, manages the engagement and keeps it confidential.
  • Procurement: You engage qualified external providers for threat intelligence and red teaming that meet the DORA Article 27 requirements.
  • Targeted threat intelligence: An external threat intelligence provider profiles your organisation and designs realistic attack scenarios based on the threat actors most likely to target you.
  • Red team execution: Our red team executes those scenarios covertly against your live production systems, across the full attack chain, pursuing agreed objectives without disrupting operations or causing real impact.
  • Reporting: Red team and Blue Team reports document what happened, what was detected and how your defenders responded.
  • Purple Teaming: A collaborative replay with your defenders, mandatory under DORA, turns the findings into concrete detection and response improvements.
  • Remediation and attestation: A prioritised remediation roadmap plus the test summary your competent authority needs to issue its attestation.
  • Control Team: the small internal group, on your side, that commissions and steers the test.
  • Blue Team: your defenders, who are not told about the test and whose detection and response are being measured.
  • Red Teams: Refracted, planning and executing the attack scenarios safely against live systems.
  • Threat Intelligence Provider: an independent provider that produces the intelligence shaping the scenarios.
  • TLPT authority: the NBB, supported by the TIBER-BE team, supervising the process.

What you'll receive

Why test with refracted?

Local, framework fluent

As a Belgian offensive security specialist, we work to the TIBER-BE national implementation and the DORA TLPT standards, and coordinate directly with your Control Team and the NBB.

Safe on live systems

Our red team is built to operate against live production systems with the care and control that financial supervision demands, so testing never becomes a real incident.

End to end

We cover the full TLPT lifecycle, from scenario design through covert execution to the mandatory purple teaming replay with your defenders.

Built for the Article 27 bar

DORA Article 27 sets a high bar for testers: proven technical capability, recognised accreditation or codes of conduct, independent assurance, and professional indemnity insurance. We are set up to meet it.

Who needs a TLPT, and when?

If you are identified

Significant financial entities with mature ICT systems, designated by the NBB, must complete a TLPT within three years of identification and repeat it at least every three years.

Some institutions take part in TIBER-BE on a voluntary basis at the NBB’s invitation, gaining the same learning value without the prudential obligation. 

Even before an identification letter arrives, you can map your critical functions, stand up a Control Team, and engage providers, so you are ready when the clock starts.

We keep your environment secure

At Refracted, we believe everyone deserves to be safe in a digital world, and few sectors carry that responsibility like finance. We bring one of Belgium’s largest offensive security teams to your most critical functions and test them with the rigour that DORA, the NBB, and your customers expect. 

Request your scoping call

A TLPT shows you, with evidence, how a real adversary would move against your critical functions and whether you would catch them, while keeping you on the right side of DORA.

Start with a scoping call and we will map out the scope, timeline, and a clear, fixed-price proposal. 

People also ask

Who has to perform a TLPT?

Significant financial entities with mature ICT systems, as designated by their competent authority. In Belgium that is the NBB for credit institutions, insurers, payment institutions, and market infrastructures. Other institutions may join TIBER-BE voluntarily at the NBB’s invitation. 

How often is a TLPT required

At least once every three years. Your competent authority can increase or reduce that frequency depending on your risk profile and operational circumstances. 

Will the test disrupt our live production systems?

No. The test is controlled. Experienced red team operators work on live systems exactly as a real attacker would, but without real impact, under rules of engagement agreed upfront with your Control Team and the authority. Any potentially risky action is coordinated and safeguarded first.

Can we use our own internal team?

In some cases. DORA permits internal testers under conditions, but the threat intelligence provider must always be external, every third test must use an external red team, and credit institutions classified as significant must always use external testers. Note that the TIBER-EU framework itself does not allow internal testing. 

How long does a TLPT take

The active red team execution typically runs three to four months. The full engagement, from preparation through closure, commonly spans six to twelve months, including the regulatory deadlines for each deliverable. 

What's the difference between TIBER-BE and DORA TLPT?

They are designed to be compatible and pursue the same goal. The main differences are that DORA TLPT is mandatory and part of prudential supervision, while TIBER-BE participation can also be voluntary, and DORA makes purple teaming compulsory. The NBB’s TIBER-BE team coordinates both. 

Scroll to Top