Threat-led penetration testing

Preamble (Recitals 1 – 29)

Recitals

Chapter I (Article 1)

General provisions

Article 1

Definitions

Chapter II (Article 2)

Criteria to identify financial entities required to perform TLPT

Article 2

Identification of financial entities required to perform TLPT

Chapter III (Articles 3 – 12)

Requirements regarding test scope, testing methodology and results of TLPT

Section I

Testing methodology

Article 3

TCT and TLPT Test Managers

Article 4

Organisational arrangements for financial entities

Article 5

Risk management for TLPT

Article 6

Risk management for pooled and joint TLPTs

Section II

Testing process

Article 7

Specificities for pooled and joint TLPTs

Article 8

Preparation phase

Article 9

Testing phase: Threat intelligence

Article 10

Testing phase: Red Team Test

Article 11

Closure phase

Article 12

Remediation plan

Chapter IV (Article 13)

Requirements and standards governing the use of internal testers

Article 13

Use of internal testers

Chapter V (Articles 14 – 15)

Cooperation and mutual recognition and final provisions

Article 14

Cooperation

Article 15

Entry into force and application

Article 2Note: This article is based on the final draft from the ESAs and is not yet adopted. Identification of financial entities required to perform TLPT

  1. TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authorities shall require all of the following financial entitiesas defined in Article 2, points (a) to (t) to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems:

    1. Credit institutionsmeans a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (32); identified as global systemically important institutions (G-SIIs) in accordance with Article 131 of Directive 2013/36/EU of the European Parliament and of the Council (15)Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338). or as other systemically important institutions (O-SIIs) or that are part of a G-SIIs or O-SIIs.

    2. Payment institutionsmeans a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;, exceeding in each of the previous two financial years EUR 150 billion of total value of payment transactions as defined in point (5) of Article 4 of Directive (EU) 2015/2366 of the European Parliament and of the Council (16)Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35)..

    3. Electronic money institutionsmeans an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council;, exceeding in each of the previous two financial years EUR 150 billion of total value of payment transactions as defined in point (5) of Article 4 of Directive (EU) 2015/2366 or EUR 40 billion of total value of the amount of outstanding electronic money.

    4. Central securities depositoriesmeans a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014;;

    5. Central counterpartiesmeans a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;;

    6. Trading venuesmeans a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU; with an electronic trading system that meet at least one of the following criteria:

      1. the trading venuemeans a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU; with the highest market share in terms of turnover at national level in each of the preceding two financial years in one or more of the following:

        1. transferable securities as defined in point (44)(a) of Article 4(1) of Directive 2014/65/EU of the European Parliament and of the Council (17)Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (recast) (OJ L 173 12.6.2014, p. 349).;

        2. transferable securities as defined in point (44)(b) of Article 4(1) of Directive 2014/65/EU;

        3. derivatives as defined in Article 2(1)(29) of Regulation (EU) No 600/2014 of the European Parliament and of the Council (18)Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173 12.6.2014, p. 84).;

        4. structured finance products as defined in Article 2(1)(28) of Regulation (EU) No 600/2014;

        5. emission allowances as defined in point (11) of Section C of Annex I to Directive 2014/65/EU;,

      2. the trading venuemeans a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU; whose market share in terms of turnover at Union level exceeds 5% in each of the preceding two financial years in one or more of the following:

        1. transferable securities as defined in point (44)(a) of Article 4(1) of Directive 2014/65/EU (19)Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (recast) (OJ L 173 12.6.2014, p. 349).,

        2. transferable securities as defined in point (44)(b) of Article 4(1) of directive Directive 2014/65/EU,

        3. derivatives as defined in Article 2(1)(29) of Regulation (EU) No 600/2014,

        4. structured finance products as defined in Article 2(1)(28) of Regulation (EU) No 600/2014;

        5. emission allowances as defined in point (11) of Section C of Annex I to Directive 2014/65/EU;

      For the purposes of point (ii) of this point (f), where the trading venuemeans a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU; is part of a groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; using common ICT systems or the same ICT intra-group service providermeans an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control;, the turnover of the securities and derivatives contracts on all trading venuesmeans a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU; pertaining to the same groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; and established in the Union shall be considered.

