Article 27: Requirements for testers for the carrying out of TLPT

To meet Article 27 (requirements for testers for the carrying out of TLPT), you must select and contract only TLPT testers who meet DORA’s eligibility conditions, then prove it with documented due diligence, independence controls, and governance over how testing is planned, executed, and remediated. Your fastest path is a tester qualification checklist tied to procurement gates and a retained evidence pack. (Regulation (EU) 2022/2554, Article 27)

Key takeaways:

  • Build a tester qualification standard and make it a hard gate in procurement before any TLPT work starts. (Regulation (EU) 2022/2554, Article 27)
  • Keep a repeatable evidence pack: selection rationale, independence attestations, competence proof, contracts, and oversight records. (Regulation (EU) 2022/2554, Article 27)
  • Operate a cross-functional workflow (security, ICT risk, legal, procurement, business owners) so tester access, scope, and reporting stay controlled. (Regulation (EU) 2022/2554, Article 27)

Article 27 sits inside DORA’s Threat-Led Penetration Testing (TLPT) regime and narrows your choices: you cannot run TLPT with “any” penetration testing firm or internal team by default. You need a controlled process to confirm your testers meet DORA’s conditions, and you need to show that confirmation to supervisors on request. (Regulation (EU) 2022/2554, Article 27)

For a CCO or GRC lead, the operational challenge is predictable: security teams want speed, procurement wants standard third-party onboarding, and legal wants defensible contracting. Article 27 forces alignment. If the tester selection is weak, the entire TLPT exercise becomes contestable, and you risk a supervisory finding even if the technical test work is strong. (Regulation (EU) 2022/2554, Article 27)

This page gives you requirement-level implementation guidance you can put into motion immediately: who this applies to, what controls to stand up, what artifacts to keep, common audit questions, and a practical execution plan. It is written to help you operationalize Article 27 (requirements for testers for the carrying out of TLPT) with minimal ambiguity. (Regulation (EU) 2022/2554, Article 27)

Regulatory text

Excerpt (provided): “1. Financial entities shall only use testers for the carrying out of TLPT, that:” (Regulation (EU) 2022/2554, Article 27)

Operator interpretation of the excerpt: Article 27 creates a restriction: TLPT can only be carried out by testers that meet the conditions set out in Article 27, so your first compliance task is building a selection and approval mechanism that prevents non-qualifying testers from being engaged. Treat it as a gating control: no qualification, no TLPT. (Regulation (EU) 2022/2554, Article 27)

What you must be able to show: that you (1) defined what “qualifying testers” means for your institution based on Article 27, (2) applied that definition consistently in selection, and (3) maintained governance and controls so the tester remained appropriate throughout the TLPT engagement (access, independence, confidentiality, and oversight). (Regulation (EU) 2022/2554, Article 27)

Plain-English requirement summary

You must hire or appoint TLPT testers only after you have verified they are eligible under DORA Article 27, and you must retain proof of that verification. Operationally, this becomes a short list of approved TLPT tester firms (and, if applicable, approved individuals), with a documented basis for approval and controls that prevent conflicts of interest or unsafe access during testing. (Regulation (EU) 2022/2554, Article 27)

Who it applies to

In-scope entities

  • Financial entities subject to DORA that are required to perform TLPT or that choose to conduct TLPT under the DORA framework. (Regulation (EU) 2022/2554, Article 27)
  • Teams inside those entities that participate in TLPT sourcing and delivery: CISO/SOC, ICT risk, enterprise risk, compliance, legal, procurement/third-party risk management (TPRM), and the business owner of the scoped critical functions. (Regulation (EU) 2022/2554, Article 27)

In-scope operational context

  • Any engagement where a third party (or an internal team, if permitted in your approach) performs threat-led penetration testing activities that you treat as TLPT under DORA. The requirement attaches to the tester selection decision and continues through contracting and execution oversight. (Regulation (EU) 2022/2554, Article 27)

What you actually need to do (step-by-step)

Use this as a build sheet for your control design. Keep it simple and auditable.

1) Define “qualifying TLPT tester” as an internal standard

  • Create a TLPT Tester Eligibility Standard that translates Article 27 into your internal requirements language, with pass/fail criteria and required evidence per criterion. (Regulation (EU) 2022/2554, Article 27)
  • Assign a single accountable owner (often ICT risk or GRC) and require sign-off from security and compliance for the standard’s approval and updates. (Regulation (EU) 2022/2554, Article 27)

Practical tip: Write the standard as a checklist table so procurement and security can execute it without interpretation drift.

2) Build a tester due diligence workflow (hard gate)

  • Add a procurement gate: no purchase order, MSA, or statement of work (SOW) until the tester passes the eligibility checklist and is recorded as approved for TLPT. (Regulation (EU) 2022/2554, Article 27)
  • Route approvals through a documented workflow: requester → security review → ICT risk/GRC review → legal review → final approval authority. (Regulation (EU) 2022/2554, Article 27)

Where Daydream fits naturally: Daydream can hold the requirement-to-control mapping, assign owners, and maintain the evidence register so the “gate” is measurable and repeatable across testing cycles.

