Threat-Led Penetration Testing (TLPT) at least every three years - TLPT must follow the TIBER-EU framework - Testing must be conducted by qualified, independent testers - CREST accreditation or equivalent is expected