https://www.wacoca.com/media/603450/ TV anime "Gnosia" to be adapted for the stage, with every performance streamed!
Director Fumiya Matsuzaki takes it on as the culmination of his work:
"Gnosia: The Live Playing Theater" to be staged in August 2026! | NEWSCAST #2.5DStage #SFLoop #television #TLPT #tv #TVPrograms #TVAnime #AdLib #AnimeGames #Entertainment #Gnosia #GnosiaTLPT #TV #TVPrograms #Mystery #LivePlayingTheater #LiveStreaming #Werewolf #WerewolfTLPT #FumiyaMatsuzaki #StageAdaptation #HikosenTheater

Our new podcast episode is out! 🎉

This time we talk with Michael Brügge, Lead Consultant at cirosec, about Threat-led Penetration Tests (TLPT), an exciting topic that the Digital Operational Resilience Act (DORA) has made relevant for many companies in the financial sector since January 2025.

• What distinguishes TLPT from classic penetration tests?
• How does such a test proceed?
• And why does it deliver real value for companies?

Listen now at:

🎧 Spotify: https://open.spotify.com/show/63K9JjKKOdewLx2Ma0DuNE

🍏 Apple Podcast: https://podcasts.apple.com/de/podcast/it-security-inside/id1751424875

🌐 Website: https://cirosec.de/podcast/

#DORA #TLPT #CyberSecurity #Podcast #FinancialSector

EU regulation in practice: what DORA, TLPT and TIBER-EU are and which part I think is the coolest 🇪🇺

Too many acronyms? Let's unpack them together.

DORA - Digital Operational Resilience Act - is a regulation that came into force on 17 January 2025 in all European Union (EU) member states [1]. Its main goal is to "strengthen the digital resilience" of "financial entities".

I want to emphasize: DORA is a regulation, not a directive. That means each EU member state must apply it "as is", rather than implementing it into national law as directives require [2].

What does DORA cover? It includes:

1. ICT risk management - rules and requirements for creating and maintaining a framework for managing technology risk,
2. Third-party ICT risk management - monitoring third-party providers and key contractual terms,
3. Testing digital operational resilience - basic and advanced tests (including Threat-Led Penetration Testing),
4. ICT-related incidents - general requirements and reporting of major incidents to supervisory authorities,
5. Information sharing - sharing threat intelligence among entities,
6. Oversight of critical third-party ICT service providers - supervisory frameworks for critical ICT service providers.

That list leads to a lot of new documents and compliance work [3], but I want to focus on the one I find most interesting: point 3 and the related document "RTS on Threat-Led Penetration Testing (TLPT)" (called simply RTS below) [4], which I think is absolutely great!

Why? That document defines the framework for TLPTs. How are these tests different from traditional penetration tests? Let's see:

"Conventional penetration tests provide a detailed and useful assessment of technical and configuration vulnerabilities often of a single system or environment in isolation, but unlike intelligence-led red team tests, do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies."

And:

"During the selection process of the TLPT providers, financial entities should therefore ensure that those providers have the requisite skills to perform intelligence-led red team tests, and not only penetration tests."

So what's the idea or methodology behind these tests?

"This Regulation has been drafted in accordance with the TIBER-EU framework and mirrors the methodology, process and structure of threat-led penetration testing (TLPT) as described in TIBER-EU."

What is TIBER-EU [6]?

"The Framework for Threat Intelligence-based Ethical red teaming (TIBER-EU) provides a uniform and high-quality standard for implementing realistic intelligence-led red team tests on live production systems throughout (and beyond) the European Union."

The whole testing process carried out under TIBER-EU consists of phases such as:

1) Preparation phase
2) Testing phase
2.1) Threat Intelligence
2.2) Red Team
3) Closure phase (reporting, purple teaming, etc.)

Importantly, the framework even sets time expectations for how long each phase should take. For example: Threat Intelligence – approximately 4 weeks; Red Team – approximately 12 weeks. These are minimum durations ("at least").

The concept is a full-scale Red Teaming campaign where, based on scenarios developed in the Threat Intelligence phase, the attacking team carries out realistic attacks on the institution's LIVE PRODUCTION INFRASTRUCTURE.

Here's the best part: within Threat Intelligence and Red Team, the target can be not only the institution under test but also its supply chain companies. That is a big thing. Testers aren't limited to breaching well-protected institutions like banks with multi-million-euro/dollar security budgets. They can also target smaller ICT suppliers (ICT stands for "Information and Communication Technology") who often have access to those institutions' infrastructure. Those suppliers may offer easier entry points for real attackers than attacking e.g. the bank's front door directly:

"For pooled TLPTs, without prejudice to the scenarios targeting directly the critical or important functions of the financial entities involved in the testing, at least one scenario shall include the ICT third-party services provider’s relevant underlying ICT systems, processes, and technologies supporting the critical or important functions of the financial entities in scope."

That is super cool!

Now it's time to elaborate who exactly has to perform these tests, because the term "financial entities" is quite broad. Article 2, point 2 of the RTS lists:

1) Credit institutions,
2) Payment institutions,
3) Electronic money institutions,
4) Central securities depositories,
5) Central counterparties,
6) Trading venues with an electronic trading system,
7) Insurance and reinsurance undertakings.

That's quite a list, isn't it? As mentioned earlier, the RTS goes into more detail about the conditions these institutions must meet to be required to conduct TLPTs.

The RTS also allows for exclusions. Which firms actually have to undergo TLPTs is determined by the national authority responsible for the financial market (e.g. KNF [5] in Poland):

"Considering the complexity of the TLPT and the risks relating to it, its use should be restricted to those financial entities for which it is justified. Hence, authorities responsible for TLPT matters (TLPT authorities, either at Union or national level) should exclude from the scope of TLPT those financial entities that operate in core financial services subsectors for which a TLPT is not justified. That means that credit institutions, payment and electronic money institutions, central security depositories, central counterparties, trading venues, insurance and reinsurance undertakings, even though they meet the quantitative criteria, could be released from the requirement of TLPT in light of an overall assessment of their ICT risk profile and maturity, impact on the financial sector, and related financial stability concerns."

How often must TLPTs be conducted?

"Financial entities [...] shall carry out at least every 3 years advanced testing by means of TLPT."

This is another rule pushing critical financial institutions to take extra steps on their digital security. Please keep in mind that in many EU countries, like Poland, banks for instance are not just places to manage money - they also serve, for example, as one of the available identity providers when you're handling official administrative matters online.

So, cool or not?

[1] https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=LEGISSUM%3Al14547
[3] https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en#level-2---regulatory-implementing-and-delegated-acts-in-the-official-journal
[4] https://ec.europa.eu/transparency/documents-register/api/files/C(2025)885_0/090166e51e3222a2?rendition=false
[5] https://www.knf.gov.pl/en/
[6] https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework_2025~b32eff9a10.en.pdf

#cybersecurity #infosec #privacy #europe #law #tlpt #pentest #pentesting #security #itsecurity #threatintel