Source: EC-adopted draft
Preamble
Recitals
Recital 1
This Regulation has been drafted in accordance with the TIBER-EU framework and mirrors the methodology, process and structure of TLPT as described in TIBER-EU. Financial entities subject to TLPT may refer to and apply the TIBER-EU framework, or one of its national implementations, in as much as that framework or implementation is consistent with the requirements set out in Articles 26 and 27 of Regulation (EU) 2022/2554 and this Regulation.
Recital 2
The designation of a single public authority in the financial sector responsible for TLPT-related matters at national level according to Article 26(9) of Regulation (EU) 2022/2554 should be without prejudice to the competence for the TLPT of competent authorities entrusted with supervision at Union level of certain financial entities to which Regulation (EU) 2022/2554 applies, such as, for instance, the European Central Bank for significant credit institutions. Where only some tasks are delegated in a Member State in accordance with the national implementation of Article 26(10) of Regulation (EU) 2022/2554, the competent authority in accordance with Article 46 of Regulation (EU) 2022/2554 should remain the authority for those TLPT-related tasks that have not been delegated.
Recital 3
Considering the complexity of the TLPT and the risks relating to it, the test should be performed only by financial entities for which it is justified. Hence, authorities responsible for TLPT matters (TLPT authorities, either at national or Union level) should exclude from the scope of TLPT those financial entities operating in core financial services subsectors for which a TLPT is not justified. It means that credit institutions, payment and electronic money institutions, central securities depositories, central counterparties, trading venues, insurance and reinsurance undertakings, even when meeting the quantitative criteria identified in this Regulation, could be opted out of the TLPT scope in light of an overall assessment of their ICT risk profile and maturity, impact on the financial sector and related financial stability concerns.
Recital 4
TLPT authorities should assess, in light of an overall assessment of the ICT risk profile and maturity, of the impact on the financial sector and related financial stability concerns, whether any type of financial entity other than credit institutions, payment institutions, electronic money institutions, central counterparties, central securities depositories, trading venues, insurance and reinsurance undertakings should be subject to TLPT. The assessment of the abovementioned qualitative elements should aim at identifying financial entities for which the TLPT is appropriate by using cross-sector and objective indicators. At the same time, the assessment of these elements should limit the entities subject to TLPT to those for which the test is justified. These elements should also be assessed with reference to new market participants (such as crypto-asset service providers referred to in Title V of Regulation (EU) 2023/1114) which might have a more important role for the financial sector in the future.
Recital 5
Where financial entities have the same ICT intra-group service provider or where they belong to the same group and rely on common ICT systems, it is important that TLPT authorities consider the structure and its systemic character or importance for the financial sector at national or Union level in the assessment of whether a financial entity should be subject to TLPT and of whether the TLPT should be conducted at entity level or at group level (through a joint TLPT).
Recital 6
In order to mirror the TIBER-EU framework, it is necessary that the testing methodology provides for the involvement of the following main participants: the financial entity, with a control team (mirroring the TIBER-EU so-called ‘white team’) and a blue team (mirroring the TIBER-EU ‘blue team’); the TLPT authority, in the form of a TLPT cyber team or ‘TCT’ (mirroring the TIBER-EU so-called ‘TIBER cyber teams’); a threat intelligence provider; and testers (the latter mirroring the TIBER so-called ‘red team provider’).
Recital 7
In order to ensure that the TLPT benefits from the experience developed in the framework of TIBER-EU implementation and to reduce the risks associated with the performance of TLPT, it should be ensured that the responsibilities of the TLPT cyber teams or ‘TCT’ to be set up at the level of TLPT authorities match as closely as possible those of the TIBER cyber teams under TIBER-EU. Hence, the TLPT cyber teams or ‘TCT’ should include test managers responsible for overseeing the individual TLPTs and be responsible for planning and coordination of individual tests. TLPT cyber teams or ‘TCT’ should serve as single point of contact for test-related communication to internal and external stakeholders, collect and process feedback and lessons learned from previously conducted tests and provide support to financial entities undergoing TLPT.
