
EU Standards for Threat-Led Penetration Testing: New Cyber Compliance Imperatives for Financial Institutions
In Short
The Situation: The EU has introduced Delegated Regulation (EU) 2025/1190, establishing the first harmonized standards for threat-led penetration testing ("TLPT") across the financial sector. The regulation aims to strengthen the cyber resilience of systemically important financial institutions and harmonize supervisory requirements throughout the EU.
The Result: The new regulation imposes uniform, binding requirements for all phases of TLPT on designated financial institutions, standardizing expectations for test planning, execution, remediation, and supervisory coordination across the EU.
Looking Ahead: In-scope financial institutions should immediately assess the new TLPT standards, including conducting gap assessments, engaging with supervisors, and establishing robust internal processes, as action is critical to avoid regulatory or operational disruptions. Failure to comply may lead to supervisory action, enforcement measures, and reputational damage.
Key Elements
On 18 June 2025, Delegated Regulation (EU) 2025/1190 was published in the Official Journal of the European Union, introducing for the first time harmonized and binding technical standards for TLPT across the European financial sector. This delegated regulation supplements the Digital Operational Resilience Act (DORA – Regulation (EU) 2022/2554) and marks a significant step toward strengthening the cyber resilience of critical financial entities within the EU. TLPT involves simulating cyberthreats to test how an organization can detect, respond to, and recover from advanced threats. It is a critical tool for identifying vulnerabilities before malicious actors exploit them.
Scope and Applicability
The delegated regulation is particularly relevant for certain larger or systemically important financial institutions (including credit institutions, payment and electronic money institutions, central securities depositories, central counterparties, trading venues, insurance and reinsurance undertakings, and, in certain cases, crypto-asset service providers), as well as their information and communications technology ("ICT") and TLPT service providers. Affected entities are advised to assess their status under the new framework without delay, as TLPT obligations apply from 8 July 2025 and are directly applicable in all EU Member States, without need for national implementing legislation.
The delegated regulation identifies specific categories of financial entities that are required to conduct TLPTs. These include:
- Global systemically important credit institutions ("G-SIIs"), other systemically important credit institutions ("O-SIIs"), and parts of G-SIIs or O-SIIs;
- Payment institutions with an annual transaction volume exceeding EUR 150 billion (over the preceding two years);
- E-money institutions with comparable volumes or more than EUR 40 billion in outstanding e-money;
- Central counterparties ("CCPs") and central securities depositories ("CSDs");
- Significant trading venues with an electronic trading system;
- Significant insurance and reinsurance undertakings; and
- Certain crypto-asset service providers.
Comprehensive Four-Phase TLPT Process
The delegated regulation introduces prescriptive requirements, ensuring a standardized and robust approach to cybersecurity testing. The process is structured into four distinct phases:
1. Preparation: This initial phase involves detailed planning, scoping, and the selection of qualified testing teams. Institutions must ensure that both internal and external testers meet stringent qualification criteria and that the scope of testing is appropriately defined to reflect the institution's risk profile and operational complexity.
2. Threat Intelligence & Analysis: In this phase, organizations are required to develop threat scenarios based on current and emerging risks. The scenarios must be informed by up-to-date threat intelligence, ensuring that the simulated attacks are realistic and relevant to the institution's specific threat landscape.
3. Red Team Testing: The core of the TLPT process, this phase involves the execution of simulated attacks that mimic the tactics, techniques, and procedures of real-world threat actors. The objective is to rigorously test the institution's detection and response capabilities under realistic conditions.
4. Closure & Remediation: Following the testing, institutions must handle the results with strict confidentiality, develop comprehensive remediation plans to address identified vulnerabilities, and report outcomes to supervisory authorities. This phase also includes requirements for documenting lessons learned and integrating improvements into the organization's broader cybersecurity framework.
Operational and Supervisory Requirements
The regulation sets out binding standards for the use of both internal and external testers, with clear obligations regarding confidentiality, governance, and the separation of test environments from production systems. Each EU Member State is required to appoint a national TLPT authority responsible for overseeing the implementation of the regulation. For financial groups operating across borders, a lead authority must be designated to coordinate testing activities and facilitate the mutual recognition of test results among relevant supervisory bodies of cross-border groups.
Immediate Action Required
In-scope entities are strongly advised to assess their compliance with the new TLPT standards. This includes conducting a thorough gap assessment against the new TLPT standards, engaging with national supervisors and potential TLPT providers, and establishing robust internal processes for planning, conducting, and remediating TLPTs. Ensuring confidentiality, legal privilege, and operational integrity throughout the testing lifecycle is critical, as any failure in these areas may compromise the integrity of test results and attract supervisory scrutiny. For groups with cross-border operations, coordination at the group level is essential to ensure compliance and avoid duplicative efforts.
- New Binding Standards: Delegated Regulation (EU) 2025/1190 introduces uniform, binding requirements for TLPTs across the EU financial sector.
- Clear Scope Definition: Entities subject to TLPT obligations are defined based on size, systemic importance, and market activity.
- Comprehensive Regulation: The entire TLPT lifecycle—from preparation to remediation—is now subject to prescriptive requirements and supervisory oversight.
- Immediate Action Required: Entities in scope are advised to assess relevant processes to ensure compliance, reduce cyber risk, and avoid regulatory exposure. Failure to comply may result in supervisory action, including enforcement and/or penalties under DORA as well as reputational harm.