Source: OJ L, 2025/1190, 18.6.2025
Article 3 TCT and TLPT Test Managers
Summary
What does Article 3 of the RTS on threat-led penetration testing say?
This article establishes the internal structure that TLPT authorities must put in place to oversee and coordinate threat-led penetration testing.
It sets out the requirement for a dedicated TLPT Cyber Team (TCT), composed of test managers, to take responsibility for coordinating TLPT-related activities.
The article also makes clear that TLPT authority involvement is not merely administrative — it extends across all phases of a given test.
Important points:
- TLPT authorities are required to establish a TCT and designate a test manager, plus at least one alternate, for each individual TLPT.
- Test managers are responsible for monitoring and ensuring compliance with this Regulation throughout the testing process.
- TLPT authorities must participate in all phases of the TLPT, not just at the initiation or sign-off stage.
This is Springlex's summary of the article: a reading aid, not a substitute for the legal text that follows.
A TLPT authority shall assign the responsibility for coordinating TLPT-related activities to a TCT. A TCT shall be composed of test managers that are assigned to oversee an individual TLPT.
For each test, the TLPT authority shall designate a test manager and at least one alternate.
The test managers shall monitor whether, and ensure that, the requirements laid down in this Regulation are complied with.
The test manager shall communicate the contact details of the TCT to the financial entity through the notification referred to in Article 9(1).
The TLPT authority shall participate in all the phases of the TLPT.
Relevant recitals
Recital 6: Responsibility of TLPT cyber teams in line with TIBER-EU
To ensure that the TLPT benefits from the experience developed in the framework of TIBER-EU implementation and to reduce the risks associated with the performance of TLPT, it should be ensured that the responsibilities of the TLPT cyber teams to be set up at the level of TLPT authorities match as closely as possible those of the TIBER-EU cyber teams. Hence, the TLPT cyber teams should have test managers that are responsible for overseeing individual TLPTs and for planning and coordinating individual tests. TLPT cyber teams should serve as a single point of contact for test-related communication to internal and external stakeholders, for collecting and processing feedback and lessons learned from previously conducted tests, and for supporting financial entities undergoing TLPT testing.
Recital 7: Skills and capabilities of test managers
To mirror the TIBER-EU framework methodology, test managers should have the skills and capabilities necessary to provide advice and to challenge tester proposals. Experience under the TIBER-EU framework has proven that it is valuable to have a team of at least two test managers assigned to each test. To reflect that the TLPT is used to encourage the learning experience, to safeguard the confidentiality of tests, and unless they have resources or expertise issues, TLPT authorities are strongly encouraged to consider that, for the duration of a TLPT, test managers should not conduct supervisory activities on the same financial entity undergoing a TLPT.
Definition: TLPT authority
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;