European Commission adopts Delegated Regulation on RTS on threat-led penetration testing under DORA

The European Commission (EC) has adopted a Commission Delegated Regulation supplementing the Digital Operational Resilience Act (DORA) with regard to RTS specifying the criteria used for identifying financial entities required to perform threat-led penetration testing (TLPT). Article 26(11) of DORA mandates the European Supervisory Authorities (ESAs), in agreement with the European Central Bank (ECB), to develop joint draft RTS in accordance with the ECB's European framework for threat intelligence-based ethical red teaming (TIBER-EU framework) to specify further the following: (i) the criteria to identify financial entities required to perform TLPT; (ii) the requirements regarding test scope, testing methodology and results of TLPT; (iii) the requirements and standards governing the use of internal testers; and (iv) the rules on supervisory and other cooperation needed for the implementation of TLPT and for mutual recognition of testing. The Delegated Regulation will enter into force on the 20th day following its publication in the Official Journal of the EU. The ECB has also published an updated version of the TIBOR-EU framework that aligns with the DORA RTS on TLPT.