3) Assess competence and capability (documented, not assumed)

  • Require evidence of the tester’s competence relevant to TLPT scope (examples: qualifications, prior engagement summaries, methodology documentation, staff vetting approach). Keep it documentary and specific to the services being purchased. (Regulation (EU) 2022/2554, Article 27)
  • Confirm the tester can operate safely in your environment: secure handling of findings, secure communications, controlled tooling, and documented escalation paths. (Regulation (EU) 2022/2554, Article 27)

4) Validate independence and manage conflicts of interest

  • Collect conflict-of-interest disclosures from the tester firm and key assigned personnel. (Regulation (EU) 2022/2554, Article 27)
  • Implement internal controls to prevent inappropriate influence over test outcomes (example: prevent the system owner being the sole approver of scope reductions or severity downgrades). (Regulation (EU) 2022/2554, Article 27)

Common hangup: Teams treat independence as a one-time legal clause. Examiners often want to see operational controls that back it up (approval segregation, change control for scope, and documented governance).

5) Contract for TLPT-specific controls (not just generic pentest terms)

Your MSA/SOW should reflect TLPT realities:

  • Confidentiality and strict data handling requirements for logs, evidence, exploit artifacts, and reports. (Regulation (EU) 2022/2554, Article 27)
  • Access controls: named testers, background checks/vetting requirements if you impose them, jump hosts, MFA, logging, time-bound access, and return/revocation procedures. (Regulation (EU) 2022/2554, Article 27)
  • Reporting expectations: deliverables, severity model, evidence standards, and required management readout. (Regulation (EU) 2022/2554, Article 27)
  • Retention and destruction: what gets retained, where, and for how long (align with your internal retention schedule). (Regulation (EU) 2022/2554, Article 27)

6) Run the TLPT engagement with documented oversight

  • Establish a TLPT governance cadence: kickoff, weekly checkpoint, and closure review; document minutes and decisions. (Regulation (EU) 2022/2554, Article 27)
  • Track scope changes and approvals in a change log with named approvers and rationale. (Regulation (EU) 2022/2554, Article 27)
  • Ensure the tester follows agreed rules of engagement, including safety constraints for production systems. (Regulation (EU) 2022/2554, Article 27)

7) Remediate and validate fixes (supervisor-ready evidence)

  • Convert findings into tracked remediation items with owners, due dates, and validation steps. (Regulation (EU) 2022/2554, Article 27)
  • Require re-testing or verification evidence for critical fixes (screenshots, configuration exports, test results) and close-out signoff. (Regulation (EU) 2022/2554, Article 27)

8) Maintain an “approved TLPT testers” register

  • Keep a register of approved testers, their qualification status, evidence location, last review date, and engagement history. (Regulation (EU) 2022/2554, Article 27)
  • Reassess when there is a material change: acquisition, key staff changes, new subcontractors, or major methodology shift. (Regulation (EU) 2022/2554, Article 27)

Required evidence and artifacts to retain

Store these in one place (GRC tool or controlled repository) and link them to each TLPT engagement:

Eligibility & selection

  • TLPT Tester Eligibility Standard (current version) and approvals. (Regulation (EU) 2022/2554, Article 27)
  • Completed tester eligibility checklist [1]. (Regulation (EU) 2022/2554, Article 27)
  • Selection memo: why this tester was chosen over alternatives (capability and independence rationale). (Regulation (EU) 2022/2554, Article 27)

Independence & conflicts

  • Conflict-of-interest forms and attestations for firm and assigned staff. (Regulation (EU) 2022/2554, Article 27)
  • Internal segregation-of-duties notes (who approved scope, who accepted risk, who validated remediation). (Regulation (EU) 2022/2554, Article 27)

Contracting & oversight

  • Executed MSA/SOW and rules of engagement. (Regulation (EU) 2022/2554, Article 27)
  • Access approvals, provisioning tickets, and access revocation evidence. (Regulation (EU) 2022/2554, Article 27)
  • Meeting minutes, decision logs, and scope change log. (Regulation (EU) 2022/2554, Article 27)

Results & remediation

  • Final TLPT report and management presentation. (Regulation (EU) 2022/2554, Article 27)
  • Remediation tracker with validation evidence and closure approvals. (Regulation (EU) 2022/2554, Article 27)

Common exam/audit questions and hangups

Expect reviewers to test whether Article 27 is a real gate or a paper statement:

  1. “Show me how you determined this tester was eligible under Article 27.” Provide the completed checklist and the evidence pack. (Regulation (EU) 2022/2554, Article 27)
  2. “Who can approve a TLPT tester, and where is that documented?” Provide your RACI and workflow approvals. (Regulation (EU) 2022/2554, Article 27)
  3. “How do you manage conflicts of interest?” Show attestations plus operational controls (approval segregation, scope change governance). (Regulation (EU) 2022/2554, Article 27)
  4. “How do you control tester access to sensitive environments?” Show the access model, logs, and timely revocation. (Regulation (EU) 2022/2554, Article 27)
  5. “How do you ensure findings lead to risk reduction?” Show remediation closure discipline and validation artifacts. (Regulation (EU) 2022/2554, Article 27)

