Threat-led penetration testing


This is a placeholder page for the full legal text of the regulatory technical standard (RTS) on threat-led penetration testing, supplementing DORA. It was submitted by the ESAs to the European Commission in July 2024 as mandated by Article 26(11) of DORA. It is expected to become applicable on 17 January 2025 along with DORA.

Until we publish the full legal text here, please find the final draft on EBA's web page.

The RTS on threat-led penetration testing was developed in accordance with Article 26(11) of DORA, a task assigned to the ESAs in collaboration with the ECB. Its purpose is to specify criteria for identifying financial entities required to conduct threat-led penetration testing (TLPT) and to define requirements governing the testing process, including scope, methodology, results, and supervisory cooperation.