Source: OJ L, 2025/1190, 18.6.2025
Article 8 Specificities for pooled or joint TLPTs
Summary
What does Article 8 of the RTS on threat-led penetration testing say?
This article serves as a bridging provision that connects the general TLPT procedural steps (laid out in Articles 9 to 15) to the specific scenarios where multiple financial entities are involved in a joint or pooled TLPT.
It establishes two default rules: first, that each participating financial entity must individually follow the full procedural sequence, and second, that where multiple TLPT authorities are involved, any reference to "the TLPT authority" throughout Articles 9 to 15 should be read as referring to the lead TLPT authority.
Both rules can be displaced — the first by a decision of the lead TLPT authority, and the second by other provisions within the regulation itself.
Important points:
- Follow each procedural step in Articles 9 to 15 individually, even when participating in a joint or pooled TLPT, unless the lead TLPT authority decides otherwise.
- In joint or pooled TLPTs involving multiple TLPT authorities, the lead TLPT authority assumes the role of "the TLPT authority" for the purposes of Articles 9 to 15.
- This article directly links to Article 16, which governs how joint and pooled TLPTs are organised and how a lead TLPT authority is determined.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Unless otherwise decided by the lead TLPT authority, where several financial entities, identified in accordance with Article 16(2) or (4), are involved in a pooled or joint TLPT, each financial entity shall follow each of the steps set out in Articles 9 to 15.
Unless otherwise provided in this Regulation, where several TLPT authorities are involved in a joint TLPT or in a pooled TLPT, as referred to in Article 16(3) or 16(5), references in Articles 9 to 15 to the ‘TLPT authority’ shall be understood as a reference to the lead TLPT authority for such pooled or joint TLPT.
Relevant recitals
Recital 14 Multiple financial entities and TLPT authorities
Where several financial entities and several TLPT authorities are involved in a TLPT, the roles of all parties in the TLPT process should be specified to conduct the most efficient and safe test. For the purposes of pooled testing, specific requirements are necessary to specify the role of the designated financial entity, namely that it should be in charge of providing all necessary documentation to the lead TLPT authority and of monitoring the test process. The designated financial entity should also be in charge of the common aspects of the risk management assessment. Notwithstanding the role of the designated financial entity, the obligations of each financial entity participating to the pooled TLPT process should remain unaffected during the pooled test. The same principle should apply for joint TLPTs.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
TLPT authority
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;