DORA

The Digital Operational Resilience Act (DORA), the EU regulation that came into force in January 2025 and affects financial entities and their suppliers, mandates Threat-Led Penetration Testing (TLPT), alongside third-party risk management, information sharing and incident reporting. The full impact of DORA’s requirements is still being absorbed by the industries it affects, and the full implications of getting all of these systems tested to meet compliance have yet to be realised. The TLPT element is still being worked through, but we do know that TIBER tests will satisfy the requirements, and that financial entities will only use testers for carrying out TLPTs that:

  • Are of the highest suitability and reputability;
  • Possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
  • Are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;
  • Provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
  • Are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.

At Prism Infosec, we not only meet these requirements with our accreditations as a CBEST, STAR-FS and STAR TLPT supplier in the UK, but we are also recognised by the National Bank of Belgium’s TIBER-BE team as a supplier of TLPT services.

Regulation – 2022/2554 – EN – DORA – EUR-Lex

About the author

Prism Infosec
Prism Infosec’s innovative approach to the delivery of PCI projects and technical security testing was recognised with a PCI Award for Technical Excellence in January 2020. The award was presented for the delivery of a client project that was considered by the review panel to be an outstanding example of best practice.