2025-06-13
The European Commission issues Delegated Regulation (EU) 2025/1190 to establish detailed regulatory technical standards for implementing Threat-Led Penetration Testing (TLPT) under the Digital Operational Resilience Act. The regulation defines the criteria for determining which financial entities must undergo TLPT, mandates the use of the TIBER-EU framework, and sets strict requirements for the roles, skills, and confidentiality of testing teams. It further standardizes the testing methodology, scope selection, and supervisory cooperation to ensure mutual recognition and enhanced digital operational resilience across the EU financial sector.
COMMISSION DELEGATED REGULATION (EU) 2025/1190 of 13 February 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council as regards regulatory technical standards determining the criteria for identifying which financial entities are required to conduct threat-led penetration testing, requirements and standards applicable to the engagement of internal testers, requirements relating to the scope and methodology of testing and approach to each individual phase of testing, results, completion of testing and phases of testing relating to the remediation of weaknesses, and the type of supervisory cooperation and other relevant forms of cooperation required for the implementation of TLPT and to facilitate its mutual recognition (Text with EEA relevance)
THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (1), and in particular Article 26(11), fourth subparagraph, thereof,
Whereas:
(1) This Regulation is drafted in accordance with the TIBER-EU framework and contains the methodology, procedure and structure of threat-led penetration testing (TLPT) as described in that framework. Financial entities required to conduct TLPT may apply and refer to the TIBER-EU framework or one of its forms of implementation at national level, provided that that framework or implementation complies with the requirements laid down in Articles 26 and 27 of Regulation (EU) 2022/2554 and this Regulation. The appointment of a single public authority body in the financial sector responsible for TLPT-related matters at national level in accordance with Article 26(9) of Regulation (EU) 2022/2554 should not call into question the competence of supervisory authorities over certain financial entities at Union level in accordance with Article 46 of that Regulation, such as the competence of the European Central Bank over significant credit institutions, which should be considered competent for TLPT-related matters in respect of those institutions. If only some tasks related to TLPTs are delegated to another national body in the financial sector in accordance with Article 26(10) of Regulation (EU) 2022/2554, the body competent over the financial entity referred to in Article 46 of that Regulation should remain the body competent for TLPT-related tasks that have not been delegated.
(2) Given the complexity of TLPT and the risks associated with it, its application should be limited to those financial entities for which it is justified. Therefore, bodies responsible for TLPT matters (TLPT bodies at Union or national level) should exclude from the scope of TLPT those financial entities operating in sub-sectors of key financial services for which TLPT is not justified. This means that credit institutions, payment institutions and electronic money institutions, central securities depositories, central counterparties, trading venues, insurance undertakings and reinsurance undertakings, although they meet the quantitative criteria, could be exempted from the obligation to conduct TLPT on the basis of a general assessment of their ICT risk profile and maturity level, impact on the financial sector and related financial stability issues.
(3) TLPT bodies should assess, based on a general assessment of the ICT risk profile and maturity level, impact on the financial sector and related financial stability issues, whether any type of financial entity other than credit institutions, payment institutions, electronic money institutions, central counterparties, central securities depositories, trading venues, insurance undertakings and reinsurance undertakings should be required to conduct TLPT. The assessment of whether such financial entities meet the aforementioned qualitative criteria should serve to determine for which financial entities TLPT is appropriate by using cross-sectoral and objective indicators. At the same time, based on the assessment of whether a financial entity meets the relevant qualitative criteria, the obligation to conduct TLPT should be limited to entities for which such testing is justified. Whether a financial entity meets the aforementioned qualitative criteria should also be assessed with regard to the development of new markets and the increasing importance of new market participants for the financial sector in the future, including crypto-asset service providers authorised in accordance with Article 59 of Regulation (EU) 2023/1114 of the European Parliament and of the Council (2).
(4) Financial entities may have the same ICT service provider within a group or may belong to the same group and rely on the use of shared ICT systems. In that case, it is important that TLPT bodies, when assessing whether a financial entity should be required to conduct TLPT and whether TLPT should be conducted at entity level or group level (within a joint TLPT), take into account the structure and systemic nature or significance of that financial entity for the financial sector at national or Union level.
