Source: OJ L, 2025/1190, 18.6.2025


Article 14 Attestation


Summary: What does Article 14 of the RTS on threat-led penetration testing say?

This short article deals with the formal attestation that concludes a TLPT, as required under Article 26(7) of DORA.

It specifies what that attestation must contain by directing readers to Annex VIII, and it clarifies who is responsible for issuing it in scenarios where multiple TLPT authorities have been involved in the same test — a situation that arises in joint or pooled TLPTs governed by Article 16 of this regulation.

Important points:

  • The attestation issued at the end of a TLPT must contain the information set out in Annex VIII.
  • Where multiple TLPT authorities have been involved in a TLPT, the lead TLPT authority is responsible for issuing the attestation to the tested financial entities.
  • This article directly connects to DORA Article 26(7), which is the legal basis requiring the attestation in the first place.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The attestation referred to in Article 26(7) of Regulation (EU) 2022/2554 shall contain the information set out in Annex VIII.

    2. Where several TLPT authorities have been involved in a TLPT, the lead TLPT authority shall provide the attestation referred to in Article 26(7) of Regulation (EU) 2022/2554 to the tested financial entities.
