The European Union has published a Delegated Regulation in its Official Journal, establishing the final regulatory technical standards (RTS) for threat-led penetration testing (TLPT) under the Digital Operational Resilience Act (DORA).
This RTS elaborates on Article 26 of DORA, outlining the specific requirements for financial entities. It specifies the criteria for identifying which firms must conduct TLPT and sets the standards for the testing scope, methodology, and the handling of results. The regulation also defines the rules for using internal testers and for supervisory cooperation, including the mutual recognition of tests between authorities.
TLPT is now mandatory for financial entities covered by DORA that are deemed to have a significant impact, risk profile, or systemic relevance.
The process for these entities begins upon receiving a notification from their designated "TLPT authority" that testing is required. Once notified, the firm enters a formal preparation phase and must:
Within three months, provide the TLPT initiation information, which includes a high-level project plan and details for the control and communication teams.
Within six months, submit a detailed scope specification document that identifies the critical functions and the underlying IT systems to be tested.
The TLPT structure detailed in the RTS is consistent with the EU's existing framework for threat intelligence-based ethical red teaming (TIBER-EU).
The RTS enters into force on 8 July 2025.
The RTS is available here.
