
Published: 04.12.2024 | Topics: Digitalisation, Risk management

Simulating attacks to enhance security

Cyberattacks continue to pose a great risk to the financial industry. Special tests can simulate the tactics, techniques and procedures of potential attackers. Which companies are required to undergo these tests?
By Hanno Burgau and Lucas Pausewang, BaFin IT Supervision

Sometimes all it takes is a single vulnerability, for instance a misconfigured internal network component or a security update that was put off for too long. In a worst-case scenario, this could allow attackers to access the customer data of a life or health insurer or to manipulate a bank's payment flows.

Ideally, such scenarios should be prevented. Threat-led penetration tests (TLPTs) enable financial entities to identify vulnerabilities at an early stage and protect themselves more effectively against cyberattacks.

Starting in January 2025, certain financial entities will be required to regularly undergo TLPTs. The requirements for these tests are set out in the Digital Operational Resilience Act (DORA). This EU regulation is intended to make the European financial market more secure against cyber risks and incidents affecting information and communication technology (ICT). DORA will apply from 17 January 2025.

First step: individual threat analysis

The “threat-led” part of TLPT means that the company's individual threat situation is first analysed before the company or an external service provider commences testing.

This analysis covers the threats arising from the current geopolitical situation, the state of the economy and technological developments. It also takes into account the company's individual characteristics, such as the critical or important functions to be tested, the business model and the IT infrastructure. Based on this analysis, the TLPT replicates the tactics, techniques and procedures of real attackers against the company's critical live production systems, allowing the financial entity to uncover vulnerabilities under realistic conditions rather than in a test environment.

TLPTs are not new: the Deutsche Bundesbank has been offering selected institutions and undertakings in the German financial sector the opportunity to voluntarily undergo a TLPT since 2020. These tests are based on the Threat Intelligence-based Ethical Red Teaming (TIBER-DE) framework. Over 20 financial entities have taken advantage of these voluntary tests in recent years, in some cases several times. For companies that are already familiar with TIBER-DE, the process for carrying out the tests will therefore not change much. The DORA rules are based on the tried-and-tested TIBER-EU framework, which is implemented in TIBER-DE tests.

Who falls under the requirement?

Which companies will be required to carry out TLPTs in future? The competent supervisory authorities determine which financial entities must conduct the tests. This decision is based on the following questions arising from Article 26 of DORA:

  • To what extent do the services provided and activities undertaken by the financial entity impact the financial sector as a whole?
  • Could a successful attack on the company threaten the stability of the financial market at the national or even European level?
  • What is the financial entity’s specific ICT risk profile and level of ICT maturity?

These criteria will be laid out in detail in a regulatory technical standard (RTS), which is already available as a draft version from the European Supervisory Authorities. For example, the draft RTS requires all credit institutions that are classified as systemically important under Article 131 of Directive 2013/36/EU to carry out a TLPT. All central securities depositories and central counterparties are also obliged to do so due to their importance for the financial market. For certain additional financial entities, the RTS defines sector-specific thresholds for the criteria described above.

However, the competent supervisory authorities can also require other companies in the financial sector to conduct TLPTs. For example, the supervisory authority may order a TLPT if a company does not exceed the RTS thresholds but is nevertheless considered by the authority to be of major importance for the financial market. Only a few companies are likely to be affected by this discretionary designation. Any company that has not yet carried out a TLPT under TIBER-DE is highly unlikely to fall within the scope of Article 26(8) of DORA.

BaFin assumes supervisory tasks

The authority responsible for overseeing TLPTs depends on the type and size of the financial entity in question. In the case of credit institutions that are classified as significant institutions (SIs) and are directly supervised by the European Central Bank (ECB) under the Single Supervisory Mechanism, the ECB is responsible for the tests.

For trading venues in Germany, the stock exchange supervisory authority of the respective federal state is responsible. BaFin is the competent supervisory authority for all other relevant financial entities. For all financial entities, however, the Deutsche Bundesbank will be responsible for the operational tasks, as is already the case with TIBER-DE.

For many German financial entities, BaFin will therefore assume the supervisory tasks in relation to TLPTs. In concrete terms, this means that BaFin identifies these companies using the criteria described above, informs them of the decision, determines the test frequency and orders the individual test to be carried out in consultation with the Deutsche Bundesbank. BaFin also validates the scope of the test and receives the test results once the TLPT has been completed.

DORA defines a multi-stage procedure for the practical implementation of TLPTs (see figure).

Figure 1: Multi-stage procedure for TLPTs (Source: BaFin and the Deutsche Bundesbank)

Financial entities must generally carry out a TLPT every three years. BaFin may deviate from this interval in exceptional cases. As not all affected financial entities can be tested at the same time, BaFin and the Deutsche Bundesbank will schedule the TLPTs according to priority. In their planning, they will also take into account the fact that some companies have recently conducted a TLPT as part of TIBER-DE. Most of those entities do not need to be retested immediately.

BaFin will inform financial entities of the date of their TLPT in advance with sufficient notice. The Deutsche Bundesbank is responsible for monitoring the test and confirming that it is carried out in accordance with the regulations. The findings from the test are shared with all relevant supervisory authorities.

BaFin has published further information on TLPTs under DORA on its website. BaFin also summarises the most important information on DORA and the implementation of the framework on a dedicated information page, which is updated and expanded on an ongoing basis.
