Description

Closed consultation on specifying elements related to threat led penetration tests

On 4 March 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) closed their consultation on a draft Regulatory Technical Standard (RTS) mandated under DORA to specify the methodology and criteria for threat-led penetration testing (TLPT). The aim is consistency and mutual recognition of tests across the EU while retaining flexibility for authorities. The draft RTS sets out criteria for identifying the financial entities required to perform TLPT, requirements on the use of internal testers, the testing methodology, and cooperation between authorities. A TLPT involves the financial entity being tested, the TLPT authority, the testers and a threat intelligence provider. Entities such as credit institutions, market infrastructure providers and insurers are brought into mandatory TLPT on the basis of systemic impact, with possible exemptions where a TLPT would not be justified. The methodology is aligned with the existing TIBER-EU framework and follows preparation, threat intelligence gathering, active red team testing and closure phases. Requirements cover risk management, test secrecy, scope, threat scenarios, reporting, remediation and cooperation between authorities. Testers must meet expertise criteria, and tests are conducted covertly, with the entity's blue team unaware. Where internal testers are used, the entity must have policies on their suitability and competence and on preventing conflicts of interest, and at least every third TLPT must use external testers. For cross-border TLPT, authorities would be required to cooperate, with the home authority leading and attestations mutually recognised.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: digital payment provider (incl. cryptocurrencies), DLT development, infrastructure provider: cloud computing, storage and databases
Implementation Level: supranational
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2023-12-08
in consultation

On 8 December 2023, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published and …

2024-03-04
processing consultation

On 4 March 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) closed their cons…