Source: OJ L, 2025/1190, 18.6.2025
Recital 13 Exemptions from TLPT provider criteria
There may be exceptional circumstances where financial entities are unable to contract TLPT providers that meet the comprehensive criteria. Financial entities, upon evidencing the unavailability of such threat intelligence providers, should therefore be allowed to engage persons who do not satisfy all comprehensive criteria, provided that they properly mitigate any resultant additional risks and that the TLPT authority assesses all those criteria.

Definitions of terms used above:

- "financial entities": as defined in Article 2, points (a) to (t);
- "TLPT providers" means testers and threat intelligence providers;
- "threat intelligence providers" means the experts, contracted by the financial entity for each TLPT, and external to the financial entity and to ICT intra-group service providers if any, who collect and analyse targeted threat intelligence relevant for the financial entities in scope of a specific TLPT exercise and develop matching relevant and realistic threat scenarios;
- "risks" means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;
- "TLPT authority" means any of the following:
  - the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
  - the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
  - any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554.