Source: OJ L, 2025/1190, 18.6.2025
RTS on threat-led penetration testing (digital operational resilience testing in the financial sector, Regulation (EU) 2022/2554)
Article 9 Preparation phase
1. A financial entity identified pursuant to Article 26, paragraph 8, third subparagraph of Regulation (EU) 2022/2554 shall initiate a TLPT following a notification from the TLPT authority that a TLPT is to be carried out.
2. A financial entity shall, within 3 months from having received the notification referred to in paragraph 1, submit to the test managers all of the following TLPT initiation information:
(a) a project charter including a high-level project plan, containing the information set out in Annex I;
(b) the contact details of the control team lead;
(c) information on the intended use of internal or external testers or both, where relevant, as detailed in Article 15;
(d) information on the communication channels to be used during the TLPT;
(e) the code name for the TLPT.
3. Where the information referred to in paragraph 2, points (a) to (e), is complete and ensures the suitability and effective performance of the TLPT, the TLPT authority shall validate the TLPT initiation information of the financial entity and notify the financial entity thereof.
4. Following the validation of the TLPT initiation information by the TLPT authority, the financial entity shall set up a control team to support the control team lead in its tasks of:
(a) specifying communication channels and processes within the control team, with the testers and the threat intelligence providers in all matters related to the TLPT;
(b) informing the management body of the financial entity about the progress of the TLPT and the associated risks;
(c) taking decisions based on subject matter expertise throughout the TLPT;
(d) executing the TLPT in compliance with this Regulation;
(e) selecting the threat intelligence provider for the TLPT;
(f) selecting the external testers, the internal testers or both;
(g) preparing the scope specification document.
5. Where the TLPT authority considers that the initial composition of the control team and any subsequent changes to it are adequate for the performance of the tasks referred to in paragraph 4, the TLPT authority shall validate the control team and notify the control team lead thereof.
6. The financial entity shall submit a scope specification document containing all information set out in Annex II to the test managers within 6 months from the receipt of the notification from the TLPT authority referred to in paragraph 1. The management body of the financial entity shall approve the scope specification document.
7. Financial entities shall consider the following criteria for the inclusion of critical or important functions into the scope of the TLPT:
(a) the criticality or importance of the function and its possible impact on the financial sector and on financial stability at Union and national level;
(b) the importance of the function for the day-to-day business operations of the financial entity;
(c) the exchangeability of the function;
(d) the interconnectedness with other functions;
(e) the geographical location of the function;
(f) the sectoral dependence of other entities on the function;
(g) where available, threat intelligence concerning the function.
8. The control team shall share the TLPT initiation information and the scope specification document with the testers and threat intelligence providers once those are contracted. The control team shall inform the testers and threat intelligence providers about the testing process to be followed.
9. The financial entity shall ensure that the procurement or assignment of testers and threat intelligence providers is completed prior to the initiation of the testing phase.
10. Prior to the initiation of the testing phase, the control team shall consult the test managers on the TLPT risk assessment and on the risk management measures. The control team shall review the risk assessment or the risk management measures where the TLPT authority is of the opinion that they do not adequately address the risks of the TLPT.
11. The control team shall assess the compliance of threat intelligence providers and testers they consider involving in the TLPT with the requirements laid down in Article 27 of Regulation (EU) 2022/2554 and with Article 7(1) of this Regulation, and document the outcome of that assessment. The control team shall select threat intelligence providers in accordance with that assessment and with its risk management practices. Prior to contracting the selected threat intelligence providers and external testers, the control team shall provide to the test managers evidence of compliance of those threat intelligence providers and testers with the requirements laid down in Article 27 of Regulation (EU) 2022/2554 and with Article 7(1) of this Regulation. The control team shall not proceed with contracting the selected threat intelligence providers and external testers where the TLPT authority is of the opinion that the selected threat intelligence providers and external testers do not comply with the requirements laid down in Article 27 of Regulation (EU) 2022/2554, or with the requirements laid down in Article 7(1) of this Regulation, or with additional requirements stemming from national security legislation in accordance with Union law, or where the financial entity does not comply with Article 7(2), first subparagraph, of this Regulation, or where the circumstances referred to in Article 7(2), second subparagraph, of this Regulation are not met.
