Source: OJ L, 2025/1190, 18.6.2025
Recital 1 Relation to the TIBER-EU framework
This Regulation has been drafted in accordance with the TIBER-EU framework and mirrors the methodology, process and structure of threat-led penetration testing (TLPT) as described in TIBER-EU. Financial entities subject to TLPT may refer to and apply the TIBER-EU framework, or one of its national implementations, in as much as that framework or implementation is consistent with the requirements set out in Articles 26 and 27 of Regulation (EU) 2022/2554 and this Regulation. The designation of a single public authority in the financial sector that is responsible for TLPT-related matters at national level in accordance with Article 26(9) of Regulation (EU) 2022/2554 should be without prejudice to the competence of competent authorities entrusted at Union level for the supervision of certain financial entities in accordance with Article 46 of that Regulation such as, for instance, the European Central Bank for significant credit institutions which are to be considered competent for TLPT-related matters. Where only some of the tasks related to TLPTs are delegated to another national authority in the financial sector pursuant to Article 26(10) of Regulation (EU) 2022/2554, the competent authority of the financial entity referred to in Article 46 of that Regulation should remain the authority for the TLPT-related tasks that have been not delegated.