    7. Insurance and reinsurance undertakingsmeans a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC; that meet all the following criteria:

      1. gross written premium (GWP) exceeding EUR 1 500 000 000;

      2. technical provisions exceeding EUR 10 000 000 000;

      3. in case of life insurance undertakingsmeans an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC;, as referred to in Article 13, point (1), of Directive 2009/138/EC of the European Parliament and of the Council (20)Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (recast) (OJ L 335, 17/12/2009, p. 1)., and of insurance undertakingsmeans an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC; pursuing both life and non-life activities, total assets exceeding 3.5% of the sum of the total assets valuated according to Article 75 of Directive 2009/138/EC of the insurance and reinsurance undertakingsmeans a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC; established in the Member State.

      TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authorities shall create a subset of all insurance and reinsurance undertakingsmeans a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC; by applying the criteria listed in the first subparagraph. Insurance and reinsurance undertakingsmeans a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC; included in this subset shall be required to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems where they also meet one or more of the following criteria:

      1. gross written premium (GWP) exceeding EUR 3 000 000 000;

      2. technical provisions exceeding EUR 30 000 000 000;

      3. total assets exceeding 10% of the sum of the total assets valuated according to Article 75 of Directive 2009/138/EC of the insurance and reinsurance undertakingsmeans a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC; established in the Member State.

  2. Financial entitiesas defined in Article 2, points (a) to (t) referred to in points (a) to (g) of paragraph 1 shall not be required to carry out TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems where the assessment of the criteria listed in paragraph 4 indicates that the impact of the financial entity, financial stability concerns relating to it or its ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; profile do not justify the performance of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.

  3. Where more than one financial entity belonging to the same groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; and using common ICT systems, or where more than one financial entity using the same ICT intra-group service providermeans an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; meet the criteria set out in points (a) to (g) of paragraph 1, the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authorities of these financial entitiesas defined in Article 2, points (a) to (t) shall decide if the requirement to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems on an individual basis is relevant for these financial entitiesas defined in Article 2, points (a) to (t), in accordance with Article 14(2). Where the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority of the parent undertakingmeans a parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU; of such groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; is different from the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority(ies) of the financial entitiesas defined in Article 2, points (a) to (t) referred to in the first subparagraph, it shall be consulted.

  4. TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authorities shall assess whether any financial entitiesas defined in Article 2, points (a) to (t) other than those referred to in paragraph 1 shall be required to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, taking into account their impact, systemic character and ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; profile, assessed on the basis of all of the following criteria:

    1. impact-related and systemic character related factors:

      1. the size of the financial entity, determined taking into account whether the financial entity provides financial services in the national or Union market and by comparing the activities of the financial entity to those of other financial entitiesas defined in Article 2, points (a) to (t) providing similar services. Where possible, the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority shall consider the market share position at national and EU level, the range of activities offered by the financial entity and the market share of the services provided or of the activities undertaken at national and at Union level;

      2. the extent and nature of the interconnectedness of the financial entity with other financial entitiesas defined in Article 2, points (a) to (t) in the financial sector at national and Union level;

      3. the criticality or importance of the services provided to the financial sector;

      4. the substitutability of the services provided by the financial entity;

      5. the complexity of the business model of the financial entity and the related services and processes. Where possible, the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority shall consider whether the financial entity operates more than one business models and the interconnectedness of different business processes and the related services;

      6. whether the financial entity is part of a groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; of systemic character at Union or national level in the financial sector and using common ICT systems;

    2. ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; related factors:

      1. the risk profile of the financial entity;

      2. the threat landscape of the financial entity;

      3. the degree of dependence of critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or their supporting functions of the financial entity on ICT systems and processes;

      4. the complexity of the ICT architecture of the financial entity;

      5. the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; and functions supported by ICT third-party service providersmeans an undertaking providing ICT services;, the quantity and type of contractual arrangements with ICT third-party service providersmeans an undertaking providing ICT services; or ICT intra-group service providersmeans an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control;;

      6. outcomes of any supervisory reviews relevant for the assessment of the ICT maturity of the financial entity;

      7. the maturity of ICT business continuity plans and ICT response and recovery plans;

      8. the maturity of the operational ICT security detection and mitigation measures including the ability to monitor the financial entity’s ICT infrastructure on a permanent basis, to detect ICT-related events in real time, to analyse events, to respond to them in a timely and effective manner;

      9. whether the financial entity is part of a groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; active in the financial sector at Union or national level and using common ICT systems.

Table of contents