On 13 February 2025, the European Commission adopted a draft Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing (TLPT), the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages, and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition.
The draft Delegated Regulation:
- Sets out the criteria for the identification of financial entities required to perform TLPT.
- Establishes the requirements regarding testing scope, testing methodology and the results of TLPT, including the testing process.
- Lays down the requirements and standards governing the use of internal testers.
- Contains the rules on supervisory cooperation and mutual recognition of TLPT.
The draft Delegated Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union.