For most post-production facilities, TPN starts as a question from a client. A new brief arrives from a streamer or studio, and somewhere in the onboarding paperwork is a line about Trusted Partner Network accreditation. Some facilities know exactly what that means. Many don't, and the ones that don't often find themselves scrambling to understand a compliance framework that their competitors have been building toward for years.

This article explains what TPN actually is, which content owners require it, what the assessment process involves, and what facilities need to have in place before they go through it. If a client has asked about your TPN status and you're not sure where to start, this is the right place.

We’ll discuss: 

• What is the Trusted Partner Network, and why is the industry talking about it?
• Which studios and streamers require TPN, and what happens if you're not accredited?
• What does a TPN assessment actually look at in a post-production facility?
• What IT and security controls do you need in place before an assessment?
• How long does TPN accreditation take, and what does it cost?
• What happens after a TPN assessment, and how do you maintain your status?
• Is TPN accreditation worth it for smaller post-production facilities?

Let’s start at the beginning.

What is the Trusted Partner Network, and why is the industry talking about it?

The Trusted Partner Network (TPN) is a global content security programme operated by the Motion Picture Association (MPA). Its purpose is to reduce the risk of content leaks, piracy, and unauthorised access across the film and television supply chain, from production through post-production and distribution.

TPN was established in response to a straightforward problem: studios were sending pre-release content to dozens of vendors, post houses, VFX facilities, dubbing studios, and localisation providers, each of which had its own approach to security, assessed independently and inconsistently. For a broader picture of the security challenges this creates across the sector, our article on securing post-production data covers the fundamentals in detail. The result was a fragmented, expensive, and unreliable picture of who could actually be trusted with unreleased material.

TPN addresses this by providing a standardised security framework, the MPA Content Security Best Practices, against which facilities can be formally assessed. Assessments are conducted by independent third-party assessors, and results are recorded on the TPN+ platform, which content owners use to verify the security status of their vendors.

Members currently span more than 60 countries. Endorsing organisations include Netflix, Disney, Amazon Studios, WarnerBros Discovery, NBCUniversal, Paramount, BBC Studios, and Pixar, among others. TPN is not a niche or emerging standard… It’s rapidly becoming the baseline expectation for any facility handling premium pre-release content.

Which studios and streamers require TPN, and what happens if you're not accredited?

This is the question that tends to focus minds. TPN membership and assessment are increasingly a prerequisite for working with major commissioners, not a differentiator.

Netflix, Disney, Apple TV+, Amazon, and WarnerBros Discovery have all aligned their vendor onboarding processes with TPN. For facilities seeking to work on content for these platforms, or to be considered for future projects, TPN status is part of the commercial conversation, not a box to tick afterwards.

The practical consequence of not being TPN-assessed varies by studio and project type. Some studios will not engage a facility without a verified TPN status at all. Others will proceed while noting the gap, with the expectation that assessment is underway. In competitive tender situations, TPN status is increasingly a differentiating factor that influences which facilities make the shortlist.

There is also a less visible but equally real dynamic: as more facilities achieve TPN accreditation, those without it become increasingly conspicuous. For a wider view of how the industry is evolving, our piece, UK post-production trends outlines the broader shifts shaping how facilities operate and compete. 

What does a TPN assessment actually look at in a post-production facility?

TPN assessments are conducted against the MPA Content Security Best Practices, which cover both physical and digital security across a facility's operations. The framework is comprehensive and covers more than most facilities initially expect.

The assessment is divided into two broad areas: site security (for physical facilities) and cloud and application security (for cloud-based workflows and software providers). Facilities handling content in a physical environment will typically undergo a site assessment. Those operating cloud-based post-production workflows, remote editing platforms, cloud render pipelines, and software tools will undergo a cloud assessment. Many modern facilities require both.

Key areas assessed include:

• Physical security: access controls to the facility, visitor management, surveillance systems, secure screening and review environments, and procedures for handling physical media (drives, tapes, screening copies).
• Network and infrastructure security: network segmentation, firewall configuration, intrusion detection, patch management, and the separation of production networks from general office infrastructure.
• Endpoint and device security: workstation configuration, encryption, mobile device management, and the controls applied to devices that access pre-release content.
• Access management, user authentication, role-based access controls, privileged access management, and the processes for onboarding and offboarding staff and contractors. Multi-factor authentication in particular, is a baseline expectation; our article, two factors are better than one explains why it matters and how to implement it effectively.
• Data handling and transfer: how content is ingested, stored, transferred, and deleted. This includes the use of secure file transfer protocols, watermarking, and the management of deliverables.
• Incident response: whether the facility has a documented and tested plan for responding to a security incident, including how it would notify a content owner of a breach.
• Remote and work-from-home workflows, since the expansion of remote working, TPN assessments have increasingly focused on how facilities secure content access outside the physical facility environment. This includes VPN configuration, endpoint controls for remote workstations, and access to cloud-based editorial platforms. Helping employees stay secure in the remote Era covers the practical steps facilities should have in place.
• The MPA Best Practices document, currently at version 5.3.1, is publicly available on the TPN website and is the definitive reference for what an assessment covers.

What IT and security controls do you need in place before an assessment?

This is where many facilities discover that TPN preparation is less about paperwork and more about infrastructure. A gap analysis against the MPA Best Practices, which TPN makes available as a free resource on the TPN+ platform, typically reveals a mix of straightforward documentation gaps and more substantive technical issues.

Let’s tackle common areas where facilities find themselves underprepared.

Network segmentation

Production networks, carrying pre-release content, should be physically or logically separated from general office networks, guest Wi-Fi, and internet-facing systems. Many smaller facilities have never formally segmented their networks. This is one of the more technically involved items to address.

Patch management

All systems handling content should be running current, supported operating systems and software, with a documented process for applying security updates. Facilities running legacy editing systems on unsupported OS versions, not uncommon in post production, where software stability is prioritised, need a plan for managing this.

Access controls and user management

Role-based access to content systems, multi-factor authentication for remote access, and documented processes for removing access when staff leave. These are often informally managed in smaller facilities and need to be formalised for assessment.

Incident response documentation

Having a written incident response plan is a specific requirement. It doesn't need to be exhaustive, but it does need to exist, be current, and reflect how the facility would actually respond to a breach. Airgapped vs Immutable Backups is worth reading alongside this: your backup strategy is a core component of any credible incident response plan.

Watermarking capabilities

For facilities handling high-value pre-release content, the ability to apply both visible and forensic watermarks to screeners and review copies is increasingly expected. Forensic watermarking in particular, which embeds invisible, traceable identifiers into content, is becoming a baseline requirement for premium content workflows.

Remote access security

If any member of the team accesses production systems remotely, the controls applied to that access, VPN configuration, endpoint management, and session controls will be assessed. Informal remote access arrangements that have not been formally reviewed are a common finding.

Investing in these controls before an assessment is not just about passing. Facilities that approach TPN as an opportunity to genuinely improve their security posture, rather than as a compliance exercise, typically find that the process identifies vulnerabilities they weren't aware of and wouldn't have found any other way.

How long does TPN accreditation take, and what does it cost?

The timeline from decision to assessed status varies considerably depending on the current state of a facility's security posture. For a facility with reasonably mature IT and security practices, a gap analysis, remediation, and assessment can be completed in three to six months. For facilities starting from a lower baseline, twelve months is a more realistic expectation.

The process involves several distinct stages:

• Gap analysis
• Remediation planning and implementation
• Pre-assessment preparation
• The formal assessment itself 
• Any remediation of findings identified during the assessment.

TPN membership fees are structured by annual gross revenue and range from $250 for self-employed practitioners to $85,000 for organisations with revenue over $200 million. The mid-range tiers, relevant for most established post houses, sit between $3,000 and $15,000 annually. Membership fees do not include the cost of the third-party assessment itself, which is commissioned separately from an approved TPN assessor.

Assessment costs vary by assessor and scope but typically range from £5,000 to £20,000 for a site assessment, depending on facility size and complexity. Cloud assessments carry their own cost structure.

The total investment, membership, assessment, and remediation should be understood as a multi-year commitment rather than a one-time cost. TPN status requires ongoing maintenance, with reassessment required periodically and continuous monitoring of the controls in place.

What happens after a TPN assessment, and how do you maintain your status?

Passing a TPN assessment results in a verified security status on the TPN+ platform, which content owners can access to confirm a facility's compliance posture. This is the mechanism by which TPN status becomes commercially visible; studios and streamers can check the platform directly rather than conducting their own vendor security reviews.

Assessment results are not binary pass or fail. Facilities receive a report identifying findings across different severity levels, critical, high, medium, and low, with required remediation timelines for each. Critical and high findings typically need to be addressed before a facility can be listed as assessed on the platform. Medium and low findings are documented and tracked.

Maintaining TPN status requires ongoing attention to the controls assessed. 

Key maintenance activities include:

• Keeping all systems patched and current
• Reviewing and updating access controls as staff change
• Ensuring incident response documentation remains current
• Monitoring for new guidance from TPN as the MPA Best Practices are updated
• Preparing for reassessment, which TPN currently requires on an annual cycle

The TPN+ platform provides a centralised space for managing this ongoing relationship, facilities can update their security status, share documentation with content owner clients, and access TPN's security resources and community.

Is TPN accreditation worth it for smaller post-production facilities?

This is the question most independent post houses and boutique facilities ask, and it deserves a direct answer.

If a facility's growth strategy includes working with major streamers or studios, even occasionally, TPN status is becoming a prerequisite rather than an advantage. Facilities that have built TPN into their operations are finding that it opens conversations that weren't previously available to them.

The internal case is also real, even for facilities that don't immediately need TPN for client reasons. The process of going through a gap analysis and assessment against the MPA Best Practices typically identifies vulnerabilities that were previously invisible, network configurations that create risk, access controls that haven't been reviewed in years, and remote working arrangements that were never properly secured. Addressing those issues has value independent of the commercial outcome.

For the smallest facilities, sole traders and micro studios, the framework is still available as a reference. TPN offers free access to security gap analysis tools and best practice materials on the TPN+ platform, which can inform a security improvement programme even without pursuing a formal assessment.

The facilities that tend to get the most value from TPN are those that treat it as a security improvement programme that happens to result in an accreditation, rather than a compliance box to tick on the way to winning a contract. For a broader look at the IT challenges the sector faces, our article on the biggest IT challenges for TV, film, and video production businesses provides useful context.

If your facility is starting to think about TPN accreditation, the first step is understanding where you currently stand against the MPA Best Practices. At Lyon Tech, we work with film, TV, media and post-production facilities across London on the IT and security infrastructure that underpins TPN compliance, from network segmentation and access management to endpoint controls and remote workflow security.

Get in touch with the team to start the conversation.