Threat-led penetration testing

Preamble (Recitals 1 – 29)

Recitals

Chapter I (Article 1)

General provisions

Article 1

Definitions

Chapter II (Article 2)

Criteria to identify financial entities required to perform TLPT

Article 2

Identification of financial entities required to perform TLPT

Chapter III (Articles 3 – 12)

Requirements regarding test scope, testing methodology and results of TLPT

Section I

Testing methodology

Article 3

TCT and TLPT Test Managers

Article 4

Organisational arrangements for financial entities

Article 5

Risk management for TLPT

Article 6

Risk management for pooled and joint TLPTs

Section II

Testing process

Article 7

Specificities for pooled and joint TLPTs

Article 8

Preparation phase

Article 9

Testing phase: Threat intelligence

Article 10

Testing phase: Red Team Test

Article 11

Closure phase

Article 12

Remediation plan

Chapter IV (Article 13)

Requirements and standards governing the use of internal testers

Article 13

Use of internal testers

Chapter V (Articles 14 – 15)

Cooperation and mutual recognition and final provisions

Article 14

Cooperation

Article 15

Entry into force and application

Recital 5

Where financial entitiesas defined in Article 2, points (a) to (t) have the same ICT intra-group service providermeans an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; or where they belong to the same groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; and rely on common ICT systems, it is important that TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authorities consider the structure and its systemic character or importance for the financial sector at national or Union level in the assessment of whether a financial entity should be subject to TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems and of whether the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems should be conducted at entity level or at groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; level (through a joint TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems).
Table of contents