12. Where the scope specification document is complete and ensures the performance of an appropriate and effective TLPT, the TLPT authority shall approve that document and inform the control team lead thereof.
Relevant recitals
Recital 7 Skills and capabilities of test managers
To mirror the TIBER-EU framework methodology, test managers should have the skills and capabilities necessary to provide advice and to challenge tester proposals. Experience under the TIBER-EU framework has proven that it is valuable to have a team of at least two test managers assigned to each test. To reflect that the TLPT is used to encourage the learning experience, to safeguard the confidentiality of tests, and unless they face resource or expertise constraints, TLPT authorities are strongly encouraged to consider that, for the duration of a TLPT, test managers should not conduct supervisory activities on the same financial entity undergoing a TLPT.
Recital 8 Involvement of TLPT authorities in the phases
It is important, for consistency with the TIBER-EU framework, that the TLPT authority closely follows the testing in each of its stages. Considering the nature of the testing and the risks associated with it, it is fundamental that the TLPT authority is involved in each specific phase of the testing. In particular, the TLPT authority should be consulted and should validate those assessments or decisions of the financial entities that may, on the one hand, influence the effectiveness of the test and, on the other hand, have an impact on the risks associated with the test. The fundamental steps on which a specific involvement of the TLPT authority is necessary include the validation of certain fundamental documentation of the testing, the selection of threat intelligence providers and testers, and the risk management measures. The involvement of the TLPT authorities, in particular for validations, should not result in an excessive burden for those authorities and should therefore be limited to the documentation and decisions that directly affect the conduct of the TLPT. Through active participation in each phase of the testing, the TLPT authorities may effectively assess compliance of the financial entities with the relevant requirements, which should allow those authorities to issue attestations pursuant to Article 26(7) of Regulation (EU) 2022/2554.
Recital 10 Importance of the control team lead
As evidenced through the experience gathered in the TIBER-EU framework with respect to the ‘control team’, the selection of an adequate control team lead is indispensable for the safe conduct of TLPT. The control team lead should have the necessary mandate within the financial entity to guide all the aspects of the testing, without compromising its confidentiality. For the same reason, members of the control team should have a deep knowledge of the financial entity, of the control team lead’s job role and strategic positioning, should have the required seniority and should have access to the management board. To reduce the risk of compromising the TLPT, the control team should be as small as possible.
Recital 15 Regular meetings involving all stakeholders
As evidenced by the experience of the implementation of the TIBER-EU framework, holding in-person or virtual meetings including all stakeholders concerned (financial entities, authorities, testers and threat intelligence providers) is the most efficient way to ensure the appropriate conduct of the testing. In-person and virtual meetings should therefore be held at various steps of the process, and in particular: during the preparation phase, at the launch of the TLPT and to finalise its scope; during the testing phase, to finalise the threat intelligence report and the red team test plan and for the weekly updates; and during the closure phase, for replaying the testers' and blue team's actions, for purple teaming and to exchange feedback on the TLPT.
Recital 16 Communication between test manager and control team
To ensure the smooth performance of the TLPT, the TLPT authority should clearly present to the financial entity its expectations with respect to the testing. In that respect, the test managers should ensure that an appropriate flow of information is established with the control team within the financial entity, and with the TLPT providers.
Recital 17 Selection of critical or important functions
The financial entity should select the critical or important functions that will be in scope of the TLPT. When selecting those functions, the financial entity should base itself on various criteria relating to the importance of each function for the financial entity itself and for the financial sector, at Union and at national level, not only in economic terms but also considering the symbolic or political status of the function. To facilitate a smooth transition to the phase of threat intelligence gathering, the control team should provide the testers and threat intelligence provider that are not involved in the scoping process with detailed information on the agreed scoping.
Definition of 'TLPT authority' as used in this Regulation: any of the following:
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554.