Katten Muchin Rosenman LLP
The Delegated Regulation, which contains regulatory technical standards (RTS) on threat-led penetration testing (TLPT) requirements under the EU Digital Operational Resilience Act (DORA), was recently published in the Official Journal of the European Union.

The RTS supplements Article 26 of DORA and sets out:

  • criteria to identify financial entities required to perform TLPT;
  • requirements regarding testing scope, testing methodology and TLPT results;
  • requirements and standards governing the use of internal testers; and
  • rules on supervisory and other cooperation needed for TLPT implementation and for mutual recognition of testing.

TLPT is mandatory for the “financial entities” subject to DORA that meet specific impact, risk and systemic relevance criteria set out in relation to these testing requirements.

Specifically, financial entities must initiate TLPT arrangements once they receive notice from the relevant “TLPT authority” that TLPT must be carried out. Such notification triggers the formal preparation phase, during which the financial entity must submit to the test managers:

  • the TLPT initiation information (e.g., a high-level project plan, control team lead details and communication details) within three months; and
  • a detailed scope specification document, detailing, among other things, the critical or important functions and the underlying information and communication technology (ICT) systems, within six months.

The TLPT structure set out in the RTS aligns with the EU’s threat intelligence-based ethical red teaming framework (TIBER-EU Framework). Further information regarding the recently updated TIBER-EU Framework can be found in our previous article (available here).

The RTS will enter into effect on 8 July 2025.

The RTS is available here.
