Source: OJ L, 2025/1190, 18.6.2025
- Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Article 6 Risk management for pooled or joint TLPTs
Summary: What does Article 6 of the RTS on threat-led penetration testing say?
This article addresses a specific scenario within the broader TLPT framework: what happens when several financial entities take part in the same test, either through a joint TLPT or a pooled TLPT.
It establishes that each financial entity retains individual responsibility for its own risk assessment and risk management measures, while a collective layer of risk management must also be addressed.
The designated lead financial entity takes on the additional responsibility of assessing the risks that arise from the multi-entity nature of the test, and all involved control teams must cooperate with it to identify risks that span the participating entities.
Important points:
- Each financial entity in a joint or pooled TLPT must conduct its own independent risk assessment and establish its own risk management measures.
- The control team of the designated lead financial entity is responsible for assessing the risks specific to having multiple financial entities involved in the same TLPT.
- All other control teams involved in the test are required to cooperate with the designated lead financial entity's control team to identify potential joint risks.
This is Springlex's summary of the article: a reading aid, not a substitute for the legal text.
In the case of a joint TLPT or a pooled TLPT, the control team of each financial entity shall conduct its own risk assessment and establish its own risk management measures.
The control team of the designated financial entity referred to in Article 16(3), point (b), of this Regulation, or the financial entity designated in accordance with Article 26(4) of Regulation (EU) 2022/2554, shall assess the risks relating to the involvement in the TLPT of multiple financial entities. The control teams of the involved financial entities shall cooperate with the control team of the designated financial entity to identify potential joint risks.
Relevant recitals
Recital 11 Managing inherent risks of a TLPT
There are inherent elements of risks associated with TLPT as critical functions are tested in a live production environment, with the possibility of causing denial-of-service incidents, unexpected system crashes, damages to critical live production systems, or the loss, modification, or disclosure of data. Those risks highlight the need for robust risk management measures. To ensure that the TLPT is conducted in a controlled manner all along the testing, it is very important that financial entities are at all points aware of the particular risks that arise in a TLPT and that those risks are mitigated. In that respect, without prejudice to the internal processes of the financial entity and the responsibility and delegations already provided to the control team lead, information about the TLPT risk management measures, or, in particular cases the approval of those risk management measures by the financial entity’s management body itself, may be appropriate. To be able to deliver effective and most qualified professional services and to reduce those risks, it is also essential that the testers and threat intelligence providers (together, the TLPT providers) have the highest level of skills, expertise, and an appropriate experience in threat intelligence and TLPT in the financial services industry.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms used in this article and recital
- joint TLPT
- subsidiary
- TLPT providers
- control team
- network and information system
- cyber threat
- threat intelligence
- cyber-attack
- threat intelligence provider
- management body
- group
- ICT intra-group service provider
- parent undertaking
- ICT services
- ICT-related incident
- control team lead