Building cyber resilience in practice: TLPT and TIBER-LU under DORA and beyond

From traditional testing to threat-led realism

A key message of the conference was the fundamental difference between traditional penetration testing and TLPT/TIBER exercises.

While classic penetration tests are usually short, scoped and conducted outside live production environments, TLPT and TIBER exercises are intelligence-led, long-running and executed on live systems. They focus on an institution’s most critical functions and so-called “crown jewels”.

Based on up-to-date threat intelligence, these exercises simulate realistic attacker behaviour over several months. They test not only technical controls, but also detection capabilities, escalation paths, decision-making and crisis management.

A defining feature is that the defensive “blue team” remains unaware of the exercise, ensuring an authentic assessment of how the organisation reacts to what appears to be a real cyberattack.

TLPT, TIBER and DORA: clarity of roles

The conference also clarified how TLPT and TIBER fit within the regulatory framework:

• TLPT is a regulatory requirement under DORA, applicable to a limited number of systemically relevant and sufficiently mature entities.
• TIBER-EU is the operational framework used to conduct TLPTs and can also support voluntary threat-led tests.
• TIBER-LU is Luxembourg’s national implementation, jointly operated by the BCL and the CSSF through the TIBER Cyber Team (TCT), which supports institutions throughout the entire testing lifecycle.

Governance, risk control and operational discipline

Discussions highlighted that governance is a decisive success factor for TLPT exercises. The control team must remain as small as possible, while being sufficiently empowered to manage the exercise, take decisions and contain potential escalation.

In practice, this typically involves the CISO as Control Team Lead, supported by a limited number of senior experts and, increasingly, a dedicated project manager to ensure coordination and discipline over the full duration of the test.

Lessons from practice: insights from the panel discussion

The panel discussion brought a strong practitioner perspective, combining views from financial institutions, threat intelligence providers, red team experts and supervisors.

Panellists underlined that the success of a TLPT depends less on technical sophistication than on preparation, ownership and mindset. Key success factors include:

• strong project management from the outset,
• a well-sized and trusted control team,
• a shared understanding that TLPT is neither a personal assessment nor a box-ticking exercise, but a collective learning process.

Learning over scoring

TLPT exercises are intentionally demanding. They often span more than a year and require significant internal and external resources.

As emphasised throughout the event, TLPT is not a pass-or-fail exercise, but a learning journey designed to translate realistic attack experience into tangible improvements through remediation, follow-up and, increasingly, purple teaming approaches.