| Source | Control | Description |
|---|---|---|
| NOREA | Outsourced System Testing | Extend TLPT to critical outsourced systems, processes, and technologies. The entity shall remain responsible for control compliance. Collaborate with the service providers to establish risk management controls that mitigate risks to data, assets, and critical functions. *Note that this control is only applicable to financial institutions which are eligible for TLPT. Refer to the RTS on TLPT for more information on applicability. |
| NOREA | Selection of TLPT Testers | Engage either internal or external TLPT testers, with external testers contracted every third TLPT cycle. Ensure internal testers are regulator-approved, possess adequate resources, and engage external threat intelligence providers. Select TLPT testers based on reputation; expertise in threat intelligence, penetration testing, and red team practices; relevant certifications; independent assurance; and indemnity insurance coverage. Ensure that contracts concluded with external testers require sound management of the TLPT results and that any data processing thereof, including any generation, storage, aggregation, drafting, reporting, communication or destruction, does not create risks. Ensure independence of teams where internal and external testers operate separately, and verify relevant certifications, independent assurance, and indemnity insurance coverage. *Note that this control is only applicable to financial institutions which are eligible for TLPT. Refer to the RTS on TLPT for more information on applicability. |
| NOREA | Periodic TLPT Testing | Conduct threat-led penetration testing (TLPT) every three years, aligned with the entity's risk profile. Ensure TLPT covers all critical or important functions and is performed on live production systems. Provide the regulator with a report encompassing TLPT findings, remediation plans, and documentation demonstrating adherence to this control. Perform TLPT according to the DORA TLPT framework (based on the TIBER-EU framework) as defined in the corresponding RTS. *Note that this control is only applicable to financial institutions which are eligible for TLPT. Refer to the RTS on TLPT for more information on applicability. |