(5) To mirror the TIBER-EU framework, the testing methodology should provide for the participation of the following main stakeholders: the financial entity, with a control team (corresponding to the 'control team' in the TIBER-EU framework) and a blue team (corresponding to the 'blue team' in the TIBER-EU framework), and the TLPT body, in the form of a TLPT cyber team (corresponding to 'TIBER cyber teams' in the TIBER-EU framework), a threat intelligence provider and testers (corresponding to the 'red team provider' in the TIBER-EU framework).
(6) To leverage the experience gained from the implementation of the TIBER-EU framework and to reduce the risks associated with the implementation of TLPT, it should be ensured that the responsibilities of the TLPT cyber teams to be established at the level of the TLPT body align as closely as possible with the responsibilities of the cyber teams in the TIBER-EU framework. Therefore, TLPT cyber teams should have test leaders who are responsible for overseeing individual TLPTs and for planning and coordinating individual tests. TLPT cyber teams should function as a single point of contact for communication with internal and external stakeholders regarding testing, collection and processing of feedback and experience gained from previous tests, and support for financial entities undergoing TLPT.
(7) To apply the methodology from the TIBER-EU framework, test leaders should have the skills and capabilities necessary to provide advice and respond to proposals from testers. Experience gained from the implementation of the TIBER-EU framework has shown that it is useful to have a team of at least two test leaders for each test. To ensure that TLPT is used for gaining experience and to protect the confidentiality of tests, TLPT bodies are recommended to consider, provided they do not have resource or expertise issues, that test leaders should not conduct supervisory activities over the financial entity undergoing TLPT during the duration of the TLPT.
(8) For consistency with the TIBER-EU framework, it is important that the TLPT body closely monitors each phase of testing. Given the nature of the testing and the associated risks, it is essential that the TLPT body participates in each phase of testing. In particular, the TLPT body should be available for consultation and should confirm those assessments or decisions by financial entities that affect both the effectiveness of the testing and the risks associated with it. The main steps of testing requiring specific participation of the TLPT body are the confirmation of specific fundamental testing documentation, the selection of the threat intelligence provider and the testers, and the adoption of risk management measures. The participation of the TLPT body, particularly in confirming documentation, should not overburden those bodies and should therefore be limited to documentation and decisions that directly affect the implementation of TLPT. By actively participating in each phase of testing, TLPT bodies can effectively assess the compliance of financial entities with relevant requirements, which should enable those bodies to issue attestations in accordance with Article 26(7) of Regulation (EU) 2022/2554.
(9) The confidentiality of TLPT is of utmost importance to ensure that testing conditions are realistic. Therefore, testing should be covert and precautions should be taken to ensure TLPT confidentiality, including the selection of codenames designed to prevent third parties from recognising the TLPT. If staff members responsible for the security of the financial entity were aware of the planned or ongoing TLPT, they would likely be more careful and cautious than under normal working conditions, which would affect the outcome of the testing. Staff members of the financial entity outside the control team should therefore be informed of planned or ongoing TLPTs only if there are compelling reasons and with the prior consent of the test leader, among other things to preserve the confidentiality of the testing in the event that a blue team member discovers that testing is being conducted.
(10) As seen from experience gained regarding the 'control team' in the implementation of the TIBER-EU framework, the selection of a suitable control team leader is essential for the secure implementation of TLPT. The control team leader should have the necessary authority within the financial entity to direct all aspects of testing without compromising its confidentiality. For the same reason, control team members should have a good understanding of the financial entity and the role and strategic position of the control team leader, and have the necessary seniority and access to the management board. To reduce the risk of compromising the TLPT, the control team should be as small as possible.
(11) TLPT is associated with certain inherent risk elements because key functions are tested in a production environment, meaning there is a possibility of causing service outages, unexpected system failures, damage to key production systems, or loss, alteration or disclosure of data. Due to these risks, strong risk management measures are necessary. To ensure that TLPT is conducted in a controlled manner throughout the testing, it is very important that financial entities are aware at all times of the specific risks arising within the TLPT and that those risks are mitigated. For this purpose, without prejudice to the internal processes of the financial entity and the responsibilities and delegated powers already assigned to the control team leader, information on risk management measures arising from TLPT or, in special cases, approval of those risk management measures by the management body of the financial entity could be appropriate. To be able to provide effective and professional expert services and to reduce those risks, it is also necessary for testers and threat intelligence providers (together 'TLPT service providers') to possess the highest level of skills, expertise and appropriate experience in the field of threat intelligence and TLPT in the financial services industry.