Frequent implementation mistakes (and how to avoid them)

  • Mistake: treating TLPT testers like generic pentest vendors. Fix: require TLPT-specific contracting, governance, and independence documentation. (Regulation (EU) 2022/2554, Article 27)
  • Mistake: eligibility evidence scattered across procurement, security, and email. Fix: a single “tester evidence pack” with an index and owner. Daydream’s register pattern works well here because it ties the requirement to the exact artifacts you must produce. (Regulation (EU) 2022/2554, Article 27)
  • Mistake: scope and severity decisions made informally. Fix: enforce a change log and documented approvals; keep meeting minutes. (Regulation (EU) 2022/2554, Article 27)
  • Mistake: no proof of access revocation. Fix: build revocation into the engagement closure checklist and require tickets/logs as closure criteria. (Regulation (EU) 2022/2554, Article 27)
  • Mistake: remediation closes on “status updates” rather than validation. Fix: define validation evidence types up front and require security signoff to close. (Regulation (EU) 2022/2554, Article 27)

Enforcement context and risk implications

No public enforcement cases were provided in the supplied source catalog, so this guidance focuses on supervisory defensibility and operational risk. Your main risk is a supervisory finding that your TLPT is non-compliant because the tester was not properly qualified or independence was not controlled. That can force retesting, delay remediation, and create governance findings that spill into broader ICT risk management reviews. (Regulation (EU) 2022/2554, Article 27)

A practical 30/60/90-day execution plan

Exact timing depends on procurement cycles and existing TPRM maturity, so treat this as phased execution.

First 30 days (Immediate)

  • Draft and approve the TLPT Tester Eligibility Standard and checklist mapped to Article 27. (Regulation (EU) 2022/2554, Article 27)
  • Stand up the approval workflow (intake form, required attachments, signoffs). (Regulation (EU) 2022/2554, Article 27)
  • Create the evidence pack index (folder structure + artifact list) and name an owner. (Regulation (EU) 2022/2554, Article 27)

Days 31–60 (Near-term)

  • Update TLPT contracting templates (MSA/SOW + rules of engagement + conflict disclosures). (Regulation (EU) 2022/2554, Article 27)
  • Build an approved TLPT testers register and qualify your current or preferred testers against it. (Regulation (EU) 2022/2554, Article 27)
  • Run a tabletop readiness drill: “If the supervisor asks tomorrow, can we produce the full tester qualification pack quickly?” (Regulation (EU) 2022/2554, Article 27)

Days 61–90 (Operationalize)

  • Pilot the process on a real TLPT or pre-TLPT engagement and capture lessons learned. (Regulation (EU) 2022/2554, Article 27)
  • Add operational controls: scope change control, access provisioning/revocation checklist, and remediation validation requirements. (Regulation (EU) 2022/2554, Article 27)
  • Publish metrics that matter internally (not vanity): percent of TLPT engagements with complete tester evidence packs and timely remediation validation. Avoid numeric targets unless your governance sets them explicitly. (Regulation (EU) 2022/2554, Article 27)

Frequently Asked Questions

Do we have to use an external third party tester for TLPT under Article 27?

Article 27 requires that you only use testers that meet the Article 27 conditions; it does not, from the excerpt provided here, specify internal versus external testers. Confirm your approach against the full DORA text and your competent authority’s expectations. (Regulation (EU) 2022/2554, Article 27)

Can we reuse our existing penetration testing vendor as a TLPT tester?

Yes, if you can document that the vendor meets the Article 27 tester requirements and you have TLPT-appropriate independence, access, and governance controls in place. Do not assume prior pentest work equals TLPT eligibility. (Regulation (EU) 2022/2554, Article 27)

What is the minimum evidence we should keep to prove compliance?

Keep the eligibility checklist with supporting documents, conflict-of-interest attestations, executed contract/SOW and rules of engagement, and oversight records (scope changes, access approvals, closure). Package it so you can produce it without email archaeology. (Regulation (EU) 2022/2554, Article 27)

Who should “own” Article 27 compliance: security, procurement, or compliance?

Security should own technical evaluation, procurement should enforce gating, and compliance/ICT risk should own the control design and evidence integrity. Assign a single accountable owner and document the RACI so decisions do not drift. (Regulation (EU) 2022/2554, Article 27)

How do we handle subcontractors used by the TLPT tester?

Treat subcontractors as part of the tester delivery chain and require disclosure, approval, and eligibility evidence for them as well. Reflect this in the SOW and access controls so only approved individuals perform testing. (Regulation (EU) 2022/2554, Article 27)

What’s the fastest way to get “supervisor-ready” for this requirement?

Create one register that maps Article 27 to owners, controls, and evidence artifacts, then run a readiness drill to prove you can produce the tester qualification pack quickly. Tools like Daydream help by keeping the mapping and artifacts in a single system of record. (Regulation (EU) 2022/2554, Article 27)

Footnotes

  1. Regulation (EU) 2022/2554, Article 27
