Source: OJ L, 2025/1190, 18.6.2025
Article 12 Closure phase
Summary: What does Article 12 of the RTS on threat-led penetration testing say?
Article 12 governs the post-testing phase of a TLPT, picking up directly where Article 11 leaves off once the active red team testing phase has concluded.
It sets out a structured sequence of reporting, collaborative review, and feedback obligations that must be completed before the TLPT can be formally closed out.
The article moves the process from covert attack simulation into an open, collaborative phase — revealing the test to the blue team, exchanging reports between all parties, conducting a purple teaming exercise, and ultimately submitting a summary report to the TLPT authority for approval.
Important points:
- The control team lead must inform the blue team that a TLPT took place; the blue team then produces its own report no later than 10 weeks after the end of the active red team testing phase, mirroring the red team test report, which the testers must submit within 4 weeks.
- Replay the offensive and defensive actions no later than 10 weeks after the end of the active red team testing phase, and conduct a purple teaming exercise on topics jointly identified by the blue team and the testers, based on vulnerabilities identified during the test and, where relevant, on issues that could not be tested during the active phase.
- Submit a summary report of the TLPT's relevant findings to the TLPT authority for approval within 8 weeks of the authority confirming that both the red team and blue team reports are complete.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
Following the end of the active red team testing phase, the control team lead shall inform the blue team that a TLPT took place.
Within 4 weeks from the end of the active red team testing phase, the testers shall submit to the control team a red team test report containing the information set out in Annex V.
The control team shall provide the red team test report to the blue team and test managers without undue delay.
At the request of the test managers, the report referred to in the first subparagraph shall not contain sensitive information.
Upon receipt of the red team test report, and no later than 10 weeks after the end of the active red team testing phase, the blue team shall submit to the control team a blue team test report containing the information set out in Annex VI. The control team shall provide the blue team test report to the testers and the test managers without undue delay.
At the request of the test managers, the report referred to in the first subparagraph shall not contain sensitive information.
No later than 10 weeks after the end of the active red team testing phase, the blue team and the testers shall replay the offensive and defensive actions performed during the TLPT. The control team shall also conduct a purple teaming exercise on topics jointly identified by the blue team and the testers, based on vulnerabilities identified during the test and, where relevant, on issues that could not be tested during the active red team testing phase.
After completion of the replay and purple teaming exercises, the control team, the blue team, the testers, and threat intelligence providers shall provide feedback to each other on the TLPT process. The test managers may provide feedback.
Once the TLPT authority has notified the control team lead that it has assessed that the blue team test report and the red team test report contain the information set out in Annexes V and VI, the financial entity shall within 8 weeks submit the report summarising the relevant findings of the TLPT to the TLPT authority, as referred to in Article 26(6) of Regulation (EU) 2022/2554, containing the elements set out in Annex VII for approval.
At the request of the TLPT authority, the report referred to in the first subparagraph shall not contain sensitive information.
Relevant recitals
Recital 8 Involvement of TLPT authorities in the phases
It is important, for consistency with the TIBER-EU framework, that the TLPT authority closely follows the testing in each of its stages. Considering the nature of the testing and the risks associated to it, it is fundamental that the TLPT authority is involved in each specific phase of the testing. In particular, the TLPT authority should be consulted and should validate those assessments or decisions of the financial entities that may, on the one hand, influence the effectiveness of the test and, on the other hand, have an impact on the risks associated with the test. The fundamental steps on which a specific involvement of the TLPT authority is necessary include the validation of certain fundamental documentation of the testing, and the selection of threat intelligence providers and testers and risk management measures. The involvement of the TLPT authorities, and in particular for validations, should not result in an excessive burden for those authorities and should therefore be limited to those documentation and decisions that directly affect the conduct of the TLPT. Through the active participation in each phase of the testing, the TLPT authorities may effectively assess compliance of the financial entities with the relevant requirements, which should allow those authorities to issue attestations pursuant to Article 26(7) of Regulation (EU) 2022/2554.
Recital 15 Regular meetings involving all stakeholders
As evidenced by the experience of the implementation of the TIBER-EU framework, holding in-person or virtual meetings including all stakeholders concerned (financial entities, authorities, testers and threat intelligence providers) is the most efficient way to ensure the appropriate conduct of the testing. In-person and virtual meetings should therefore be held at various steps of the process, and in particular during the preparation phase at the launch of the TLPT and to finalise on its scope, during the testing phase, to finalise the threat intelligence report and the red team test plan and for the weekly updates, and during the closure phase for replaying testers and blue team actions, purple teaming and to exchange feedback on the TLPT.
Recital 16 Communication between test manager and control team
To ensure the smooth performance of the TLPT, the TLPT authority should clearly present to the financial entity its expectations with respect to the testing. In that respect, the test managers should ensure that an appropriate flow of information is established with the control team within the financial entity, and with the TLPT providers.
Recital 24 Maximising the learning experience
The TLPT should be used as a learning experience to enhance the digital operational resilience of financial entities. In that respect, the blue team and testers should replay the attack and review the steps taken to learn from the testing experience in collaboration with the testers. For that purpose and to allow for adequate preparation, the red team test report and the blue team test report should be made available to all parties involved in the replay activities, prior to conducting any replay activities. Additionally, a purple teaming exercise, in the closure phase, should be carried out to maximise the learning experience. Methods that may be used for purple teaming in the closure phase should include discussions of alternative attack scenarios, exploration on live systems of alternative scenarios or the re-exploration of planned scenarios on live systems that the testers had been unable to complete or execute during the testing phase.
Recital 25 Mutual feedback
To further facilitate the learning experience of all parties involved in the TLPT, for the benefit of future tests, and to further the digital operational resilience of financial entities, the parties concerned should provide feedback to each other on the overall process, and in particular identify which activities progressed well or could have been improved, and which aspects of the TLPT process worked well or could be improved.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition: TLPT authority
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;