Source: OJ L, 2025/1190, 18.6.2025

Current language: EN

Annex VII Details of the report summarizing the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554

The test summary report shall contain information on at least all of the following:

  1. the parties involved;

  2. the project plan;

  3. the validated scope, including the rationale behind the inclusion or exclusion of critical or important functions and identified ICT systems, processes, and technologies supporting the critical or important functions covered by the TLPT;

  4. selected scenarios and any significant deviation from the targeted threat intelligence report;

  5. executed attack paths, and used tactics, techniques and procedures;

  6. captured and non-captured flags;

  7. deviations from the red team test plan, if any;

  8. blue team detections, if any;

  9. purple teaming in testing phase, where conducted and the related conditions;

  10. leg-ups used, if any;

  11. risk management measures taken;

  12. identified vulnerabilities and other findings, including their criticality;

  13. root cause analysis of successful attacks;

  14. high level plan for remediation, linking the vulnerabilities and other findings, their root causes and remediation priority;

  15. lessons derived from feedback received.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod