Source: OJ L, 2025/1190, 18.6.2025
RTS on threat-led penetration testing
Article 15 Use of internal testers
1. Financial entities shall establish all of the following arrangements for the use of internal testers:
(a) the establishment and implementation of a policy for the management of internal testers in a TLPT;
(b) measures to ensure that the use of internal testers to perform a TLPT does not negatively impact the financial entity’s general defensive or resilience capabilities regarding ICT-related incidents or significantly impact the availability of resources devoted to ICT-related tasks during a TLPT;
(c) measures to ensure that internal testers have sufficient resources and capabilities to perform a TLPT.
2. The policy referred to in point (a) shall:
(a) contain criteria to assess the suitability, competence and potential conflicts of interest of the internal testers and specify management responsibilities in the testing process;
(b) be documented and periodically reviewed;
(c) provide that the internal testing team includes a test lead and at least two additional members;
(d) require that all members of the test team have been employed by the financial entity or by an ICT intra-group service provider for the preceding 12 months;
(e) include provisions on training of the internal testers on how to perform penetration testing and red team testing.
3. Where a TLPT authority approves the use of internal testers in accordance with Article 27(2), point (a), of Regulation (EU) 2022/2554, the TLPT authority shall consider the requirements laid down in Article 7(1) of this Regulation.
4. When using internal testers, the financial entity shall ensure that such use is mentioned in the following documents:
(a) the test initiation information referred to in Article 9;
(b) the red team test report referred to in Article 12(2);
(c) the report summarising the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554.
5. Testers employed by an ICT intra-group service provider shall be considered as internal testers of the financial entity.
Relevant recitals
Recital 12 Comprehensive criteria for TLPT providers
Conventional penetration tests provide a detailed and useful assessment of technical and configuration vulnerabilities, often of a single system or environment in isolation, but unlike intelligence-led red team tests, they do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies. During the selection process of the TLPT providers, financial entities should therefore ensure that those providers have the requisite skills to perform intelligence-led red team tests, and not only penetration tests. It is therefore necessary to lay down comprehensive criteria for testers, both internal and external, and for threat intelligence providers, which are always external. Where the TLPT providers belong to the same company, the staff assigned to a TLPT should be adequately separated.
Recital 13 Exemptions from TLPT provider criteria
There may be exceptional circumstances where financial entities are unable to contract TLPT providers that meet the comprehensive criteria. Financial entities, upon evidencing the unavailability of such threat intelligence providers, should therefore be allowed to engage persons who do not satisfy all comprehensive criteria, provided that they properly mitigate any resultant additional risks and that the TLPT authority assesses all those criteria.
Recital 27 Mix of internal and external testers considered 'internal'
Article 26(8), first subparagraph, of Regulation (EU) 2022/2554 requires from financial entities that they contract external testers every three tests. Where financial entities include in the team of testers both internal and external testers, that should be considered as a TLPT performed with internal testers for the purposes of that Article.
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;