Beta

Source: OJ L, 2025/1190, 18.6.2025

EN

Recital 8 Involvement of TLPT authorities in the phases

It is important, for consistency with the TIBER-EU framework, that the TLPT authority means any of the following: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; closely follows the testing in each of its stages. Considering the nature of the testing and the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated to it, it is fundamental that the TLPT authority means any of the following: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; is involved in each specific phase of the testing. In particular, the TLPT authority means any of the following: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; should be consulted and should validate those assessments or decisions of the financial entitiesas defined in Article 2, points (a) to (t) that may, on the one hand, influence the effectiveness of the test and, on the other hand, have an impact on the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with the test. The fundamental steps on which a specific involvement of the TLPT authority means any of the following: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; is necessary include the validation of certain fundamental documentation of the testing, and the selection of threat intelligence providers means the experts, contracted by the financial entity for each TLPT, and external to the financial entity and to ICT intra-group service providers if any, who collect and analyse targeted threat intelligence relevant for the financial entities in scope of a specific TLPT exercise and develop matching relevant and realistic threat scenarios; and testers and risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management measures. The involvement of the TLPT authorities means any of the following: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;, and in particular for validations, should not result in an excessive burden for those authorities and should therefore be limited to those documentation and decisions that directly affect the conduct of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. Through the active participation in each phase of the testing, the TLPT authorities means any of the following: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; may effectively assess compliance of the financial entitiesas defined in Article 2, points (a) to (t) with the relevant requirements, which should allow those authorities to issue attestations pursuant to Article 26(7) of Regulation (EU) 2022/2554.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod