
TLPT RTS (EU 2025/1190): DORA penetration testing, finally clear.

Commission Delegated Regulation (EU) 2025/1190 is the technical standard (RTS) completing Article 26 of DORA on threat-led penetration testing (TLPT). Applicable since 8 July 2025, implemented in Luxembourg via the TIBER-LU framework (BCL + CSSF). Let's clear the fog.


Who is concerned?

Financial entities identified as significant by their size and systemic importance: systemic credit institutions, certain payment and e-money institutions, central securities depositories (CSDs), central counterparties (CCPs), trading venues, and some insurance and reinsurance undertakings.

A TLPT must be conducted at least every 3 years on critical or important functions, on real production systems (not test environments).

Key obligations

  • Identification: determine whether the entity falls within TLPT scope (RTS 2025/1190 criteria applied by the CSSF, TLPT authority under DORA Art. 46).
  • Threat intelligence: have an external provider produce credible entity-specific attack scenarios.
  • Red teaming: have a certified red team execute realistic attacks (advanced adversary TTPs) on production systems over 10 to 12 weeks, without the defence teams (blue team) being warned.
  • Testers: external by default; internal only under strict independence conditions and authority authorisation.
  • Closure and remediation: detailed report, prioritised remediation plan, attestation issued by the CSSF.
  • TIBER-LU: organise the test per the TIBER-LU Implementation Document (revised 20 June 2025).

Deadlines

RTS 2025/1190 was published in the Official Journal on 18 June 2025 and has applied directly since 8 July 2025. DORA's TLPT requirements (Art. 26) have applied since 17 January 2025. The TIBER-LU framework was revised on 20 June 2025 to align with DORA and the ECB-revised TIBER-EU of 11 February 2025.

Sanctions for non-compliance

TLPT falls under the DORA supervisory framework run by the CSSF. Failing to meet testing obligations, or not remediating identified vulnerabilities, exposes entities to DORA and CSSF sanctions: injunctions, administrative sanctions, and up to 1% of average daily worldwide turnover for critical ICT third-party providers. Beyond that, a test revealing flaws that remain unfixed weakens the entity's whole operational resilience posture.

How Luxgap helps

Our CISO mandate dedicated to the financial sector and our pentest and red team practice cover the full TLPT cycle: eligibility diagnosis, TIBER-LU preparation, threat intelligence and red teaming by certified testers, and remediation and re-testing integrated into the ICT risk management framework.

Prepare your TLPT before the CSSF asks for it.

Configure a quote for a TLPT eligibility diagnosis, TIBER-LU preparation or a full red team exercise. Reply within one business day.
