Source: OJ L, 2025/1190, 18.6.2025

Current language: EN

Article 13 Remediation plan


Summary What does Article 13 of the RTS on threat-led penetration testing say?

This article deals with the post-testing remediation obligations that follow the conclusion of a TLPT.

Building directly on Article 12, which covers the reporting phase, Article 13 sets out what financial entities must do once they have received the TLPT authority's notification regarding the test reports.

The article requires financial entities to produce and submit remediation plans, and specifies in considerable detail what those plans must contain for each finding identified during the TLPT.

Important points:

  • Within 8 weeks of the notification from Article 12(7), submit remediation plans and supporting documentation to both the TLPT authority and, where applicable, the competent authority.
  • Ensure each remediation plan addresses every TLPT finding and covers the identified shortcomings, proposed measures with prioritisation and expected completion, a root cause analysis, and the staff or functions responsible for implementation.
  • The plan must also set out the risks of not implementing the proposed remediation measures, and where relevant, the risks associated with implementing them.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Within 8 weeks from the notification referred to in Article 12(7) of this Regulation, the financial entity shall provide the remediation plans and the documentation referred to in Article 26(6) of Regulation (EU) 2022/2554 to the TLPT authority and, where different, to the financial entity’s competent authority.

    1. The remediation plan referred in paragraph 1 shall include, for each finding occurred in the framework of the TLPT:

      1. a description of the identified shortcomings;

      2. a description of the proposed remediation measures and of their prioritisation and expected completion, including, where relevant, measures to improve the identification, protection, detection and response capabilities;

      3. a root cause analysis;

      4. the financial entity’s staff or functions responsible for the implementation of the proposed remediation measures or improvements;

      5. the risks associated to not implementing the measures referred to in point (b) and, where relevant, risks associated to the implementation of such measures.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod