Source: OJ L, 2025/1190, 18.6.2025
- Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Article 13 Remediation plan
Within 8 weeks from the notification referred to in Article 12(7) of this Regulation, the financial entity shall provide the remediation plans and the documentation referred to in Article 26(6) of Regulation (EU) 2022/2554 to the TLPT authoritymeans any of the following:the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; and, where different, to the financial entity’s competent authority.
The remediation plan referred in paragraph 1 shall include, for each finding occurred in the framework of the TLPT:
a description of the identified shortcomings;
a description of the proposed remediation measures and of their prioritisation and expected completion, including, where relevant, measures to improve the identification, protection, detection and response capabilities;
a root cause analysis;
the financial entity’s staff or functions responsible for the implementation of the proposed remediation measures or improvements;
the risks associated to not implementing the measures referred to in point (b) and, where relevant, risks associated to the implementation of such measures.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.