Recital 8
To mirror the TIBER-EU framework methodology, test managers should have sufficient skills and capabilities to provide advice and challenge tester proposals. Building on the experience under the TIBER-EU framework, it has proven to be valuable to have a team of at least two test managers assigned to each test. To reflect that the TLPT is used to encourage the learning experience, to safeguard the confidentiality of tests, and unless they have resources or expertise issues, TLPT authorities are strongly encouraged to consider that, for the duration of a TLPT, test managers should not conduct supervisory activities on the same financial entity undergoing a TLPT.
Recital 9
It is important, for consistency with the TIBER-EU framework, that the TLPT authority closely follows the test in each of its stages. Considering the nature of the test and the risks associated with it, it is fundamental that the approach to be followed for each specific phase of the testing refers, where relevant, to the role of the TLPT authority. In particular, the TLPT authority should be consulted and should validate those assessments or decisions of the financial entities that may, on the one hand, have an effect on the effectiveness of the test and, on the other hand, have an impact on the risks associated with the test. Examples of the fundamental steps on which a specific involvement of the TLPT authority is necessary include the validation of certain fundamental documentation of the test, the selection of threat intelligence providers and testers, and risk management measures. The involvement of the TLPT authority, with particular reference to validations, should not result in an excessive burden for the authorities and should therefore be limited to those documents and decisions directly affecting the positive outcome of the TLPT. The involvement of the TLPT authority as described in this Regulation is also necessary for the purposes of the issuance of the attestation pursuant to Article 26(7) of Regulation (EU) 2022/2554. Through the active participation in each phase of the testing, the TLPT authorities may effectively assess compliance of the financial entities with the relevant requirements.
Recital 10
The secrecy of a TLPT is of utmost importance to ensure that the conditions of the test are realistic. Therefore, testing should be covert, and precautions should be taken in order to keep the TLPT confidential, including the choice of codenames designed in such a way as not to allow the identification of the TLPT by third parties. Should staff members responsible for the security of the financial entity be aware of a planned or ongoing TLPT, it is likely that they would be more observant and alert than during normal working conditions, thereby resulting in an altered outcome of the test. Therefore, staff members of the financial entity outside of the control team should be made aware of any planned or ongoing TLPT only in the presence of cogent reasons and subject to prior agreement of the test managers. This may for example be to ensure the secrecy of the test in case a blue team member has detected the test.
Recital 11
As evidenced through the experience gathered in the TIBER-EU framework with respect to the ‘white team’, the selection of an adequate control team lead (CTL) is indispensable for the safe conduct of a TLPT. The CTL should have the necessary mandate within the financial entity to guide all the aspects of the test, without compromising the confidentiality of the test. Aspects such as deep knowledge of the financial entity, the CTL’s job role and strategic positioning, seniority and access to the management board should be considered for the purposes of the appointment. The control team should be as small as possible in order to reduce the risk of compromising the TLPT.
Recital 12
There are inherent risks associated with TLPT, as critical functions are tested in a live production environment, with the possibility of causing denial-of-service incidents, unexpected system crashes, damage to critical live production systems, or the loss, modification or disclosure of data. This highlights the need for robust risk management measures.
Hence, it is very important that financial entities are at all points aware of the particular risks that arise in a TLPT and that these are mitigated, to ensure that the TLPT is conducted in a controlled manner throughout the test.
In that respect, without prejudice to the internal processes of the financial entity and the responsibility and delegations already provided to the control team lead, information of, or in particular cases approval by, the financial entity’s management body itself of the TLPT risk management measures may be appropriate. It is also essential that the testers and threat intelligence providers have the highest level of skills and expertise and appropriate experience in threat intelligence and TLPT in the financial services industry, to be able to deliver effective and highly qualified professional services and to reduce the abovementioned risks.
Recital 13
Intelligence-led red team tests differ from conventional penetration tests, which provide a detailed and useful assessment of technical and configuration vulnerabilities, often of a single system or environment in isolation, but, contrary to the former, do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies. During the selection process, financial entities should ensure that testers possess the requisite skills to perform intelligence-led red team tests, and not only penetration tests. This Regulation establishes comprehensive criteria for testers, both internal and external, and for threat intelligence providers, which are always external. Where the threat intelligence provider and the external testers are part of the same company, the staff assigned to the test should be adequately separated.
