DORA TLPT Guidance Update

Today the EU provided the long awaited updated guidance in relation to DORA’s TLPT: DORA TLPT Guidance Update

This 30 page document further clarifies the necessity for Threat-Led Penetration Tests (TLPTs) under DORA.

We will be posting a more in-depth post about this in the very near future, but the key points that should be taken away are:

Who can Invoke a TLPT?

DORA’s TLPT requirements mirrors the TIBER-EU methodologies, process and structures – they will use the same structure for overseeing DORA TLPT’s as TIBER-EU engagements and will be overseen by either EU or national level authorities. The authorities are defined as those who are the single designated public authority for the financial sector; or an authority in the financial sector who has been authorised and delegated to manage TLPTs; or any competent authorities referred to in Article 46 of Regulation (EU) 2022/2554.

Who is in scope for a TLPT?

It will be down to the national or EU wide authorities to determine who will be in scope for a TLPT test; however the guidance is clear that it should be restricted to entities for which it is justified. This can include financial entities that operate in core financial services subsectors, as long as a TLPT cannot be justified for them.

Ultimately this means it will be down to the regulator’s discretion as to whether or not a TLPT should apply for any financial organisation and will be taken on a case-by-case basis. This will be based on the overall assessment of an organisation’s ICT (Information and Communications Technology) risk profile and maturity, the impact on the financial sector and of related financial stability concerns which must meet qualitative criteria. 

In Article 2 of the update the specific requirements for the identification of financial entities required to perform TLPTs are defined. Essentially the authorities will consider the following factors:

  • The size of the entity
  • The extent and nature of the financial entities connections with other entities in the financial sector of one or more EU member states.
  • The criticality or importance of the services the entity provides to the financial sector
  • The substitutability of services the entity provides
  • The complexity of the entity’s business model
  • The entity’s role in a wider enterprise with shared ICT systems

The authorities will also consider the following ICT risk-related factors:

  • The entity’s risk profile
  • The threat landscape for the entity
  • The degree of dependence their critical/important/supporting functions have from ICT systems
  • The complexity of the entity’s ICT architecture
  • The entity’s ICT services which are supported by third parties (including the quantity and contractual arrangements for third party and intra-group service providers)
  • The outcomes of any supervisory reviews relevant for assessment of the ICT maturity of the entity
  • The maturity of ICT business continuity plans and the ICT response and recovery plans
  • The maturity of ICT detection and mitigation controls
  • And whether the entity is part of group that is active in the financial sector of the EU that shares ICT systems.

The expectation is that that TLPT will be required for entities such as:

credit institutions, payment and electronic money institutions, central security depositories, central counterparties, trading venues, insurance and reinsurance undertakings. The definitions for these types of entities is included in the update and many will be related to their definition in other EU articles (all referenced), or in relation to total payment transactional amounts within a 2 year calendar period, or for entities which provide undertakings for gross written premiums (GWPs) or technical provisions above specified levels. It should be noted however that these same entities could be excused from a TLPT if the authority agrees it is inappropriate.

The authority is also required to consider points such as market share positions, and the range of activities the financial entity provides when making this assessment.

Furthermore, that criteria must also be applied and assessed in light of new markets as they enter the financial sector, such as crypto asset service providers authorised under  Article 59 of Regulation (EU) 2023/1114 of the European Parliament and of the Council.

Shared ICT Service Providers

The guidance also touches on financial entities that have the same ICT service provider. In those cases it will be down to the regulator as to whether a shared or entity level assessment is conducted, if a TLPT is deemed necessary.

If a TLPT is deemed as required by the authority, then the financial entity will be contacted and clearly presented with the authority’s expectation with regards to testing.

This regulation update will come into force 20 days after its publication (8th July 2025), so after this date is when entities could be contacted by letter from authorities notifying them of the requirement to conduct a TLPT test.

