1. European
  2. Legislation (EU)
  3. EU Regulations
  4. 2022
Date-stamp loading
  1. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) (Digital Operational Resilience Act (DORA) / Regulation on digital operational resilience for the financial sector)
  2. Chapter IV Digital operational resilience testing (arts. 24-27)
  3. Article 27 Requirements for testers for the carrying out of TLPT
Previous Next
Version status: Entered into force | Document consolidation status: No known changes
Version date: 16 January 2023 - 16 January 2025
  Version 2 of 3  

Article 27 Requirements for testers for the carrying out of TLPT

1. Financial entities shall only use testers for the carrying out of TLPT, that:

(a) are of the highest suitability and reputability;

(b) possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;

(c) are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;

(d) provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity's confidential information and redress for the business risks of the financial entity;

(e) are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.

2. When using internal testers, financial entities shall ensure that, in addition to the requirements in paragraph 1, the following conditions are met:

(a) such use has been

Comparing proposed amendment...
Previous Next