Joint Regulatory Technical Standards specifying elements related to threat led penetration tests

Status: Under consultation

These Regulatory Technical Standards (RTS) specify further:

the criteria used for identifying financial entities required to perform threat-led penetration testing (TLPT),
the requirements and standards governing the use of internal testers,
the requirements in relation to scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages, and
the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition.

Summary of document history

Previous versions Current version Ongoing versions

Consultation on Joint draft RTS specifying elements related to threat led penetration tests

Status: Closed
Deadline: 4 MARCH 2024

Documents

Consultation paper on Joint draft RTS specifying elements related to threat led penetration tests

(685.8 KB - PDF)

Download

Responses to public consultations on DORA (2nd batch)

(858.87 KB - Excel Spreadsheet)

Download

Responses

The form is now closed.

News item

ESAs launch joint consultation on second batch of policy mandates under the Digital Operational Resilience Act

8 December 2023

The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched today a public consultation on the second batch of policy mandates under the Digital Operational Resilience Act (DORA). Today’s package includes four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS) and two sets of guidelines (GL). These policy instruments aim to ensure a consistent and harmonised legal framework in the areas of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight over critical ICT third-party providers. The consultation runs until 4 March 2024.

Press contacts

Franca Rosa Congiu

Organisation and governance

Legal and policy framework

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre