July 2025, Zoja Antuchevic, SolutionLab, CEO and CREST EU Council Member

Why You Should Use Accredited Service Providers for TLPT under DORA

This is the second blog in our series on Threat-Led Penetration Testing (TLPT) under the Digital Operational Resilience Act (DORA). If you haven’t yet read the first instalment – which introduces TLPT and outlines what financial institutions need to know – you can find it here: https://www.crest-approved.org/threat-led-penetration-testing-tlpt-under-dora-what-financial-institutions-need-to-know/

Given the high stakes of TLPT, DORA explicitly requires financial entities to engage suitable and accredited testers for these exercises. In fact, Article 27 of DORA stipulates that those institutions “shall only use testers” that meet strict criteria, including: having the highest suitability and reputability, possessing proven technical and organisational capabilities in threat intelligence and Red Team testing, and being certified by an accreditation body or adhering to formal codes of conduct. Testers must also provide assurance of sound risk management and carry professional indemnity insurance. In plain terms, this means you can’t just hire a random self-proclaimed hacker for a TLPT – you need to choose a provider that is recognised and vetted by industry or authorities for their quality and integrity.

The importance of using accredited providers comes down to trust and assurance. An accredited TLPT provider has had its personnel, processes, and methodologies validated by an independent body or standard. This assures you (and your regulators) that the provider follows industry best practices for conducting such sensitive tests. For example, an accredited firm will have strict protocols for handling your confidential data, a well-defined testing methodology, experienced staff with certified skills, and adherence to a code of ethics. DORA’s emphasis on accreditation is about reducing the risk that something will go wrong in the test, and ensuring the results can be trusted. As one industry analysis put it, without recognised standards and professional oversight, critical vulnerabilities could easily be overlooked or mishandled by unqualified testers.

By choosing an accredited provider, you gain confidence that the test will be carried out safely, thoroughly, and with proper accountability.

Another angle to consider is that regulators and stakeholders will expect the TLPT to be performed by a reputable firm. In many EU jurisdictions, financial regulators maintain lists of approved testing providers or explicitly require certain accreditations. Using an accredited firm thus helps with regulatory compliance. It demonstrates to regulators that you took due care in vendor selection, as the firm meets formal criteria of competence. In fact, some sectors (like parts of the public sector and banking industry) already require CREST-accredited suppliers or similar for any penetration testing engagements. DORA is creating a similar expectation across the EU financial sector.

In short, engaging an accredited service provider is not just a best practice – it’s fast becoming a regulatory must for TLPT. It’s the concrete way to meet DORA’s tester requirements around suitability, expertise, and ethical conduct.

The Benefits of Using CREST-Accredited Companies for TLPT

When it comes to accreditation in the penetration testing and red teaming world, CREST is one of the most respected names. CREST is an international non-profit accreditation body that certifies cybersecurity firms and professionals to rigorous standards. Many financial institutions choose CREST-accredited providers for conducting TLPTs, and for good reason. Here are some specific benefits of using a CREST-accredited company for your DORA TLPT engagement:

• Proven Expertise and Skill: CREST requires that member companies employ highly skilled testers who have passed rigorous exams and logged thousands of hours of relevant experience. Individuals must progress through tough certification tiers (practitioner, registered, certified) by demonstrating hands-on proficiency and knowledge of the latest threats. This means a CREST-accredited Red Team is staffed by experts who know what they’re doing – exactly what you need for a high-calibre TLPT. In contrast, if you rely on providers without such credentialed staff, you risk the test being done by less-qualified personnel.
• Quality Methodology and Standards: A CREST accreditation is often seen as a “stamp of approval” for the provider’s methodology and processes. CREST-assessed companies must demonstrate they follow industry best practices throughout the engagement lifecycle – from scoping and rules-of-engagement, to testing procedures, to reporting. Their internal processes (including data security and reporting quality) are reviewed to ensure consistency and thoroughness. For a TLPT, which can be complex and lengthy, having a structured, standardised approach is crucial. CREST firms will deliver the test in a controlled and safe manner, adhering to a code of conduct that aligns with ethical red teaming. This gives you confidence that the TLPT won’t devolve into a chaotic or dangerous exercise.
• Professionalism and Ethics: By choosing a CREST company, you are engaging a team that is bound by CREST’s code of ethics and professional conduct. Members are expected to perform work responsibly, confidentially, and with integrity. There’s an inherent commitment to professional standards and ethical behaviour that comes with the accreditation. This is especially important for TLPT, where testers may obtain highly sensitive access during the simulation – you need to trust that they will handle information appropriately and not overstep agreed boundaries. CREST’s oversight and disciplinary processes help enforce that trust.
• Recognition and Accountability: CREST is globally recognised, and its accreditation is respected by regulators and industry bodies. In the context of threat-led testing, CREST was instrumental in standards like CBEST (the Bank of England’s framework) and works with many national authorities. A CREST-accredited provider likely has experience with regulatory programs and understands the compliance reporting aspects of TLPT. Using a CREST firm can thus give regulators assurance that your TLPT was conducted by a qualified professional. Moreover, should any issues arise, accredited firms are accountable to CREST – an extra layer of recourse beyond just your contract with the provider.
• Alignment with Threat Intelligence & Red Teaming Best Practices: Unlike general IT testing certifications, CREST offers specific programs for Intelligence-Led Penetration Testing (the CREST STAR scheme) and Threat Intelligence services. This means CREST-accredited providers are often uniquely equipped for exactly the kind of combined threat intel and Red Team engagement that TLPT requires. Their teams might include CREST-certified threat intelligence analysts as well as Red Team operators, ensuring both sides of the TLPT (intel gathering and attack execution) meet high standards. Certifications like OSCP or GIAC focus mainly on technical penetration skills of individuals, but CREST encompasses the full spectrum of a threat-led exercise, from scenario design to execution to analysis. This comprehensive scope sets CREST-accredited companies apart when it comes to delivering TLPTs.

In essence, a CREST-accredited company brings assurance of quality, methodology, and professionalism to a TLPT engagement. As one 2025 industry guide put it, opting for a CREST provider offers benefits ranging from highly trained experts to improved customer assurance, and even a competitive edge in meeting security expectations. Especially under the scrutiny of DORA, these benefits are invaluable.

The final part of this blog series will be released shortly. So, please keep your eyes on our blog section.