Recital 27 Mix of internal and external testers considered 'internal'


Article 26(8), first subparagraph, of Regulation (EU) 2022/2554 requires from financial entities (as defined in Article 2, points (a) to (t)) that they contract external testers every three tests. Where financial entities include in the team of testers both internal and external testers, that should be considered as a TLPT (threat-led penetration testing: a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems) performed with internal testers for the purposes of that Article.
