EU Delegated Regulation on threat-led penetration testing published in OJ
18 June 2025
Commission Delegated Regulation (EU) 2025/1190 of 13 February has been published in the Official Journal of the European Union. The Delegated Regulation supplements the Digital Operational Resilience Act (DORA) with regard to regulatory technical standards (RTS) related to threat-led penetration testing (TLPT). The RTS specify the criteria for identifying financial entities required to carry out TLPT, and establish detailed requirements regarding the scope of testing, the methodologies to be used and the handling and reporting of results. The RTS also set out the requirements and standards governing the use of internal testers, ensuring their independence and competence, and outline the framework for supervisory and other forms of cooperation necessary for the implementation of TLPT and the mutual recognition of testing. The Delegated Regulation will enter into force on the twentieth day following its publication in the Official Journal of the European Union, which is 8 July.
Financial Regulatory Developments Focus