Acknowledging the evolving state of this market, there may be exceptional circumstances where financial entities are unable to secure suitable providers who meet these standards. Therefore, financial entities, upon evidencing the unavailability of fully compliant and suitable providers, should be permitted to engage those who do not satisfy all criteria, conditional upon the proper mitigation of any resultant additional risks and upon an assessment of all these elements by the TLPT authority.
Recital 14
When several financial entities and several TLPT authorities are involved in a TLPT, the roles of all parties in the TLPT process should be specified in order to conduct the most efficient and safe test.
For the purposes of pooled testing, specific requirements are necessary to specify the role of the designated financial entity, namely that it should be in charge of providing all necessary documentation to the lead TLPT authority and of monitoring the test process. The designated financial entity should also be in charge of the common aspects of the risk management assessment.
Notwithstanding the role of the designated financial entity, the obligations of each financial entity participating in the pooled TLPT process remain unaffected during the pooled test. The same principle is valid for joint TLPTs.
Recital 15
As evidenced by the experience of the implementations of the TIBER-EU framework, holding in-person or virtual meetings including all relevant stakeholders (financial entities, authorities, testers and threat intelligence providers) is the most efficient way to ensure the appropriate conduct of the test. Therefore, in-person and virtual meetings are strongly encouraged and should be held at various steps of the process, and in particular: during the preparation phase, at the launch of the TLPT and to finalise its scope; during the testing phase, to finalise the threat intelligence report and the red team test plan and for the weekly updates; and during the closure phase, for the purposes of replaying the actions of the testers and of the blue team, purple teaming and exchanging feedback on the TLPT.
Recital 16
In order to ensure the smooth performance of the TLPT, the TLPT authority should clearly present its expectations with respect to the test to the financial entity. In that respect, the test managers should ensure that an appropriate flow of information is established with the control team within the financial entity, with the testers and with the threat intelligence providers.
Recital 17
The financial entity should select the critical or important functions that will be in scope of the TLPT based on various criteria relating to the importance of the function for the financial entity itself and for the financial sector, at national and at Union level, not only in economic terms but also considering, for instance, the symbolic or political status of the function.
If the testers and the threat intelligence provider are not involved during the scoping process, the control team should provide them with detailed information on the agreed scope, to facilitate a smooth transition to the threat intelligence gathering phase.
Recital 18
The threat intelligence provider should collect intelligence or information that covers at least two key areas of interest: the targets, by identifying potential attack surfaces across the financial entity, and the threats, by identifying relevant threat actors and probable threat scenarios, in order to provide the testers with the information needed to simulate a real-life and realistic attack on the financial entity’s live systems underpinning its critical or important functions.
In order to ensure that the threat intelligence provider considers the threats relevant for the financial entity, the threat intelligence provider should exchange on the draft threat intelligence report and on the draft red team test plan with the testers, the control team and the test managers.
The threat intelligence provider may take into account a generic threat landscape provided by the TLPT authority for the financial sector of a Member State, if applicable, as a baseline for the national threat landscape. Based on the application of the TIBER-EU framework, the threat intelligence gathering process typically lasts approximately four weeks.
Recital 19
It is essential that, prior to the red team testing phase of the TLPT, the testers receive detailed explanations on the targeted threat intelligence report and on the analysis of possible threat scenarios from the threat intelligence provider, to allow the testers to gain insight and to further review the scope specification document and the targeted threat intelligence report in order to finalise the red team test plan.
Recital 20
It is important that sufficient time be allocated to the active red team testing phase to allow testers to conduct a realistic and comprehensive test in which all attack phases are executed and flags are reached. On the basis of the experience gathered with the TIBER-EU framework, the time allocated should be at least twelve weeks and be determined taking into account the number of parties involved, the TLPT scope, the resources of the involved financial entity or entities, any external requirements and the availability of supporting information supplied by the financial entity.
