Threat-led penetration testing

This is a placeholder page for the full legal text of the regulatory technical standard (RTS) on threat-led penetration testing, supplementing DORA. It was submitted by the ESAs to the European Commission in January 2024 as mandated by Article 26(11) of DORA. It is expected to become applicable on 17 January 2025 along with DORA.

Until we publish the full legal text here, please find the draft RTS on ESMA’s web page or the adopted regulation on the EC’s web page.

The RTS on threat-led penetration testing is developed in accordance with Article 26(11) of DORA, which assigns this task to the ESAs in collaboration with the ECB. Its purpose is to specify criteria for identifying financial entities required to conduct threat-led penetration testing (TLPT) and to define requirements governing the testing process, including scope, methodology, results, and supervisory cooperation.