Source: OJ L, 2025/1190, 18.6.2025
Digital operational resilience in the financial sector - Digital operational resilience testing
RTS on threat-led penetration testing
Article 5 Risk management for TLPT
During the preparation phase referred to in Article 9, the control team shall assess the risks associated with the testing of live production systems of critical or important functions of the financial entity, including potential impacts on:
- the financial sector;
- the financial stability at Union or national level.
The control team shall review those impacts throughout the testing.
For the purposes of the risk assessment and management, the control team shall take into account at least the following types of risks related to:
- granting access to the threat intelligence provider and external testers, where applicable, to sensitive information on the financial entity;
- lack of compliance of the TLPT with Regulation (EU) 2022/2554 and with this Regulation where such lack of compliance results in a lack of the attestation referred to in Article 26(7) of Regulation (EU) 2022/2554, including where such lack of compliance is due to breaches of confidentiality on the TLPT or to a lack of ethical conduct;
- crisis and incident escalation;
- the active red team phase, including risks related to the interruption of critical activities and the corruption of data due to the activities of the testers, and its potential impacts on third parties;
- the blue team activity, including risks related to the interruption of critical activities and the corruption of data due to the activities of the blue team, and its potential impacts on third parties;
- the incomplete restoration of systems affected by the TLPT.
Relevant recitals
Recital 9 Secrecy of the TLPT
The secrecy of TLPT is of utmost importance to ensure that the conditions of the testing are realistic. For that reason, testing should be covert, and precautions should be taken to keep the TLPT confidential, including the choice of codenames that should be designed to prevent the identification of the TLPT by third parties. Should staff members responsible for the security of the financial team be aware of a planned or ongoing TLPT, it is likely that they would be more observant and alert than during normal working conditions, thereby resulting in an altered outcome of the testing. Staff members of the financial entity outside of the control team should therefore only be made aware of any planned or ongoing TLPT where there are cogent reasons and subject to the prior agreement of the test managers, inter alia to ensure the secrecy of the test in case a blue team member has detected the testing.
Recital 11 Managing inherent risks of a TLPT
There are inherent elements of risks associated with TLPT as critical functions are tested in a live production environment, with the possibility of causing denial-of-service incidents, unexpected system crashes, damages to critical live production systems, or the loss, modification, or disclosure of data. Those risks highlight the need for robust risk management measures. To ensure that the TLPT is conducted in a controlled manner all along the testing, it is very important that financial entities are at all points aware of the particular risks that arise in a TLPT and that those risks are mitigated. In that respect, without prejudice to the internal processes of the financial entity and the responsibility and delegations already provided to the control team lead, information about the TLPT risk management measures, or, in particular cases, the approval of those risk management measures by the financial entity’s management body itself, may be appropriate. To be able to deliver effective and most qualified professional services and to reduce those risks, it is also essential that the testers and threat intelligence providers (together, the TLPT providers) have the highest level of skills, expertise, and an appropriate experience in threat intelligence and TLPT in the financial services industry.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.