Source: OJ L, 2025/1190, 18.6.2025

Current language: EN

Annex VIII Details of the attestation of the TLPT referred to in Article 26(7) of Regulation (EU) 2022/2554

The attestation shall contain at least all of the following information:

  1. on the performed TLPT:

    1. the starting and end dates of the TLPT;

    2. the critical or important functions in scope of the test;

    3. where relevant, information on critical or important functions in scope of the test in relation to which the TLPT was not performed;

    4. where relevant, other financial entities that were involved in the TLPT;

    5. where relevant, the ICT third-party services providers that participated in the TLPT;

    6. in respect of testers:

      1. whether internal testers were used;

      2. whether Article 5(3), second subparagraph, was used by the financial entity;

    7. the duration, in calendar days, of the active red team testing phase;

  2. where several TLPT authorities have been involved in the TLPT, the other TLPT authorities, and in which capacity;

  3. list of the documents examined by the TLPT authority for the purposes of the attestation.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod