Beta

Source: OJ L, 2025/1190, 18.6.2025

EN

Recital 3 Considerations of other financial entities for inclusion

TLPT authorities means any of the following: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; should assess, in light of an overall assessment of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; profile and maturity, of the impact on the financial sector, and of related financial stability concerns, whether any type of financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; other than credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1)., payment institutions means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;, electronic money institutions means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council;, central counterparties means a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;, central securities depositories means a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014;, trading venues means a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU;, insurance and reinsurance undertakings means a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC; should be subject to TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. The assessment of whether such financial entitiesas defined in Article 2, points (a) to (t) meet those qualitative criteria should aim at identifying financial entitiesas defined in Article 2, points (a) to (t) for which TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems is appropriate by using cross-sector and objective indicators. At the same time, the assessment of whether a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; meets those qualitative criteria should limit the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; subject to TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems to those for which the testing is justified. Whether a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; meets those qualitative criteria should also be assessed in the light of new markets development and of the increasing importance of new market participants for the financial sector in the future, including crypto asset service providers authorised in accordance with Article 59 of Regulation (EU) 2023/1114 of the European Parliament and of the Council(2)Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40, ELI: http://data.europa.eu/eli/reg/2023/1114/oj)..

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod