Article T.1

Which financial entities are subject to TLPT

Commission Delegated Regulation (EU) 2025/1190 on threat-led penetration testing (TLPT) under DORA

TLPT does not apply to all financial entities, only to those identified as significant given their size, risk profile and systemic importance. RTS 2025/1190 specifies the quantitative and qualitative identification criteria applied by authorities.

Typically in scope: systemically important credit institutions, certain payment and e-money institutions, central securities depositories (CSDs), central counterparties (CCPs), trading venues, and some insurance and reinsurance undertakings.

Identified entities must conduct a TLPT at least every three years, unless the TLPT authority decides otherwise. Critical or important functions form the core of the scope.