
As of today, 8 July 2025, the Regulatory Technical Standards (RTS) on Threat-Led Penetration Testing (TLPT) are now effective, including in Malta, following their publication in the Official Journal on 18 June 2025. These RTS supplement Article 26 of the Digital Operational Resilience Act (‘DORA’) and lay down a framework for the execution of TLPT.

The RTS specify the criteria used for identifying the financial entities which are required to perform threat-led penetration tests and lay down organisational arrangements for financial entities. The RTS also include provisions on risk management and specify criteria for engaging TLPT providers.

Moreover, the RTS lay down detailed requirements concerning the scope, testing methodology and approach for each phase of the testing. Once the TLPT has produced its findings, financial entities must develop a remediation plan for each finding. The RTS are supplemented by eight annexes, which provide templates and content requirements for key TLPT documentation.

The methodology, process and structure of TLPT in these RTS are aligned with the TIBER-EU framework, a European framework providing guidance on how authorities, entities, threat intelligence providers and red-team testers should work together to test and enhance the cyber resilience of entities through controlled cyberattacks.

Download our free Dora Overview and get in touch with our legal experts to find out more.

This document does not purport to give legal, financial, technical or tax advice. Should you require further information or legal assistance, please do not hesitate to contact us on dora@mamotcv.com