Source: OJ L, 2025/1190, 18.6.2025
RTS on threat-led penetration testing
Article 3 TCT and TLPT Test Managers
A TLPT authority shall assign the responsibility for coordinating TLPT-related activities to a TCT. A TCT shall be composed of test managers that are assigned to oversee an individual TLPT.
For each test, the TLPT authority shall designate a test manager and at least one alternate.
The test managers shall monitor whether, and ensure that, the requirements laid down in this Regulation are complied with.
The test manager shall communicate the contact details of the TCT to the financial entity through the notification referred to in Article 9(1).
The TLPT authority shall participate to all the phases of the TLPT.
Relevant recitals
Recital 6 Responsibility of TLPT cyber teams in line with TIBER-EU
To ensure that the TLPT benefits from the experience developed in the framework of TIBER-EU implementation and to reduce the risks associated to the performance of TLPT, it should be ensured that the responsibilities of the TLPT cyber teams to be set up at the level of TLPT authorities match as closely as possible those of the TIBER-EU cyber teams. Hence, the TLPT cyber teams should have test managers that are responsible for overseeing individual TLPTs and for planning and coordinating individual tests. TLPT cyber teams should serve as a single point of contact for test-related communication to internal and external stakeholders, for collecting and processing feedback and lessons learned from previously conducted tests, and for supporting financial entities undergoing TLPT testing.
Recital 7 Skills and capabilities of test managers
To mirror the TIBER-EU framework methodology, test managers should have the skills and capabilities necessary to provide advice and to challenge tester proposals. Experience under the TIBER-EU framework has proven that it is valuable to have a team of at least two test managers assigned to each test. To reflect that the TLPT is used to encourage the learning experience, to safeguard the confidentiality of tests, and unless they have resources or expertise issues, TLPT authorities are strongly encouraged to consider that, for the duration of a TLPT, test managers should not conduct supervisory activities on the same financial entity undergoing a TLPT.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.