Recital 12 Comprehensive criteria for TLPT providers


Conventional penetration tests provide a detailed and useful assessment of technical and configuration vulnerabilities often of a single system or environment in isolation, but unlike intelligence led red team test, do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies. During the selection process of the TLPT providers, financial entities should therefore ensure that those providers have the requisite skills to perform intelligence-led red team tests, and not only penetration tests. It is therefore necessary to lay down comprehensive criteria for testers, both internal and external, and threat intelligence providers, always external.
Where the TLPT providers belong to the same company, the staff assigned to a TLPT should be adequately separated.
