Source: OJ L, 2025/1190, 18.6.2025
Article 7 Selection of TLPT providers
Summary
What does Article 7 of the RTS on threat-led penetration testing say?
This is a detailed and notably granular article that sits at the heart of the regulation's quality assurance framework for TLPT providers.
Building on the broader risk management obligations established in Articles 5 and 6, Article 7 sets out the specific due diligence and conduct requirements that the control team must enforce when engaging external testers and threat intelligence providers.
It covers the vetting of credentials and experience, conflict of interest requirements, mandatory post-test restoration procedures, and a list of prohibited activities.
It also contains a limited exception allowing non-compliant providers to be used in exceptional circumstances, provided mitigating measures are adopted and recorded.
Important points:
- Ensure external testers and threat intelligence providers meet strict qualification standards, including minimum years of experience, reference requirements, professional indemnity insurance, and separation from blue team activities to avoid conflicts of interest.
- Require testers and threat intelligence providers to carry out full restoration procedures after testing, covering removal of malware, deactivation of command and control infrastructure, and secure deletion of compromised credentials.
- In exceptional circumstances, financial entities may engage providers that do not meet the requirements, but must adopt and record appropriate measures to mitigate the associated risks.
Springlex's summary of the article: a reading aid, not a substitute for the legal text, which follows.
1. The control team shall take measures to manage the risks relating to the TLPT and shall in particular ensure that, for each TLPT:
(a) the threat intelligence provider and external testers provide the control team with a detailed curriculum vitae and copies of certifications that, according to recognised market standards, are appropriate for the performance of their activities;
(b) the threat intelligence provider and external tester are duly and fully covered by proper professional indemnity insurances including against risks of misconduct and negligence;
(c) the threat intelligence provider provides at least three references from previous assignments in the context of penetration testing and red team testing;
(d) the external testers provide at least five references from previous assignments related to penetration testing and red team testing;
(e) the staff of the threat intelligence provider assigned to the TLPT:
  (i) is composed of at least a manager with at least 5 years’ experience in threat intelligence and at least one additional member with at least 2 years’ experience in threat intelligence;
  (ii) display a broad range and appropriate level of professional knowledge and skills, including:
    - intelligence gathering tactics, techniques and procedures;
    - geopolitical, technical and sectorial knowledge;
    - adequate communication skills to clearly present and report on the result of the engagement;
  (iii) has a combined participation in at least three previous assignments in threat intelligence in the context of penetration testing and red team testing;
  (iv) does not simultaneously perform any blue team tasks or other services that may present a conflict of interest with respect to the financial entity, ICT third-party service provider or an ICT intra-group service provider involved in TLPT to which they are assigned;
  (v) is separated from and not reporting to staff of the same TLPT provider providing external testers for the same TLPT;
(f) for external testers, the red team assigned to the TLPT:
  (i) is composed of at least a manager, with at least 5 years of experience in penetration testing and red team testing as well as at least two additional testers, each with penetration testing and red team testing of at least 2 years;
  (ii) displays a broad range and appropriate level of professional knowledge and skills, including knowledge about the business of the financial entity, reconnaissance, risk management, exploit development, physical penetration, social engineering, vulnerability analysis, as well as adequate communication skills to clearly present and report on the result of the engagement;
  (iii) has a combined participation in at least five previous assignments related to penetration testing and red team testing;
  (iv) is not employed by, nor provides services to, a threat intelligence provider that simultaneously performs blue team tasks for either a financial entity, an ICT third-party service provider, or an ICT intra-group service provider that is involved in the TLPT;
  (v) is separated from any staff of the same TLPT provider that simultaneously provides threat-intelligence services for the same TLPT;
(g) the testers and the threat intelligence provider carry out restoration procedures at the end of testing, including secure deletion of information related to passwords, credentials, and other secret keys compromised during the TLPT, secure communication to the financial entities of the accounts compromised, secure collection, storage, management, and disposal of other data collected during testing;
(h) testers, in addition to the restoration procedures at the end of testing as referred to in point (g), carry out the following restoration procedures:
  (i) command and control deactivation;
  (ii) scope and date kill switches;
  (iii) removal of backdoors and other malware;
  (iv) potential breach notification;
  (v) procedures for future back-up restoration which may concern malware or tools installed during the test;
  (vi) monitoring of the blue team activities and informing the control team of any possible detections;
(i) testers and the threat intelligence provider do not perform, or participate in, any of the following activities:
  (i) unauthorised destruction of equipment of the financial entity and of its ICT third-party service providers, if any;
  (ii) uncontrolled modification of information and ICT assets of the financial entity and of its ICT third-party service providers, if any;
  (iii) intentionally compromising the continuity of critical or important functions of the financial entity;
  (iv) unauthorised inclusion of out-of-scope systems;
  (v) unauthorised disclosure of test results.
2. The control team shall keep record of the documentation provided by the testers and the threat intelligence providers to evidence compliance with paragraph 1, points (a) to (f).
3. In exceptional circumstances, financial entities may contract external testers and threat intelligence providers that do not meet one or more of the requirements set out in paragraph 1, points (a) to (f), provided that those financial entities adopt measures that are appropriate to mitigate the risks relating to the lack of compliance with such points and record those measures.
Relevant recitals
Recital 12 Comprehensive criteria for TLPT providers
Conventional penetration tests provide a detailed and useful assessment of technical and configuration vulnerabilities often of a single system or environment in isolation, but unlike intelligence led red team test, do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies. During the selection process of the TLPT providers, financial entities should therefore ensure that those providers have the requisite skills to perform intelligence-led red team tests, and not only penetration tests. It is therefore necessary to lay down comprehensive criteria for testers, both internal and external, and threat intelligence providers, always external. Where the TLPT providers belong to the same company, the staff assigned to a TLPT should be adequately separated.
Recital 13 Exemptions from TLPT provider criteria
There may be exceptional circumstances where financial entities are unable to contract TLPT providers that meet the comprehensive criteria. Financial entities, upon evidencing the unavailability of such threat intelligence providers, should therefore be allowed to engage persons who do not satisfy all comprehensive criteria, provided that they properly mitigate any resultant additional risks and that the TLPT authority assesses all those criteria.
Recital 27 Mix of internal and external testers considered 'internal'
Article 26(8), first subparagraph, of Regulation (EU) 2022/2554 requires from financial entities that they contract external testers every three tests. Where financial entities include in the team of testers both internal and external testers, that should be considered as a TLPT performed with internal testers for the purposes of that Article.
Definition: TLPT authority
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554.