Source: OJ L, 2025/1190, 18.6.2025
RTS on threat-led penetration testing
Commission Delegated Regulation (EU) 2025/1190
of 13 February 2025
supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council
with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition
Table of contents
- Preamble: Recitals 1 – 30
- Articles
- Article 1: Definitions
- Article 2: Identification of financial entities required to perform TLPT
- Article 3: TCT and TLPT Test Managers
- Article 4: Organisational arrangements for financial entities
- Article 5: Risk management for TLPT
- Article 6: Risk management for pooled or joint TLPTs
- Article 7: Selection of TLPT providers
- Article 8: Specificities for pooled or joint TLPTs
- Article 9: Preparation phase
- Article 10: Testing phase: threat intelligence
- Article 11: Testing phase: red team test
- Article 12: Closure phase
- Article 13: Remediation plan
- Article 14: Attestation
- Article 15: Use of internal testers
- Article 16: Cooperation and mutual recognition
- Article 17: Entry into force
- Annexes
- Annex I: Content of the project charter (Article 9(2)(a))
- Annex II: Content of the scope specification document (Article 9(6))
- Annex III: Content of the targeted threat intelligence report (Article 10(5))
- Annex IV: Content of the red team test plan (Article 11(1))
- Annex V: Content of the red team test report (Article 12(2))
- Annex VI: Content of the blue team test report (Article 12(4))
- Annex VII: Details of the report summarizing the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554
- Annex VIII: Details of the attestation of the TLPT referred to in Article 26(7) of Regulation (EU) 2022/2554