(12) Conventional penetration testing allows for a detailed and useful assessment of technical and configuration vulnerabilities, often of a single system or environment, but, unlike intelligence-led red team testing, it does not assess the full scenario of a targeted attack on the entire entity and all its staff, processes and technologies. Financial entities should therefore ensure, in the process of selecting TLPT service providers, that those providers have the necessary skills to conduct intelligence-led red team testing, and not just penetration testing. It is therefore necessary to establish comprehensive criteria for internal and external testers and for threat intelligence providers, which are always external. If the testers and the threat intelligence provider belong to the same company, the staff entrusted with each role in the TLPT should be appropriately separated.
(13) In exceptional circumstances, financial entities may not be able to engage TLPT service providers that meet the comprehensive criteria. Therefore, financial entities, after demonstrating the unavailability of such threat intelligence providers, should be allowed to engage persons who do not meet all comprehensive criteria, provided that they appropriately mitigate all associated additional risks and that the TLPT body assesses all those criteria.
(14) If several financial entities and several TLPT bodies participate in a TLPT, the roles of all parties in the TLPT procedure should be defined to make the testing as efficient and secure as possible. For joint testing, specific requirements should be established to determine the role of the designated financial entity, namely to determine that it should be responsible for submitting all necessary documentation to the lead TLPT body and for monitoring the testing procedure. The designated financial entity should also be responsible for joint aspects of risk management assessment. Regardless of the role of the designated financial entity, the obligations of each financial entity participating in a joint TLPT procedure should remain unchanged during the implementation of the joint test. The same principle should apply to joint TLPTs.
(15) As seen from experience gained from the implementation of the TIBER-EU framework, holding meetings in person or virtually with all involved stakeholders (financial entities, competent authorities, testers and threat intelligence providers) is the most effective way to ensure proper implementation of testing. Therefore, in-person and virtual meetings should be held at different stages of the procedure: in the preparatory phase before launching TLPT to determine its scope; in the testing phase to complete the threat intelligence report and the red team testing plan, and for weekly status updates; and in the final phase to replay the tests together with the blue team, conduct joint purple team activities within the framework and exchange feedback on the TLPT.
(16) To ensure the smooth implementation of TLPT, the TLPT body should clearly set out its expectations regarding testing to the financial entity. In this regard, test leaders should ensure the establishment of appropriate information flow with the control team within the financial entity and with TLPT service providers.
(17) The financial entity should select key or important functions to be covered by TLPT. The selection of those functions should be based on various criteria relating to the importance of each function for the financial entity and the financial sector, at Union and national level, not only in economic terms, but also taking into account the symbolic or political status of the function. To facilitate a smooth transition to the threat intelligence gathering phase, the control team should provide detailed information on the agreed scope to testers and threat intelligence providers not involved in the testing scope determination procedure.
(18) To provide testers with the information necessary to simulate a real and realistic attack on the production systems of the financial entity on which its key or important functions are based, the threat intelligence provider should collect intelligence or information on at least two key areas of interest: targets by identifying potential attack surfaces across the entire financial entity, and threats by identifying relevant threat actors and likely threat scenarios. To ensure that the threat intelligence provider considers threats relevant to the financial entity, testers, the control team and test leaders should provide feedback on the draft threat intelligence report. If available, the threat intelligence provider may use the description of general threats to the financial sector of the Member State provided by the TLPT body as a basis for determining the state of threat intelligence at national level. Based on the application of the TIBER-EU framework, the threat intelligence gathering procedure usually takes approximately four weeks.
(19) To enable testers to review and further examine the testing scope determination document and the special threat intelligence report to complete the red team testing plan, it is essential that before the testing phase of TLPT for which the red team is responsible, testers receive detailed explanations from the threat intelligence provider about the special threat intelligence report and the analysis of possible threat scenarios.