Recital 21
During the active red team testing phase, the testers should deploy a range of tactics, techniques and procedures (TTPs) to adequately test the live production systems of the financial entity. The TTPs should include, as appropriate, reconnaissance (i.e. collecting as much information as possible on a target), weaponization (i.e. analysing information on the infrastructure, facilities and employees and preparing for the operations specific to the target), delivery (i.e. the active launch of the full operation on the target), exploitation (i.e. where the testers’ goal is to compromise the servers and networks of the financial entity and to exploit its staff through social engineering), control and movement (i.e. attempts to move from the compromised systems to further vulnerable or high-value ones) and actions on target (i.e. gaining further access to compromised systems and acquiring access to the target information and data, as previously agreed in the red team test plan).
Recital 22
While carrying out a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, testers should act considering the time available to perform the attack, resources and ethical and legal boundaries. Should the testers be unable to progress to the programmed next stage of the attack, occasional assistance should be provided by the control team means the team composed of staff of the tested financial entity and, where relevant in consideration of the scope of the TLPT, staff of its third-party service providers and any other party, who manages the test., upon agreement of the TLPT authority means: the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554, or the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554, or the competent authority in accordance with Article 46 of Regulation (EU) 2022/2554;, in the form of ‘leg-ups means the assistance or information provided by the control team to the testers to allow the testers to continue the execution of an attack path where they are not able to advance on their own, and where no other reasonable alternative exists, including for insufficient time or resources in a given TLPT;’. 
Leg-ups can broadly be categorized into information leg-ups and access leg-ups, and may for instance consist of the provision of access to an ICT system or to internal networks so that the test can continue and focus on the subsequent attack steps.
Recital 23
During the active red teaming in the testing phase, purple teaming activities should be used as a last resort, in exceptional circumstances and once all alternative options have been exhausted. In the context of this limited purple teaming exercise, the following methods can be used: “catch-and-release”, where testers attempt to continue the scenarios, get detected and then resume the testing again; “war gaming”, which allows for more complex scenarios to test strategic decision making; or “collaborative proof-of-concept”, which allows testers and blue team members to jointly validate specific security measures, tools or techniques in a controlled and cooperative environment.
Recital 24
The TLPT should be used as a learning experience to enhance the digital operational resilience of financial entities. In that respect, the blue team, in collaboration with the testers, should replay the attack and review the steps taken in order to learn from the testing experience.
For this purpose, and to allow for adequate preparation, the red team test report and the blue team test report should be made available to all parties involved in the replay activities before any replay activity is conducted. Additionally, a purple teaming exercise should be carried out in the closure phase to maximize the learning experience. Methods that may be used for purple teaming in the closure phase include discussion of alternative attack scenarios, exploration on live systems of alternative scenarios, or the re-exploration on live systems of planned scenarios that the testers had been unable to complete or execute during the testing phase.
Recital 25
To further facilitate the learning experience of all parties involved in the TLPT, for the benefit of future tests and to further the digital operational resilience of financial entities, the parties concerned should provide feedback to each other on the overall process, in particular identifying which activities progressed well or could have been improved, and which aspects of the TLPT process worked well or could be improved.
Recital 26
Competent authorities referred to in Article 46 of Regulation (EU) 2022/2554 and TLPT authorities, where different, should work together to incorporate advanced testing by means of TLPT into the existing supervisory processes. In that respect it is appropriate that, especially for the test summary report and the remediation plans, close cooperation is established between the test managers who were involved in the TLPT and the responsible supervisors, in order to share a correct understanding of the TLPT findings and of how they should be interpreted.
Recital 27
Financial entities should ensure that, as required by Article 26(8), first subparagraph, of Regulation (EU) 2022/2554, every three tests they contract external testers. Where financial entities include both internal and external testers in the team of testers, this should be considered a TLPT performed with internal testers for the purposes of Article 26(8), first subparagraph, of Regulation (EU) 2022/2554.
Recital 28
This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority (the European Supervisory Authorities), in agreement with the European Central Bank.
Recital 29
The European Supervisory Authorities have conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (12), the Insurance and Reinsurance Stakeholder Group and the Occupational Pensions Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (13) and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (14),
(12) Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12).
(13) Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48).
(14) Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).