Recital 56 Regular security testing of ICT systems and staff


In order to achieve a high level of digital operational resilience, and in line with both the relevant international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing) and with the frameworks applied in the Union, such as the TIBER-EU, financial entities should regularly test their ICT systems and staff having ICT-related responsibilities with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. To reflect differences that exist across, and within, the various financial subsectors as regards financial entities' level of cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing by means of TLPT (threat-led penetration testing). Such advanced testing should be required only of financial entities that are mature enough from an ICT perspective to reasonably carry it out. The digital operational resilience testing required by this Regulation should thus be more demanding for those financial entities meeting the criteria set out in this Regulation (for example, large, systemic and ICT-mature credit institutions, stock exchanges, central securities depositories and central counterparties) than for other financial entities. At the same time, the digital operational resilience testing by means of TLPT should be more relevant for financial entities operating in core financial services subsectors and playing a systemic role (for example, payments, banking, and clearing and settlement), and less relevant for other subsectors (for example, asset managers and credit rating agencies).

Terms used in this recital, as glossed inline on the page:

digital operational resilience: the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

international standard: an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012.

threat-led penetration testing (TLPT): a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity's critical live production systems.

financial entities: as defined in Article 2, points (a) to (t).

vulnerability: a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat.

cybersecurity: cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881.

software: the part of an electronic information system which consists of computer code.

digital operational resilience testing: as defined in Article 24.

credit institution: a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

central securities depository: a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014.

central counterparty: a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012.

credit rating agency: a credit rating agency as defined in Article 3(1), point (b), of Regulation (EC) No 1060/2009.
