TIBER-MT and TLPT

Following a consultation process initiated in March 2023 and a feedback statement issued in February 2024, the Malta Financial Services Authority (“MFSA”) on 8 July 2025 officially issued the TIBER-MT and DORA TLPT-MT National Implementation Document, setting forth Malta's implementation of Threat-Led Penetration Testing ("TLPT") requirements under the Digital Operational Resilience Act ("DORA").

As a general concept, TLPT is a cybersecurity assessment method designed to test an organisation's resilience by simulating realistic cyber-attacks based on known threat intelligence. Its objective is to identify vulnerabilities, assess response capabilities, and strengthen the organisation's cybersecurity posture, which is part and parcel of DORA’s overarching objective of bolstering operational resilience. Accordingly, TLPT has been developed into an essential measure and a core tenet of DORA, requiring financial entities within its scope to simulate such realistic cyber threats and to identify vulnerabilities effectively.

The newly published document formally adopts the European Framework for Threat Intelligence-Based Ethical Red Teaming ("TIBER"), a standardised framework originally developed by the European Central Bank (“ECB”) to conduct and oversee TLPT on financial infrastructure across the EU in a controlled and harmonised manner. Accordingly, the MFSA’s implementation aims to ensure consistency and continues the harmonised approach to TLPT established by TIBER, especially in light of TIBER’s recent update in February to align with DORA’s own TLPT requirements.

Under DORA and the associated Regulatory Technical Standard (EU) 2025/1190 (“RTS”), the MFSA will serve as the designated authority responsible for overseeing the sectoral TLPT within Malta.

This national implementation document integrates all fundamental concepts, methodologies, and processes outlined in the TIBER Framework. The document outlines two target sectors:

Target 1: Financial Entities within scope of Article 2(1) of the RTS; and

Target 2: Financial Entities specifically identified in Article 2(2) of the RTS.

Financial entities (“FEs”) licensed by the MFSA and identified as falling within the scope of TLPT obligations will now have to undertake the mandatory “TIBER-MT” testing. Successful adherence to this rigorous testing process and compliance with both the TIBER-MT requirements and DORA’s regulatory requirements will lead to the issuance of an attestation confirming the FE’s compliance.

Importantly, the document makes clear that for credit institutions classified as “Significant Entities” and supervised under the Single Supervisory Mechanism, the ECB will remain the competent authority for TLPT.

The Supervisory ICT Risk and Cybersecurity function within the MFSA will house the TIBER and TLPT Cyber Team Malta (“TCT-MT”), responsible for supervising the TIBER-MT tests, ultimately ensuring that the processes and deliverables strictly align with the TIBER-EU standards.

--

For information or assistance with regard to DORA and its requirements, do not hesitate to contact us at info@gtg.com.mt

Authors: Dr Terence Cassar and Dr JJ Galea.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.