Source: OJ L, 2025/1190, 18.6.2025
EN - Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Annex V Content of the red team test report (Article 12(2))
The red team test report shall contain information on at least all of the following:
- information on the performed attack, including:
  - the targeted critical or important functions and the identified ICT systems, processes and technologies supporting the critical or important function, as identified in the red team test plan;
  - summary of each scenario;
  - flags reached and not reached;
  - attack paths followed successfully and unsuccessfully;
  - tactics, techniques and procedures used successfully and unsuccessfully;
  - deviations from the red team test plan, if any;
  - leg-ups granted, if any;
  - all actions that the testers are aware of that were performed by the blue team to reconstruct the attack and to mitigate its effects;
- discovered vulnerabilities and other findings, including:
  - vulnerability and other finding description, including their criticality;
  - root cause analysis of successful attacks;
  - recommendations for remediation, including indication of the remediation priority.

Terms used above:
- 'critical or important function' means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;
- 'vulnerability' means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.