Threat-led penetration testing

Preamble (Recitals 1 – 29)

Recitals

Chapter I (Article 1)

General provisions

Article 1

Definitions

Chapter II (Article 2)

Criteria to identify financial entities required to perform TLPT

Article 2

Identification of financial entities required to perform TLPT

Chapter III (Articles 3 – 12)

Requirements regarding test scope, testing methodology and results of TLPT

Section I

Testing methodology

Article 3

TCT and TLPT Test Managers

Article 4

Organisational arrangements for financial entities

Article 5

Risk management for TLPT

Article 6

Risk management for pooled and joint TLPTs

Section II

Testing process

Article 7

Specificities for pooled and joint TLPTs

Article 8

Preparation phase

Article 9

Testing phase: Threat intelligence

Article 10

Testing phase: Red Team Test

Article 11

Closure phase

Article 12

Remediation plan

Chapter IV (Article 13)

Requirements and standards governing the use of internal testers

Article 13

Use of internal testers

Chapter V (Articles 14 – 15)

Cooperation and mutual recognition and final provisions

Article 14

Cooperation

Article 15

Entry into force and application

RTS Threat-led penetration testing

This is the regulatory technical standard (RTS) on threat-led penetration testing as adopted by the European Commission according to DORA Article 26(11), using the final draft available from the European Banking Authority (EBA) as source. The RTS was published in July 2024 and is expected to become applicable on 17 January 2025 alongside DORA.

This text is provided as-is and should not be relied upon as an authoritative source. Instead, consult the Official Journal for the authoritative version once published.

We are not aware of any material differences between the draft and authoritative versions but will ensure to update these pages to reflect the authoritative version as soon as possible.

Our commitment is to continuously enhance this platform, improving readability and navigation for your convenience. Stay updated on our progress by following us on LinkedIn, where we announce new features. If you have any questions or suggestions, please feel free to reach out to us at dora@springflod.se.

Enjoy.

Table of Contents

Preamble

1 – 29

Recitals

Chapter I

General provisions

Article 1

Definitions

Chapter II

Criteria to identify financial entities required to perform TLPT

Article 2

Identification of financial entities required to perform TLPT

Chapter III

Requirements regarding test scope, testing methodology and results of TLPT

Section I

Testing methodology

Article 3

TCT and TLPT Test Managers

Article 4

Organisational arrangements for financial entities

Article 5

Risk management for TLPT

Article 6

Risk management for pooled and joint TLPTs

Section II

Testing process

Article 7

Specificities for pooled and joint TLPTs

Article 8

Preparation phase

Article 9

Testing phase: Threat intelligence

Article 10

Testing phase: Red Team Test

Article 11

Closure phase

Article 12

Remediation plan

Chapter IV

Requirements and standards governing the use of internal testers

Article 13

Use of internal testers

Chapter V

Cooperation and mutual recognition and final provisions

Article 14

Cooperation

Article 15

Entry into force and application