DORA Ch. IV Art. 26 4.
1. Overview
DORA Ch. IV Art. 26 4.
4. Without prejudice to paragraph 2, first and second subparagraphs, where the participation of an ICT third-party service provider in the TLPT, referred to in paragraph 3, is reasonably expected to have an adverse impact on the quality or security of services delivered by the ICT third-party service provider to customers that are entities falling outside the scope of this Regulation, or on the confidentiality of the data related to such services, the financial entity and the ICT third-party service provider may agree in writing that the ICT third-party service provider directly enters into contractual arrangements with an external tester, for the purpose of conducting, under the direction of one designated financial entity, a pooled TLPT involving several financial entities (pooled testing) to which the ICT third-party service provider provides ICT services.
That pooled testing shall cover the relevant range of ICT services supporting critical or important functions contracted to the respective ICT third-party service provider by the financial entities. The pooled testing shall be considered TLPT carried out by the financial entities participating in the pooled testing.
The number of financial entities participating in the pooled testing shall be duly calibrated taking into account the complexity and types of services involved.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Standards
Standards
| Source | Requirement |
| NOREA | Outsourced System Testing: Extend TLPT to critical outsourced systems, processes, and technologies. The entity shall remain responsible for control compliance. Collaborate with the service providers to establish risk management controls that mitigate risks to data, assets, and critical functions. Note: this control is only applicable for financial institutions which are eligible for TLPT; refer to the RTS on TLPT for more information on applicability. |
| NOREA | Selection of TLPT Testers: Engage either internal or external TLPT testers, with external testers contracted every third TLPT cycle. Ensure internal testers are regulator-approved, possess adequate resources, and engage external threat intelligence providers. Select TLPT testers based on reputation; expertise in threat intelligence, penetration testing, and red team practices; relevant certifications; independent assurance; and indemnity insurance coverage. Ensure that contracts concluded with external testers require sound management of the TLPT results and that any processing of those results, including their generation, storage, aggregation, drafting, reporting, communication or destruction, does not create risks. Ensure independence of teams where internal and external testers operate separately, and verify relevant certifications, independent assurance, and indemnity insurance coverage. Note: this control is only applicable for financial institutions which are eligible for TLPT; refer to the RTS on TLPT for more information on applicability. |
| NOREA | (Critical) Service Level Management: Ensure the contract with an ICT third-party service provider delivering critical or important services encompasses comprehensive service level descriptions, including updates and detailed reporting (both quantitative and qualitative). Evaluate the service provider's compliance with performance and quality standards by reviewing reports on activities and services, incident reports, security and business continuity measures, and testing. Assess performance using key performance indicators, key control indicators, audits, self-certifications, and independent reviews. Receive relevant information from the service provider regarding their activities and services and ensure timely notification of and response to incidents. Conduct independent reviews and audits of compliance with legal and regulatory requirements and policies. Specify notification periods for any material changes that may impact the entity or the agreed service levels. |
| NOREA | Contractual Clauses: Secure rights for continuous performance monitoring, including unrestricted rights of access, inspection, and audit. This encompasses alternative assurance levels, cooperation with regulator inspections, and full disclosure of audit scope, procedures, and frequency. Include a mandatory transition period upon termination, allowing the service provider to continue services during migration and affording the entity time to transition to another provider or to in-house solutions, depending on service complexity. Mandate the implementation and testing of business contingency plans and the establishment of a security management system by the service provider. When negotiating contractual arrangements, consider the use of standard contractual clauses developed by public authorities for specific services. Require the service provider's participation in the entity's (advanced) testing programme (TLPT), where required. Where participation of an ICT third-party service provider in TLPT may adversely impact services or data confidentiality for customers outside the scope of DORA, it may be agreed in writing to perform a pooled TLPT. |
| NOREA | Third-party Critical Subcontracting Management: Delineate critical and important ICT services in contracts with third-party ICT service providers, specifying the conditions for subcontracting. Require continual monitoring of subcontracted services supporting critical functions to ensure compliance with contractual obligations. Detail the monitoring and reporting responsibilities of the third-party service provider towards the financial entity, including risk assessments related to subcontractor locations and data ownership. Mandate incident response and business continuity plans for subcontractors, along with adherence to specified service levels and security standards. Retain termination rights for the financial entity in cases of unauthorized subcontracting or failure to meet agreed-upon service levels. Implement changes to contractual agreements as soon as possible and document the planned timeline for their implementation. |
| NOREA | Periodic TLPT Testing: Conduct threat-led penetration testing (TLPT) every three years, aligned with the entity's risk profile. Ensure TLPT covers all critical or important functions and is performed on live production systems. Provide the regulator with a report encompassing the TLPT findings, remediation plans, and documentation demonstrating adherence to this control. Perform TLPT according to the DORA TLPT framework (based on the TIBER-EU framework) as defined in the corresponding RTS. Note: this control is only applicable for financial institutions which are eligible for TLPT; refer to the RTS on TLPT for more information on applicability. |