Source: OJ L, 2025/1190, 18.6.2025
- Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Article 3 TCT and TLPT Test Managers
A TLPT authority shall assign the responsibility for coordinating TLPT-related activities to a TCT. A TCT shall be composed of test managers that are assigned to oversee an individual TLPT.
For each test, the TLPT authority shall designate a test manager and at least one alternate.
The test managers shall monitor whether, and ensure that, the requirements laid down in this Regulation are complied with.
The test manager shall communicate the contact details of the TCT to the financial entity through the notification referred to in Article 9(1).
The TLPT authority shall participate to all the phases of the TLPT.
Relevant recitals
Recital 6 Responsibility of TLPT cyber teams in line with TIBER-EU
To ensure that the TLPT benefits from the experience developed in the framework of TIBER-EU implementation and to reduce the risks associated to the performance of TLPT, it should be ensured that the responsibilities of the TLPT cyber teams to be set up at the level of TLPT authorities match as closely as possible those of the TIBER-EU cyber teams. Hence, the TLPT cyber teams should have test managers that are responsible for overseeing individual TLPTs and for planning and coordinating individual tests. TLPT cyber teams should serve as a single point of contact for test-related communication to internal and external stakeholders, for collecting and processing feedback and lessons learned from previously conducted tests, and for supporting financial entities undergoing TLPT testing.
Recital 7 Skills and capabilities of test managers
To mirror the TIBER-EU framework methodology, test managers should have the skills and capabilities necessary to provide advice and to challenge tester proposals. Experience under the TIBER-EU framework has proven that it is valuable to have a team of at least two test managers assigned to each test. To reflect that the TLPT is used to encourage the learning experience, to safeguard the confidentiality of tests, and unless they have resources or expertise issues, TLPT authorities are strongly encouraged to consider that, for the duration of a TLPT, test managers should not conduct supervisory activities on the same financial entity undergoing a TLPT.
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;