Article T.0

Overview: how DORA, RTS 2025/1190 and TIBER-LU fit together

Commission Delegated Regulation (EU) 2025/1190 on threat-led penetration testing (TLPT) under DORA · EU 2025/1190

Commission Delegated Regulation (EU) 2025/1190 is the regulatory technical standard (RTS) completing Article 26 of DORA (Regulation (EU) 2022/2554) on threat-led penetration testing (TLPT). Published in the Official Journal on 18 June 2025, it has been directly applicable since 8 July 2025.

The regulatory chain to understand:

  • DORA Art. 26 and 27 set the TLPT obligation for significant financial entities and require alignment with the TIBER-EU framework.
  • RTS 2025/1190 specifies the criteria for identifying in-scope entities, tester requirements, scope, methodology and test phases, closure and remediation.
  • In Luxembourg, implementation runs through the TIBER-LU framework, jointly adopted by the BCL and CSSF in November 2021 and revised on 20 June 2025 to align with DORA and the ECB-revised TIBER-EU (11 February 2025).
  • The CSSF is the TLPT authority for entities under its supervision (Article 46 of DORA).

In short: DORA says "you must test", RTS 2025/1190 says "here is how", and TIBER-LU is the Luxembourg operating manual run by the BCL and CSSF.