(20) To enable testers to conduct realistic and comprehensive testing in which all attack phases are executed and milestones are achieved, sufficient time should be allocated for the active phase of red team testing. Based on experience gained from the implementation of the TIBER-EU framework, the allocated period should last at least 12 weeks and should be determined with regard to the number of parties involved, the scope of TLPT, the resources of the financial entity or entities involved, all external requirements and the availability of supporting information provided by the financial entity.
(21) During the active phase of red team testing, testers should apply a range of tactics, techniques and procedures to appropriately test the production systems of the financial entity. Tactics, techniques and procedures should, as appropriate, include reconnaissance (i.e. gathering as much information as possible about the target), weaponisation (i.e. analysis of information on infrastructure, facilities and employees and preparation for target-specific operations), delivery (i.e. actively launching a full operation directed at the target), exploitation (i.e. actions where the aim of the testers is to compromise the servers and networks of the financial entity and to exploit its staff with the help of social engineering), control and movement (i.e. attempts to move from compromised systems to other vulnerable or high-value systems) and actions on objectives (i.e. gaining further access to compromised systems and gaining access to target information and data as previously agreed in the red team testing plan).
(22) During TLPT, testers should act taking into account the time available for executing attacks, resources and ethical and legal limitations. If testers cannot advance to the planned next phase of the attack, the control team should, with the consent of the TLPT body, provide occasional assistance. Such assistance can generally be in the form of information and facilitated access and may consist of providing access to ICT systems or internal networks so that testers can continue testing and focus on the next steps of the attack.
(23) If necessary to enable the continuation of TLPT, and as a last resort in exceptional circumstances after all other options have been exhausted, a joint testing activity involving cooperation between testers and the blue team should be conducted during the active phase of red team testing. In the context of such a limited joint purple team activity, the following methods may be applied: 'catch and release', where testers attempt to continue conducting scenarios until they are detected and then continue testing; 'war gaming', which allows for more complex scenarios for testing strategic decision-making; or 'joint concept check', which allows testers and blue team members to jointly confirm specific security measures, tools or techniques in a controlled and collaborative environment.
(24) TLPT should be used to gain experience to improve the digital operational resilience of financial entities. In this regard, the blue team and testers should repeat the attack and review the steps taken so that blue team members gain new knowledge from testing experience in cooperation with testers. For this purpose and to enable appropriate preparation, red and blue team testing reports should be made available to all parties involved in test repetition activities before their re-execution. Furthermore, joint purple team activities should be conducted in the final phase to maximise the experience gained. Methods that can be applied for joint purple team activities in the final phase should include discussions on alternative attack scenarios, research on alternative scenarios on production systems or re-research of planned scenarios on production systems that testers could not complete or execute during the testing phase.
(25) So that all parties involved in TLPT gain additional experience that can be used in future tests, and to improve the digital operational resilience of financial entities, the involved parties should provide each other with feedback on the entire process, specifically highlighting which activities and which aspects of the TLPT process functioned well and which can be improved.
(26) Competent authorities referred to in Article 46 of Regulation (EU) 2022/2554 and TLPT bodies, if different, should cooperate to integrate advanced TLPT testing into existing supervisory procedures. In this regard and to ensure a proper understanding of TLPT findings and how they should be interpreted, it is appropriate to establish close cooperation between test leaders who participated in the TLPT and the competent supervisory authorities, particularly regarding the summary testing report and remediation plans.
(27) Under Article 26(8), first subparagraph, of Regulation (EU) 2022/2554, financial entities are obliged to engage external testers for every third test. Where financial entities use a mix of internal and external testers for a test, that test should be considered as TLPT conducted by internal testers for the purposes of that Article.
(28) This Regulation is based on a draft of regulatory technical standards submitted to the Commission by the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority (the European Supervisory Authorities (ESAs)),
HAS ADOPTED THIS REGULATION:
Article 1 Subject matter and scope
1. This Regulation lays down regulatory technical standards determining the criteria for identifying which financial entities are required to conduct threat-led penetration testing (TLPT), requirements and standards applicable to the engagement of internal testers, requirements relating to the scope and methodology of testing and approach to each individual phase of testing, results, completion of testing and phases of testing relating to the remediation of weaknesses, and the type of supervisory cooperation and other relevant forms of cooperation required for the implementation of TLPT and to facilitate its mutual recognition.
