Source: OJ L, 2025/1190, 18.6.2025Current language: EN
- Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Article 15 Use of internal testers
Summary What does Article 15 of the RTS on threat-led penetration testing say?
This article sets out the rules governing the use of internal testers when conducting a TLPT.
Rather than simply permitting or prohibiting internal testers, the article conditions their use on a series of specific organisational arrangements that financial entities must have in place.
These cover the need for a formal policy, safeguards to protect the entity's broader defensive capabilities during the test, and minimum team composition and employment tenure requirements.
The article also connects to Article 7(1) of this Regulation, which sets out tester requirements that the TLPT authority must consider when approving the use of internal testers, and to Article 27(2)(a) of DORA, which governs that approval itself.
Notably, testers from an ICT intra-group service provider are treated as internal testers for these purposes.
Important points:
- Establish a formal, documented, and periodically reviewed policy for managing internal testers, covering suitability, competence, conflicts of interest, team composition (a test lead plus at least two members), a 12-month employment requirement, and training provisions.
- Ensure that using internal testers does not negatively impact the entity's defensive or resilience capabilities or the availability of resources for ICT-related tasks during the TLPT.
- Disclose the use of internal testers in the test initiation information, the red team test report, and the TLPT summary findings report.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Financial entities shall establish all of the following arrangements for the use of internal testers:
the establishment and implementation of a policy for the management of internal testers in a TLPT;
measures to ensure that the use of internal testers to perform a TLPT does not negatively impact the financial entity’s general defensive or resilience capabilities regarding ICT-related incidents or significantly impacts the availability of resources devoted to ICT-related tasks during a TLPT;
measures to ensure that internal testers have sufficient resources and capabilities to perform a TLPT.
The policy referred to in point (a) shall:
contain criteria to assess suitability, competence, potential conflicts of interest of the internal testers and specify management responsibilities in the testing process;
be documented and periodically reviewed;
provide that the internal testing team includes a test lead, and at least two additional members;
require that all members of the test team have been employed by the financial entity or by an ICT intra-group service provider for the preceding 12 months;
include provisions on training on how to perform penetration testing and red team testing of the internal testers.
Where a TLPT authority approves the use of internal testers in accordance with Article 27(2), point (a), of Regulation (EU) 2022/2554, the TLPT authority shall consider the requirements laid down in Article 7(1) of this Regulation.
When using internal testers, the financial entity shall ensure that such use is mentioned in the following documents:
the test initiation information referred to in Article 9;
the red team test report referred to in Article 12(2);
the report summarising the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554.
Testers employed by an ICT intra-group service provider shall be considered as internal testers of the financial entity.
Relevant recitals
Recital 12 Comprehensive criteria for TLPT providers
Conventional penetration tests provide a detailed and useful assessment of technical and configuration vulnerabilities often of a single system or environment in isolation, but unlike intelligence led red team test, do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies. During the selection process of the TLPT providers, financial entities should therefore ensure that those providers have the requisite skills to perform intelligence-led red team tests, and not only penetration tests. It is therefore necessary to lay down comprehensive criteria for testers, both internal and external, and threat intelligence providers, always external. Where the TLPT providers belong to the same company, the staff assigned to a TLPT should be adequately separated.
Recital 13 Exemptions from TLPT provider criteria
There may be exceptional circumstances where financial entities are unable to contract TLPT providers that meet the comprehensive criteria. Financial entities, upon evidencing the unavailability of such threat intelligence providers, should therefore be allowed to engage persons who do not satisfy all comprehensive criteria, provided that they properly mitigate any resultant additional risks and that the TLPT authority assesses all those criteria.
Recital 27 Mix of internal and external testers considered 'internal'
Article 26(8), first subparagraph, of Regulation (EU) 2022/2554 requires from financial entities that they contract external testers every three tests. Where financial entities include in the team of testers both internal and external testers, that should be considered as a TLPT performed with internal testers for the purposes of that Article.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
TLPT authority
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;
Definition
subsidiary
Definition
TLPT providers
Definition
network and information system
Definition
cyber threat
Definition
threat intelligence
Definition
cyber-attack
Definition
threat intelligence provider
Definition
vulnerability
Definition
group
Definition
ICT intra-group service provider
Definition
red team
Definition
public authority
Definition
parent undertaking
Definition
ICT services
Definition
ICT-related incident