Source: OJ L, 2025/1190, 18.6.2025Current language: EN
- Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Article 13 Remediation plan
Summary What does Article 13 of the RTS on threat-led penetration testing say?
This article deals with the post-testing remediation obligations that follow the conclusion of a TLPT.
Building directly on Article 12, which covers the reporting phase, Article 13 sets out what financial entities must do once they have received the TLPT authority's notification regarding the test reports.
The article requires financial entities to produce and submit remediation plans, and specifies in considerable detail what those plans must contain for each finding identified during the TLPT.
Important points:
- Within 8 weeks of the notification from Article 12(7), submit remediation plans and supporting documentation to both the TLPT authority and, where applicable, the competent authority.
- Ensure each remediation plan addresses every TLPT finding and covers the identified shortcomings, proposed measures with prioritisation and expected completion, a root cause analysis, and the staff or functions responsible for implementation.
- The plan must also set out the risks of not implementing the proposed remediation measures, and where relevant, the risks associated with implementing them.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Within 8 weeks from the notification referred to in Article 12(7) of this Regulation, the financial entity shall provide the remediation plans and the documentation referred to in Article 26(6) of Regulation (EU) 2022/2554 to the TLPT authority and, where different, to the financial entity’s competent authority.
The remediation plan referred in paragraph 1 shall include, for each finding occurred in the framework of the TLPT:
a description of the identified shortcomings;
a description of the proposed remediation measures and of their prioritisation and expected completion, including, where relevant, measures to improve the identification, protection, detection and response capabilities;
a root cause analysis;
the financial entity’s staff or functions responsible for the implementation of the proposed remediation measures or improvements;
the risks associated to not implementing the measures referred to in point (b) and, where relevant, risks associated to the implementation of such measures.
Relevant recitals
Recital 26 Cooperation between the TLPT and supervisory authorities
The competent authorities referred to in Article 46 of Regulation (EU) 2022/2554 and TLPT authorities, where different, should cooperate to incorporate advanced testing by means of TLPT into the existing supervisory processes. In that respect and to share the correct understanding of the TLPT findings and of how they should be interpreted, it is appropriate that, in particular for the test summary report and remediation plans, a close cooperation between test managers who were involved in the TLPT and the responsible supervisors is established.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
TLPT authority
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;
Definition
public authority
Definition
test managers