2. This Regulation applies to financial entities referred to in Article 2(1) of Regulation (EU) 2022/2554.
Article 2 Definitions
For the purposes of this Regulation, the following definitions apply:
(1) 'TLPT' means threat-led penetration testing;
(2) 'TIBER-EU framework' means the framework for threat-led penetration testing established by the European Supervisory Authorities;
(3) 'TLPT body' means the body responsible for TLPT matters at Union or national level;
(4) 'control team' means the team within the financial entity responsible for coordinating the TLPT and acting as the single point of contact for the TLPT cyber team and testers;
(5) 'blue team' means the team within the financial entity responsible for defending the systems and detecting and responding to attacks during TLPT;
(6) 'red team' means the team of testers conducting the attack simulation;
(7) 'purple team' means the joint activity of the blue team and red team to share knowledge and improve defensive capabilities;
(8) 'test leader' means the person responsible for overseeing the TLPT on behalf of the TLPT cyber team;
(9) 'threat intelligence provider' means the external entity providing threat intelligence to the testers;
(10) 'ICT service provider' means an entity providing ICT services to the financial entity;
(11) 'joint TLPT' means TLPT conducted by a group of financial entities;
(12) 'group TLPT' means TLPT conducted at the level of the financial group.
Article 3 Criteria for determining financial entities required to conduct TLPT
1. TLPT bodies shall assess whether financial entities meet the criteria set out in paragraphs 2 to 5.
2. Financial entities shall meet the quantitative criteria set out in Article 26(2) of Regulation (EU) 2022/2554.
3. TLPT bodies shall assess the qualitative criteria set out in paragraph 4, taking into account the ICT risk profile, maturity level, impact on the financial sector and related financial stability issues.
4. The qualitative criteria referred to in paragraph 3 are:
(a) the systemic importance of the financial entity;
(b) the complexity of the ICT infrastructure;
(c) the level of digitalisation of the business model;
(d) the exposure to cyber threats;
(e) the maturity of the ICT risk management framework.
Article 4 Engagement of internal testers
1. Financial entities may engage internal testers to conduct TLPT, provided that the internal testers meet the criteria set out in Article 5.
2. Internal testers shall be independent from the functions tested and shall not have participated in the design, development or operation of the systems tested in the last three years.
3. Financial entities shall ensure that internal testers have access to all necessary information and systems to conduct TLPT.
Article 5 Criteria for testers and threat intelligence providers
1. Testers and threat intelligence providers shall meet the following criteria:
(a) they possess the necessary skills, expertise and experience in threat intelligence and TLPT;
(b) they have a robust risk management framework;
(c) they have appropriate insurance coverage;
(d) they have a clear code of conduct and ethical guidelines;
(e) they have a secure infrastructure for handling sensitive information.
2. Testers and threat intelligence providers shall undergo regular training and assessment to ensure that they maintain the necessary skills and expertise.
3. Financial entities shall verify that testers and threat intelligence providers meet the criteria set out in paragraph 1 before engaging them.
Article 6 Scope of TLPT
1. Financial entities shall determine the scope of TLPT, including the key or important functions to be tested.
2. The scope of TLPT shall be based on the criteria set out in Article 3(4).
3. Financial entities shall provide the control team with detailed information on the agreed scope.
Article 7 Methodology of TLPT
1. TLPT shall be conducted in accordance with the TIBER-EU framework.
2. TLPT shall include the following phases:
(a) preparation;
(b) threat intelligence gathering;
(c) red team planning;
(d) red team execution;
(e) blue team response;
(f) purple team activities;
(g) reporting and remediation.
Article 8 Confidentiality of TLPT
1. TLPT shall be conducted in a confidential manner.
2. Financial entities shall take appropriate measures to ensure the confidentiality of TLPT, including the selection of codenames.
3. Staff members of the financial entity outside the control team shall be informed of TLPT only if there are compelling reasons and with the prior consent of the test leader.
Article 9 Supervisory cooperation
1. Competent authorities and TLPT bodies shall cooperate to integrate TLPT into existing supervisory procedures.
2. Test leaders and competent supervisory authorities shall establish close cooperation regarding the summary testing report and remediation plans.
Article 10 Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 13 February 2025.
For the Commission
The President
Ursula VON DER LEYEN