Article 13Note: This article is based on the final draft from the ESAs and is not yet adopted. Use of internal testers

Financial entitiesas defined in Article 2, points (a) to (t) shall establish all of the following arrangements for the use of internal testers:

1. the definition and implementation of a policy for the management of internal testers in a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. Such policy shall:

   Copy reference link

   Copy paragraph

   1. include criteria to assess suitability, competence, potential conflicts of interest of the internal testers and define management responsibilities in the testing process. The policy shall be documented and periodically reviewed;

      Copy reference link

      Copy paragraph

   2. provide that the internal testing team includes a test lead, and at least two additional members. The policy shall require that all members of the test team have been employed by the financial entity or by an ICT intra-group service providermeans an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; for the preceding 12 months;

      Copy reference link

      Copy paragraph

   3. include provisions on training on how to perform penetration testing and red team testing of the internal testers.

      Copy reference link

      Copy paragraph

2. measures to ensure that the use of internal testers to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems will not negatively impact the financial entity’s general defensive or resilience capabilities regarding ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; or significantly impact the availability of resources devoted to ICT-related tasks during a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems;

   Copy reference link

   Copy paragraph

3. measures to ensure that internal testers have sufficient resources and capabilities available to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems in accordance with this Regulation;

   Copy reference link

   Copy paragraph

4. when a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority approves the use of internal testers according to Article 27(2)(a) of Regulation (EU) 2022/2554, the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority shall consider the requirements laid down in Article 5(2) of this Regulation.

   Copy reference link

   Copy paragraph

When using internal testers, the financial entity shall ensure that such use is mentioned in the following documents:

1. the test initiation documents referred to in Article 8;

   Copy reference link

   Copy paragraph

2. the red team test report referred to in Article 11(2);

   Copy reference link

   Copy paragraph

3. the report summarizing the relevant findings of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems referred to in Article 26(6) of Regulation (EU) 2022/2554.

   Copy reference link

   Copy paragraph

For the purposes of this Regulation, testers employed by an ICT intra-group service providermeans an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; shall be considered as internal testers of the financial entity.