Source: OJ L, 2025/1190, 18.6.2025Current language: EN
- Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Article 4 Organisational arrangements for financial entities
Summary What does Article 4 of the RTS on threat-led penetration testing say?
This article sets out the internal governance requirements that financial entities must put in place to manage a TLPT properly.
It establishes a clear leadership role in the form of a control team lead, who is accountable for the day-to-day running of the test and the actions of the wider control team.
Beyond that single point of accountability, the article focuses heavily on the operational discipline required to protect the integrity of the test, particularly around secrecy, information access, and escalation management.
It connects closely to the broader TLPT framework by defining how the financial entity organises itself internally to interact with testers, threat intelligence providers, and the TLPT authority throughout the process.
Important points:
- Appoint a control team lead to take responsibility for the day-to-day management of the TLPT and the decisions of the control team.
- Establish organisational and procedural measures to strictly control access to TLPT information on a need-to-know basis, maintain secrecy across all involved parties, and ensure the control team can contain any accidental detection of the test.
- The control team must consult test managers before involving any blue team member in the TLPT, and must provide information to test managers upon request.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Financial entities shall appoint a control team lead which shall be responsible for the day-to-day management of the TLPT and the decisions and actions of the control team.
Financial entities shall establish organisational and procedural measures to ensure that:
access to information pertaining to any planned or ongoing TLPT is limited on a need-to-know basis to the control team, the management body, the testers, the threat intelligence provider and the TLPT authority;
the control team consults the test managers prior to involving any member of the blue team in a TLPT;
the control team is informed of any detection of the TLPT by staff members of the financial entity or of its third-party service providers; in case of escalation of the resulting incident response, where needed, the control team contains such escalation;
arrangements relating to the secrecy of the TLPT, applicable to staff of the financial entity, to the staff of the ICT third party service providers concerned, to testers and to the threat intelligence provider are in place;
the control team provides any information pertaining to the TLPT to the test managers upon request;
where possible, parties involved in the TLPT refer to it by code name only.
Relevant recitals
Recital 5 Organisational mirror of TIBER-EU
To mirror the TIBER-EU framework, it is necessary that the testing methodology provides for the involvement of the following main participants: the financial entity, with a control team (mirroring the TIBER-EU ‘control team’) and a blue team (mirroring the TIBER-EU ‘blue team’), and the TLPT authority, in the form of a TLPT cyber team (mirroring the TIBER-EU ‘TIBER cyber teams’), a threat intelligence provider, and testers (whereby the testers mirror the TIBER-EU ‘red team provider’).
Recital 9 Secrecy of the TLPT
The secrecy of TLPT is of utmost importance to ensure that the conditions of the testing are realistic. For that reason, testing should be covert, and precautions should be taken to keep the TLPT confidential, including the choice of codenames that should be designed to prevent the identification of the TLPT by third parties. Should staff members responsible for the security of the financial team be aware of a planned or ongoing TLPT, it is likely that they would be more observant and alert than during normal working conditions, thereby resulting in an altered outcome of the testing. Staff members of the financial entity outside of the control team should therefore only be made aware of any planned or ongoing TLPT where there are cogent reasons and subject to the prior agreement of the test managers, inter alia to ensure the secrecy of the test in case a blue team member has detected the testing.
Recital 10 Importance of the control team lead
As evidenced through the experience gathered in the TIBER-EU framework with respect to the ‘control team’, the selection of an adequate control team lead is indispensable for the safe conduct of TLPT. The control team lead should have the necessary mandate within the financial entity to guide all the aspects of the testing, without compromising its confidentiality. For the same reason, members of the control team should have a deep knowledge of the financial entity, of the control team lead’s job role and strategic positioning, should have the required seniority and should have access to the management board. To reduce the risk of compromising the TLPT, the control team should be as small as possible.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
TLPT authority
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;
Definition
subsidiary
Definition
TLPT Cyber Team
Definition
control team
Definition
network and information system
Definition
blue team
Definition
cyber threat
Definition
threat intelligence
Definition
cyber-attack
Definition
threat intelligence provider
Definition
management body
Definition
group
Definition
ICT intra-group service provider
Definition
red team
Definition
public authority
Definition
parent undertaking
Definition
test managers
Definition
ICT services
Definition
ICT-related incident
Definition
control team lead