EU | In Force | Final

RTS on Threat-Led Penetration Testing (TLPT)

Commission Delegated Regulation (EU) 2025/1190 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria for identifying financial entities required to perform threat-led penetration testing, requirements for internal testers, testing methodology, results, remediation, and supervisory cooperation

European Commission
Updated Jun 18, 2025
Version: Final

Abstract

Regulatory Technical Standards under DORA establishing detailed rules for threat-led penetration testing (TLPT), including criteria for identifying entities subject to testing, governance and organisational requirements, testing phases and methodology, roles of control teams and testers, risk management measures, reporting, remediation, and supervisory cooperation, largely aligned with the TIBER-EU framework.

Key Takeaways

  • Defines criteria and supervisory factors used to determine which financial entities must perform TLPT based on systemic importance, ICT risk profile, and operational impact.
  • Establishes detailed requirements for TLPT lifecycle phases including preparation, threat intelligence, red-team testing, reporting, closure, and remediation.
  • Specifies governance roles such as control team, blue team, testers, threat-intelligence providers, and TLPT authorities, including requirements for independence and qualifications.
  • Requires structured reporting, remediation planning, and supervisory attestation following completion of a TLPT.
  • Aligns testing methodology with the TIBER-EU framework and introduces provisions for joint and pooled TLPT exercises and mutual recognition across Member States.

Keywords

EU 2025/1190, DORA, TLPT, Article 26, TIBER-EU, red teaming, digital operational resilience
