Source: OJ L, 2025/1190, 18.6.2025
Recital 13: Exemptions from TLPT provider criteria
There may be exceptional circumstances where financial entities are unable to contract TLPT (threat-led penetration testing) providers that meet the comprehensive criteria. Financial entities, upon evidencing the unavailability of such TLPT providers, should therefore be allowed to engage persons who do not satisfy all comprehensive criteria, provided that they properly mitigate any resultant additional risks and that the TLPT authority assesses all those criteria.