DORA — TLPT framed by Delegated Regulation (EU) 2025/1190

The Commission clarified TLPT under DORA via Delegated Regulation (EU) 2025/1190. In Luxembourg, the CSSF is the TLPT authority: timeline, scope, and method are now clear.

On 13 February 2025, the European Commission adopted Delegated Regulation (EU) 2025/1190, published in the OJ on 18 June 2025, which implements the operational framework for TLPT under DORA. For Luxembourg entities, the CSSF acts as the TLPT authority, clarifying who must test, when, and how. For the legal basis, see DORA (Regulation (EU) 2022/2554, Chapter IV, Arts. 24–27) and the Delegated Regulation on EUR‑Lex.

For consolidated context, see our overview of the DORA Chapter IV and its delegated acts and the implementation in Luxembourg.

The case

The Commission adopted Delegated Regulation (EU) 2025/1190 specifying the criteria to identify entities required to conduct a Threat‑Led Penetration Test (TLPT), requirements for internal testers, the testing method, deliverables, and supervisory cooperation. Official text: EUR‑Lex, “Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025”, OJ L of 18.6.2025. — EUR‑Lex 2025/1190.

This regulation sits under DORA, applicable since 17 January 2025, notably Article 26 on advanced testing based on TLPT. Base text: Regulation (EU) 2022/2554 (DORA), Chapter IV, Articles 24–27. — EUR‑Lex DORA.

In Luxembourg, the CSSF confirms it is the “TLPT authority” for supervised entities (Article 46 DORA) and refers to delegated acts, including 2025/1190, and its alignment circulars. Reference page: “ICT and cyber risk – for DORA entities – CSSF”. — CSSF link.

Finally, the ESAs (EBA, ESMA, EIOPA) announced on 17 July 2024 the submission to the Commission of their final TLPT RTS drafts, which underpin 2025/1190. Press releases: EBA and ESMA.

Legal reasoning

1) DORA basis

  • Article 26 DORA mandates “advanced testing […] based on a TLPT” for certain entities “at least every three years” (see e.g., Art. 26(8)).
  • DORA empowers the Commission to specify, via RTS, the identification criteria, testing method, deliverables, and cooperation (Article 26(11)).

2) Prescriptive content of Delegated Regulation (EU) 2025/1190

  • Identification of entities subject to TLPT: Article 2 tasks the TLPT authority with assessing impact, systemic relevance, and ICT risk profile based on detailed criteria. Pooled or joint TLPTs are possible (Article 8).
  • Organisation and method: three‑phase cycle — preparation (Article 9, project charter and scope), testing (Articles 10–11, targeted threat intelligence then red‑team exercise), closure (Article 12) — with annexes setting expected content (e.g., Annex II: scope specification; Annex V: red‑team report; Annex VII: summary to the authority; Annex VIII: attestation).
  • Internal testers and independence: Article 15 strictly frames use of internal testers (skills, independence, separation of duties).
  • Mutual recognition: Article 16 organises cooperation to avoid multi‑country duplication.

3) Role of the Luxembourg authority

The CSSF explicitly positions itself as TLPT authority for supervised entities (Article 46 DORA) and points to direct application of delegated acts. It lists other adopted acts and its 9 April 2025 alignment circulars. — CSSF ICT/cyber page.

What changes in practice

  • Who is in scope: not universal. The TLPT authority (CSSF) designates entities based on objective criteria (systemic impact, risk profile, critical ICT dependencies), per Article 2 of 2025/1190. In practice, significant banks, market infrastructures, high‑criticality PSFs, and systemic insurers are natural candidates. — Sources: 2025/1190, Art. 2; DORA Art. 26(9)–(11). EUR‑Lex 2025/1190.
  • Frequency: once designated, TLPT must be conducted “at least every three years” (DORA Art. 26(8)). Prior TIBER‑EU may be recognised, subject to method and deliverables meeting 2025/1190 (Arts. 11–12; Annexes VII–VIII). — Sources: DORA Art. 26; 2025/1190.
  • Scope and deliverables: scope must follow Annex II aligned to critical/important functions. Minimum deliverables: red‑team report, blue‑team report, remediation plan, attestation (Arts. 12–14; Annexes V–VIII).
  • Governance and independence: internal testers are possible but strictly framed (Art. 15); otherwise, use providers meeting independence/skills requirements (Art. 7). To operationalise governance, consider strengthening your outsourced CISO function and broader operational resilience.
  • Luxembourg: the CSSF coordinates designation, recognition, and quality control. Engage early with CSSF from scoping (project charter, Annex I).

Example: a significant credit institution with critical payment services hosted on outsourced cloud is typically designated for TLPT. It will prepare a project charter (Annex I), define an end‑to‑end payments scope (Annex II), produce targeted threat intelligence (Art. 10), run the red‑team exercise (Art. 11), and submit to CSSF the summary (Annex VII) with a remediation plan (Art. 13).

Common pitfalls

  1. Confusing pentest with TLPT: a classic pentest is not a TLPT. 2025/1190 mandates the threat‑intel → red‑team → closure with attestation cycle (Art. 10; Annex III).
  2. Over‑IT, under‑business scope: cover critical/important services and real ICT dependencies (including providers) per Annex II.
  3. Poorly evidenced internal tester independence: Article 15 requires separation of duties, skills, and independence.
  4. Incomplete supervisory deliverables: the summary (Annex VII) and attestation (Annex VIII) are prescribed.
  5. Forgetting mutual recognition: for cross‑border groups, anticipate Article 16 and coordinate early with CSSF.

Compliance notes

  • Key dates: adoption of 2025/1190 on 13.02.2025; OJ publication on 18.06.2025; DORA applicable since 17.01.2025.
  • Luxembourg authority: CSSF as “TLPT authority” (Article 46 DORA) — confirmed on the CSSF website.
  • Out of scope: for non‑financial entities under NIS 2, DORA TLPT does not apply, though testing exists under NIS 2; articulation depends on primary regime.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.