Article 27 Requirements for testers for the carrying out of TLPT

    1. Financial entities (as defined in Article 2, points (a) to (t)) shall only use testers for the carrying out of TLPT (threat-led penetration testing), that:

      1. are of the highest suitability and reputability;

      2. possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;

      3. are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;

      4. provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity;

      5. are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.

    2. When using internal testers, financial entities (as defined in Article 2, points (a) to (t)) shall ensure that, in addition to the requirements in paragraph 1, the following conditions are met:

      1. such use has been approved by the relevant competent authority (as defined in Article 46) or by the single public authority designated in accordance with Article 26(9) and Article 26(10);

      2. the relevant competent authority (as defined in Article 46) has verified that the financial entity has sufficient dedicated resources and ensured that conflicts of interest are avoided throughout the design and execution phases of the test; and

      3. the threat intelligence provider is external to the financial entity.

    3. Financial entities (as defined in Article 2, points (a) to (t)) shall ensure that contracts concluded with external testers require a sound management of the TLPT results and that any data processing thereof, including any generation, store, aggregation, draft, report, communication or destruction, do not create risks to the financial entity.

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.