Source: OJ L, 2025/1190, 18.6.2025
- Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Article 13 Remediation plan
1. Within 8 weeks from the notification referred to in Article 12(7) of this Regulation, the financial entity shall provide the remediation plans and the documentation referred to in Article 26(6) of Regulation (EU) 2022/2554 to the TLPT authority and, where different, to the financial entity’s competent authority.
2. The remediation plan referred to in paragraph 1 shall include, for each finding occurred in the framework of the TLPT:
(a) a description of the identified shortcomings;
(b) a description of the proposed remediation measures and of their prioritisation and expected completion, including, where relevant, measures to improve the identification, protection, detection and response capabilities;
(c) a root cause analysis;
(d) the financial entity’s staff or functions responsible for the implementation of the proposed remediation measures or improvements;
(e) the risks associated to not implementing the measures referred to in point (b) and, where relevant, risks associated to the implementation of such measures.
Relevant recitals
Recital 26 Cooperation between the TLPT and supervisory authorities
The competent authorities referred to in Article 46 of Regulation (EU) 2022/2554 and TLPT authorities, where different, should cooperate to incorporate advanced testing by means of TLPT into the existing supervisory processes. In that respect and to share the correct understanding of the TLPT findings and of how they should be interpreted, it is appropriate that, in particular for the test summary report and remediation plans, a close cooperation between test managers who were involved in the TLPT and the responsible supervisors is established.