Additional Notes

Much of the rest of the regulation update covers the delivery of a TLPT in regards to roles, responsibilities, and expectations for TLPT providers (both Threat Intelligence and Red Team/Penetration testers). It also covers the basic expectations for financial entities being tested with regards to secrecy, procurement and scoping of the TLPT engagements. We will touch on those topics in more detail in a later blog post.

Prism Infosec Appoints Andrew Turner as Chief Commercial Officer 

Cybersecurity consultancy Prism Infosec, with offices in Cheltenham and Liverpool, is pleased to announce the appointment of Andrew Turner as its new Chief Commercial Officer (CCO)

Andrew brings a wealth of experience in cybersecurity and commercial leadership. He holds a degree in Computer Information Systems Design from Kingston University and most recently served as Vice President of Sales, EMEA at VikingCloud. Prior to that, he held senior commercial roles at leading cybersecurity consultancies including F-Secure and Context Information Security, where he was instrumental in driving growth and expanding market presence. 

“The opportunity to join a business like Prism, with its outstanding technical capabilities and prestigious client base, presents a fantastic platform for growth,” said Andrew. “I’m excited to work alongside the team to develop new service offerings, strengthen existing client relationships, and expand into new verticals where our specialist approach can deliver real value.” 

In his role as CCO, Andrew will lead the development of Prism Infosec’s commercial strategy, focusing on scaling the business and deepening its footprint within the FTSE 250 and other key markets. His appointment marks a significant step in the company’s growth journey. 

“We’re thrilled to welcome Andrew to the leadership team,” said Phil Robinson, CEO at Prism Infosec. “He brings a deep passion for cybersecurity, along with a proven track record of building high-performing teams, delivering commercial value, and consistently exceeding client expectations. Andrew’s experience in scaling businesses will be instrumental as Prism Infosec continues to grow. His strategic insight and commercial acumen have helped organisations expand into new markets, strengthen client relationships, and drive sustainable revenue growth.”

Recent Breach News

Marks & Spencer and the Co-Op have suffered a brutal breach in the recent few weeks, the full scale of which is still unknown. 

It should be clear that whilst the attack has been attributed to SCATTERED SPIDER, a group made infamous for their breach of the MGM casinos in Las Vegas in September 2023[1], a lot of speculation has been made about the exact attack methodology they used to gain a foothold in, and ultimately compromise Marks & Spencer, but no real information has been shared about the exact methodology to date. In the past, this group have been known to use several social engineering tactics to trick helpdesks, or to use sim swapping to compromise MFA, but it is not yet known what they did in this case.

What is known is that the breach has resulted in significant share price drops, loss of earnings from online ordering systems (with some estimates placing this at up to £3.5m per day[2]), and tertiary impacts to third parties Marks & Spencer do business with. Anonymised media report suggest that Marks and Spencer’s incident response plan was inadequate for the extent of the breach they have suffered, and indications are that customer information may have been compromised in the breach. The full cost of the breach is yet to be fully assessed, but recent media reports suggest the insurance claim could come in at £100 million[3]

Neither Marks & Spencer or the Co-Op were thought to be overly lax in their cybersecurity however, securing an enterprise the size of these organisations, with the number of staff they employ and contract with, the complexity of their supply chains, is exceptionally challenging.

Whilst it is far too early to conduct a root cause analysis of the breach and a lessons learned exercise, all organisations should sit-up and take note. They should be asking themselves when they were last properly assessed with a simulated threat actor attack (a red team), or even when they last fully exercised their incident response playbooks (not just a tabletop) for an attack of this magnitude but invoking it and testing disaster recovery.

Prism Infosec understands these challenges and complexities, and we can help, not just test your plans but also help clients improve them and support them in the event of a breach.


