Source: OJ L, 2025/1190, 18.6.2025
EN- Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Article 2 Identification of financial entities required to perform TLPT
1. TLPT authorities shall assess whether any financial entity is required to perform TLPT, taking into account the impact of those financial entities, their systemic character and their ICT risk profile, on the basis of all of the following criteria:
(a) impact-related and systemic character related factors:
(i) the size of the financial entity, determined on the basis of whether the financial entity provides financial services in one or more Member States and by comparing the activities of the financial entity to those of other financial entities providing similar services;
(ii) the extent and nature of the interconnectedness of the financial entity with other financial entities in the financial sector in one or more Member States;
(iii) the criticality or importance of the services that the financial entity provides to the financial sector;
(iv) the substitutability of the services that the financial entity provides;
(v) the complexity of the business model of the financial entity and the related services and processes;
(vi) whether the financial entity is part of a group of systemic character at Union or national level in the financial sector and sharing ICT systems;
(b) ICT risk-related factors:
(i) the risk profile of the financial entity;
(ii) the threat landscape of the financial entity;
(iii) the degree of dependence of critical or important functions or their supporting functions of the financial entity on ICT systems and processes;
(iv) the complexity of the ICT architecture of the financial entity;
(v) the ICT services and functions supported by ICT third-party service providers, and the quantity and type of contractual arrangements with ICT third-party service providers or ICT intra-group service providers;
(vi) the outcomes of any supervisory reviews relevant for the assessment of the ICT maturity of the financial entity;
(vii) the maturity of ICT business continuity plans and ICT response and recovery plans;
(viii) the maturity of the operational ICT security detection and mitigation measures, including the ability to:
(1) monitor the financial entity's ICT infrastructure on a permanent basis;
(2) detect ICT-related events in real time;
(3) analyse the events referred to in point (2);
(4) respond to the events referred to in point (2) in a timely and effective manner;
(ix) whether the financial entity is part of a group active in the financial sector at Union or national level that shares ICT systems.
For the purposes of point (a)(i), the TLPT authority shall, where possible, consider:
(a) the market share position of the financial entity at Union and national level;
(b) the range of activities offered by the financial entity;
(c) the market share of the services provided by the financial entity or of the activities undertaken at Union and national level.
For the purposes of point (a)(v), the TLPT authority shall, where possible, consider:
(a) whether the financial entity operates more than one business model;
(b) the interconnectedness of different business processes and the related services.
2. TLPT authorities shall require all of the following financial entities to perform TLPT, unless the assessment referred to in paragraph 1 in respect of a financial entity indicates that its impact, the financial stability concerns relating to that financial entity, or its ICT risk profile, does not justify the performance of a TLPT:
(a) credit institutions that meet any of the following conditions:
(i) they have been identified as global systemically important institutions (G-SIIs) in accordance with Article 131 of Directive 2013/36/EU of the European Parliament and of the Council (7);
(ii) they have been identified as other systemically important institutions (O-SIIs) in accordance with Article 131 of Directive 2013/36/EU;
(iii) they are part of a G-SII or an O-SII;
(b) payment institutions that exceeded in each of the 2 calendar years preceding the assessment by the TLPT authority EUR 150 billion of total value of payment transactions as defined in Article 4, point (5), of Directive (EU) 2015/2366 of the European Parliament and of the Council (8);
(c) electronic money institutions that exceeded in each of the 2 calendar years preceding the assessment by the TLPT authority either EUR 150 billion of total value of payment transactions as defined in Article 4, point (5), of Directive (EU) 2015/2366 or EUR 40 billion of total value of the amount of outstanding electronic money;
(d) central securities depositories;
(e) central counterparties;
(f) trading venues with an electronic trading system that meet any of the following criteria:
(i) the trading venue has the highest market share in terms of turnover at national level in each of the 2 calendar years preceding the assessment by the TLPT authority in any of the following:
(1) transferable securities as defined in Article 4(1), point (44)(a), of Directive 2014/65/EU of the European Parliament and of the Council (9);
(2) transferable securities as defined in Article 4(1), point (44)(b), of Directive 2014/65/EU;
(3) derivatives as defined in Article 2(1), point (29), of Regulation (EU) No 600/2014 of the European Parliament and of the Council (10);
(4) structured finance products as defined in Article 2(1), point (28), of Regulation (EU) No 600/2014;
(5) emission allowances as referred to in Section C, point (11), of Annex I to Directive 2014/65/EU;
(ii) the trading venue has a market share in terms of turnover at Union level that exceeds 5 % in each of the 2 calendar years preceding the assessment by the TLPT authority in any of the following:
(1) shares in companies and other securities equivalent to shares in companies, partnerships or other entities, and depositary receipts in respect of shares;
(2) bonds or other forms of securitised debt, including depositary receipts in respect of such securities;
(3) derivatives as defined in Article 2(1), point (29), of Regulation (EU) No 600/2014;
(4) structured finance products as defined in Article 2(1), point (28), of Regulation (EU) No 600/2014;
(5) emission allowances as referred to in Section C, point (11), of Annex I to Directive 2014/65/EU;
(g) insurance and reinsurance undertakings that meet all the following criteria:
(i) they have a gross written premium (GWP) that exceeds EUR 1 500 000 000;
(ii) they have technical provisions that exceed EUR 10 000 000 000;
(iii) insurance undertakings that pursue only life activities or that pursue both life and non-life activities and that have total assets that exceed 3,5 % of the sum of the total assets valuated in accordance with Article 75 of Directive 2009/138/EC of the European Parliament and of the Council (11) of the insurance and reinsurance undertakings established in the Member State.
For the purposes of point (f)(ii), where the trading venue is part of a group sharing ICT systems or the same ICT intra-group service provider, the turnover of the securities and derivatives contracts on all trading venues pertaining to the same group and established in the Union shall be considered.
For the purposes of point (g), TLPT authorities shall identify a subset of all insurance and reinsurance undertakings by applying the criteria laid down in points (g)(i), (ii) and (iii). Insurance and reinsurance undertakings included in that subset shall be required to perform TLPT where they also meet any of the following criteria:
(a) gross written premium (GWP) that exceeds EUR 3 000 000 000;
(b) technical provisions that exceed EUR 30 000 000 000;
(c) total assets that exceed 10 % of the sum of the total assets valuated in accordance with Article 75 of Directive 2009/138/EC of the insurance and reinsurance undertakings established in the Member State.
3. Where more than one financial entity belonging to the same group and sharing ICT systems, or where more than one financial entity using the same ICT intra-group service provider, meet the criteria set out in paragraph 2, the TLPT authorities of those financial entities shall, in accordance with Article 16(2), decide whether the requirement to perform TLPT on an individual basis is relevant for those financial entities.
Where the TLPT authority of the parent undertaking of a group of financial entities referred to in the first subparagraph is different from the TLPT authorities of the financial entities of the group, that authority shall be consulted by the TLPT authorities of the financial entities belonging to that group on whether it is appropriate to perform TLPT on an individual basis.
(7) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338, ELI: http://data.europa.eu/eli/dir/2013/36/oj).
(8) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35, ELI: http://data.europa.eu/eli/dir/2015/2366/oj).
(9) Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349, ELI: http://data.europa.eu/eli/dir/2014/65/oj).
(10) Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84, ELI: http://data.europa.eu/eli/reg/2014/600/oj).
(11) Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (OJ L 335, 17.12.2009, p. 1, ELI: http://data.europa.eu/eli/dir/2009/138/oj).
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.