Threat Led Penetration Testing (TLPT)
Since 17 January 2025, the Digital Operational Resilience Act (DORA) has applied to financial entities in the EU. DORA marks an important step towards a more secure and resilient digital financial landscape.
Mandatory testing under DORA
DORA authorises De Nederlandsche Bank (DNB) to identify which financial entities, among those licensed by DNB or applying to DNB for a licence, must conduct Threat-Led Penetration Testing (TLPT). An entity is identified if it meets DORA's qualitative and quantitative criteria. DNB then formally instructs the identified entity to carry out TLPT under DORA.
TLPT in brief
A TLPT simulates realistic cyber attacks and is conducted and overseen in accordance with the TIBER-EU framework. The test follows a set procedure, with fixed timelines and several mandatory deliverables. These elements are required to ensure the test proceeds in a controlled manner and meets DORA's requirements. Once the test has been completed in line with these requirements, the TIBER Cyber Team of DNB (TCT-DNB) issues a formal confirmation to your institution, known as the 'attestation'. The attestation serves as proof that the test has met the quality requirements set.
The TLPT process at a glance
The test starts with a notification from TCT-DNB to your institution that marks the official start of the testing process. You then prepare the initiation documents and start the procurement and scoping activities. Once these activities are completed, the testing phase begins. The testing process ends with the preparation of a test summary in which you capture your institution’s learning points and possible improvement actions. Once the testing process has been completed according to the requirements, TCT-DNB issues the formal attestation.
How a test works
After you have mapped your institution's critical and important functions, TCT-DNB provides you with the Generic Threat Landscape (GTL). In this document, TCT-DNB sets out the generic threats, developments and threat actors it observes in the financial sector. A specialised external threat intelligence provider then examines which specific threats are most realistic and impactful for your institution, based on the GTL and on the current, institution-specific threat information held by the provider itself. This intelligence shows which threat actors may be interested in your institution and which tactics, techniques and procedures (TTPs) they are likely to use in an attack.
Based on this intelligence, a specialised red team provider prepares several realistic attack scenarios. These are executed in a controlled manner against your institution's production systems and may target people, processes and IT infrastructure.
To ensure strict confidentiality and maximise learning, only a small number of people in your institution (the control team) know that the test is taking place. After all, a real attack is never announced in advance. Keeping the test unannounced for the defenders allows you to assess and strengthen your detection and response capabilities under realistic conditions and so enhance your cyber resilience.
The TIBER-EU framework and related documents
The publications below provide insight into the framework TCT-DNB uses to oversee TLPT testing.
Statutory framework and TIBER-EU framework for TLPT
Related documents (guidance)
- TIBER-EU Guidance for Service Provider Procurement
- TIBER-EU Control Team Guidance
- TIBER-EU Purple Teaming Guidance
- TIBER-EU Initiation Documents Guidance
- TIBER-EU Scope Specification Document Guidance
- TIBER-EU Targeted Threat Intelligence Report Guidance
- TIBER-EU Red Team Test Plan Guidance
- TIBER-EU Red Team Test Report Guidance
- TIBER-EU Blue Team Test Report Guidance
- TIBER-EU Test Summary Report Guidance
- TIBER-EU Remediation Plan Guidance
TCT-DNB sample deliverables (formats)
TCT-DNB offers the following formats that can optionally be used when conducting a TLPT test:
More information
For more information, please contact tct@dnb.nl.