[1] MGM cyber attack: How a phone call may have led to the ongoing hack | Vox

[2] Empty shelves at M&S as store faces losses of ‘millions each day’ in wake of cyber attack | ITV News

[3] Financial Times – M&S Insurance Claim article

The Cyber Security and Resilience Bill – April 2025

In the King’s Speech it was announced that further details would follow about the CSR Bill, and it looks like we now have the confirmed and proposed measures:

Cyber Security and Resilience Bill: policy statement – GOV.UK

These have been proposed by both MPs and the Department for Science, Innovation and Technology (DSIT) and backed by the NCSC:

Cyber Security and Resilience Policy Statement to… – NCSC.GOV.UK

The bill looks to enhance the Network and Information Systems (NIS) 2018 Regulations:

The NIS Regulations 2018 – GOV.UK

Which was aimed at providing legal measures for improving the security (both physical and cyber) of IT systems for the provision of digital and essential services (online marketplaces, online search engines, cloud computing services) and essential services (transport, energy, water, health, and digital infrastructure services). Twelve regulators were identified as responsible for enforcing those regulations.

The major policy proposals and changes being introduced with the CSR not only increase the number of entities covered by NIS 2018, but also enhances the powers of these regulators, whilst aligning the UK, where appropriate with the approach taken in the EU’s NIS 2 directive:

Directive – 2022/2555 – EN – EUR-Lex

Understanding the Proposed UK Cyber Security Policy Changes

The UK government has laid out potential changes to its cyber security policy, aiming to bolster the nation’s resilience against evolving digital threats. These proposals encompass a range of measures designed to broaden the scope of regulation, strengthen supply chain security, and empower regulatory bodies. Here’s a breakdown of the key elements under consideration:

Expanding the Regulatory Framework

A significant aspect of the proposed changes involves bringing more entities under the umbrella of cyber security regulations.

  • Bringing More Entities into Scope: The policy seeks to extend its reach to organizations that play a crucial role in the digital ecosystem.
  • Managed Service Providers (MSPs) to be Regulated: Recognizing the critical access MSPs have to client IT systems and their potential vulnerability to cyber-attacks, they will now be subject to regulation.
    • Definition of MSPs: The policy defines MSPs as entities that:
      • Provide IT-related services to external organizations (not in-house).
      • Deliver services reliant on network and information systems.
      • Offer ongoing management, administration, or monitoring of IT infrastructure, networks, and cyber security activities.
      • Include network access or connection to a customer’s systems.
    • Regulatory Alignment: MSPs will be required to adhere to the same duties as digital service providers (RDSPs), with the Information Commissioner’s Office (ICO) acting as their regulator.

Strengthening Supply Chain Security

The proposals also place a strong emphasis on securing the digital supply chain.

  • New Duties for OES and RDSPs: Operators of essential services (OES) and RDSPs will face new obligations to actively manage cyber risks within their supply chains.
  • Designation of ‘Critical Suppliers’ (DCS): Regulators may designate certain suppliers as ‘Critical Suppliers’ (DCS), even if they are small firms, if a disruption to their services could significantly impact essential or digital services.
    • Criteria for DCS Designation (Proposed, Not Yet Agreed): A supplier could be classified as a DCS if:
      • It provides goods or services to OES or RDSPs.
      • Disruption to its services would have a significant effect on the delivery of essential or digital services.
      • Its operations depend on network and information systems.
      • It is not already subject to similar cyber security regulations.
    • Obligations for DCSs: Once designated, DCSs will be subject to the same security and reporting requirements as OES and RDSPs.

Empowering Regulators & Enhancing Oversight

The proposed policy aims to equip regulatory bodies with greater authority and tools to effectively oversee cyber security practices.

  • Technical and Methodological Security Requirements: It is proposed that security requirements will be aligned with the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). Additionally, the Secretary of State may issue sector-specific codes of practice to tailor standards.
  • Improving Incident Reporting: The scope of reportable incidents will be broadened to include those impacting data confidentiality, integrity, and availability. Furthermore, a two-stage reporting process is being introduced:
    • An initial notification within 24 hours.
    • A comprehensive report within 72 hours.
    • Reporting will be mandatory to both the relevant regulator and the NCSC.
    • Firms will also be obligated to alert affected customers following significant incidents.
  • Strengthening ICO’s Information Powers: The ICO will be granted enhanced powers to proactively gather information, enforce registration requirements, and new channels will be established for other bodies to share threat intelligence with the ICO.
  • Improving Cost Recovery for Regulators: The proposed bill seeks to allow regulators to set fees, publish their charging principles, and consult with the industry. This aims to address cash flow issues and alleviate cost burdens on taxpayers.

