Article 15 Use of internal testers

1. the establishment and implementation of a policy for the management of internal testers in a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems;

2. measures to ensure that the use of internal testers to perform a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems does not negatively impact the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s general defensive or resilience capabilities regarding ICT-related incidents means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; or significantly impacts the availability of resources devoted to ICT-related tasks during a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems;

3. measures to ensure that internal testers have sufficient resources and capabilities to perform a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.

1. contain criteria to assess suitability, competence, potential conflicts of interest of the internal testers and specify management responsibilities in the testing process;

2. be documented and periodically reviewed;

3. provide that the internal testing team includes a test lead, and at least two additional members;

4. require that all members of the test team have been employed by the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; or by an ICT intra-group service provider means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; for the preceding 12 months;

5. include provisions on training on how to perform penetration testing and red team means the testers, internal or external, contracted for, or assigned to, a TLPT; testing of the internal testers.

Where a TLPT authority means any of the following: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; approves the use of internal testers in accordance with Article 27(2), point (a), of Regulation (EU) 2022/2554, the TLPT authority means any of the following: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; shall consider the requirements laid down in Article 7(1) of this Regulation.

1. the test initiation information referred to in Article 9;

2. the red team means the testers, internal or external, contracted for, or assigned to, a TLPT; test report referred to in Article 12(2);

3. the report summarising the relevant findings of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems referred to in Article 26(6) of Regulation (EU) 2022/2554.

Testers employed by an ICT intra-group service provider means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; shall be considered as internal testers of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.