2025-07-03

The Delegated Regulation, which contains regulatory technical standards (RTS) on threat-led penetration testing (TLPT) requirements under the EU Digital Operational Resilience Act (DORA), was recently published in the Official Journal of the European Union.

The RTS supplements Article 26 of DORA and sets out:

criteria to identify financial entities required to perform TLPT;

requirements regarding testing scope, testing methodology and TLPT results;

requirements and standards governing the use of internal testers; and

rules on supervisory and other cooperation needed for TLPT implementation and for mutual recognition of testing.

TLPT is mandatory for the "financial entities" subject to DORA that meet the specific impact, risk and systemic relevance criteria the RTS sets out in relation to these testing requirements.

Specifically, financial entities must initiate TLPT arrangements once they receive notice from the relevant "TLPT authority" that TLPT must be carried out. Such notification triggers the formal preparation phase where the financial entity must submit to test managers:

the TLPT initiation information (e.g., a high-level project plan, control team lead details and communication details) within three months; and

a detailed scope specification document, setting out, among other things, the critical or important functions and the underlying information and communication technology (ICT) systems, within six months.

The TLPT structure set out in the RTS aligns with the EU's threat intelligence-based ethical red teaming (TIBER-EU Framework). Further information regarding the recently updated TIBER-EU Framework can be found in our previous article (available here).

The RTS will enter into effect on 8 July 2025.

The RTS is available here.