Keeping Pace with Emerging Threats

The policy acknowledges the dynamic nature of cyber threats and the need for adaptability.

  • Delegated Powers: The Secretary of State will be granted the authority to update regulations through secondary legislation, following consultation. This is intended to enable swift responses to evolving threats and technological advancements.

Additional Measures Under Consideration

Beyond the core elements, the proposed bill also includes additional measures that may be incorporated later, depending on legislative opportunities:

  • Regulating Data Centres: Data centres with a capacity of ≥1MW (or ≥10MW for enterprise-only use) could be recognized as Critical National Infrastructure (CNI) in 2024 and brought under regulation. This is estimated to affect approximately 182 data centres and 64 operators.
  • Statement of Strategic Priorities: The Secretary of State could publish a statement outlining strategic priorities for regulators every 3–5 years. This aims to ensure a consistent national cyber security strategy across different sectors and regulatory bodies.
  • Powers of Direction (National Security): The bill might be expanded to grant the Secretary of State the power to:
    • Direct entities to take specific actions against particular cyber threats.
    • Instruct regulators to tighten sector-specific guidance.
    • It is anticipated that these powers would only be invoked when necessary and proportionate to address national security concerns.

These proposed policy changes represent a significant step towards strengthening the UK’s cyber resilience in an increasingly complex digital landscape. Businesses and organizations across various sectors should pay close attention to the development and implementation of this legislation.

Roles & Responsibilities

As can be seen above, the bill will affect several entities, we have tried to summarise this into the following table:

Entity TypeDefinition / CharacteristicsRole & Obligations
Managed Service Providers (MSPs)– Provide services to other organisations (not in-house)
– Rely on network/information systems
– Involve ongoing IT system management or monitoring
– Have network access
– Newly regulated
– Same duties as RDSPs
– Must follow cyber security and incident reporting requirements
Relevant Digital Service Providers (RDSPs)– Digital services like online marketplaces, search engines, cloud providers– Already regulated under NIS 2018
– Subject to enhanced incident reporting and transparency duties
Small & Micro RDSPs– Smaller digital service providers currently exempt– May be regulated if designated as a Critical Supplier
Operators of Essential Services (OES)– Organisations providing essential national services– Existing regulation under NIS
– Will have new duties to manage supply chain risk
Designated Critical Suppliers (DCS)– Supplier to OES or RDSP
– Disruption could significantly affect service
– Relies on IT/network systems
– Not regulated elsewhere
– Will be brought under regulation
– Must meet security and incident reporting standards
Data Centres (Proposed)– Facilities hosting data infrastructure
– Thresholds: ≥1MW capacity (general), ≥10MW (enterprise)
– Expected to be included
– Duties include registration, risk management, and incident reporting
Regulators– ICO and sector-specific bodies– Enforce the regulations
Gain stronger powers for oversight, cost recovery, and cyber threat monitoring

Summing Up

Ultimately, the impact of the CSR will be wide-ranging. It will seek to provide stronger protection of critical services, enhance supply chain security, improve regulatory oversight and capabilities, improve incident response, provide regulator flexibility and some futureproofing, and improve national security and government readiness. The cost for businesses which have not previously fallen under these requirements, both in meeting these new obligations and in complying with them, will be high. However, when compared to the cost of a breach and disruption to these services, not just to the organisation but to the wider supply chain and country will be significantly higher.

Prism Infosec’s cybersecurity services, already work with several regulated industries and regulators, if you would like to discuss this with us, please feel free to reach out.