Harmonised TLPT requirements for cross-border financial entities


Financial entities (as defined in Article 2, points (a) to (t)) involved in cross-border activities and exercising the freedoms of establishment, or of provision of services within the Union, should comply with a single set of advanced testing requirements (i.e. TLPT) in their home Member State, which should include the ICT infrastructures in all jurisdictions where the cross-border financial group operates within the Union, thus allowing such cross-border financial groups to incur related ICT testing costs in one jurisdiction only.

TLPT (threat-led penetration testing) means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU.