curl -X GET 'https://glama.ai/api/mcp/v1/servers/Mortalus/eu-regulations'
dora-rts-tlpt.json (91.6 KiB)
{
"id": "DORA_RTS_TLPT",
"full_name": "Commission Delegated Regulation (EU) 2025/1190 - Threat-Led Penetration Testing (TLPT)",
"celex_id": "32025R1190",
"eur_lex_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32025R1190",
"articles": [
{
"number": "1",
"title": "Definitions",
"text": "For the purposes of this Regulation, the following definitions shall apply:\n\n(1)\n\n‘control team’ means the team composed of staff of the tested financial entity and, where relevant in consideration of the scope of the TLPT, staff of its third-party service providers and any other party, who manages the test;\n\n(2)\n\n‘control team lead’ means the staff member of the financial entity responsible for the conduct of all TLPT-related activities for the financial entity in the context of a given test;\n\n(3)\n\n‘blue team’ means the staff of the financial entity and, where relevant, staff of the financial entity’s third-party service providers and any other party deemed relevant in consideration of the scope of the TLPT, of the financial entity’s third-party service providers, that are defending a financial entity's use of network and information systems by maintaining its security posture against simulated or real attacks and that is not aware of the TLPT;\n\n(4)\n\n‘blue team tasks’ means tasks that are typically carried out by the blue team such as security operation centre (SOC), ICT infrastructure services, helpdesk services, incident management services at operational level;\n\n(5)\n\n‘red team’ means the testers, internal or external, contracted for, or assigned to, a TLPT;\n\n(6)\n\n‘purple teaming’ means a collaborative testing activity that involves both the testers and the blue team;\n\n(7)\n\n‘TLPT authority’ means any of the following:\n\n(a)\n\nthe single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;\n\n(b)\n\nthe authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;\n\n(c)\n\nany of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;\n\n(8)\n\n‘TLPT Cyber Team’ or ‘TCT’ means the staff within the TLPT authorities that is responsible for TLPT-related matters;\n\n(9)\n\n‘test managers’ means staff designated to lead the activities of the TLPT authority for a specific TLPT to monitor compliance with this Regulation;\n\n(10)\n\n‘threat intelligence provider’ means the experts, contracted by the financial entity for each TLPT, and external to the financial entity and to ICT intra-group service providers if any, who collect and analyse targeted threat intelligence relevant for the financial entities in scope of a specific TLPT exercise and develop matching relevant and realistic threat scenarios;\n\n(11)\n\n‘TLPT providers’ means testers and threat intelligence providers;\n\n(12)\n\n‘leg-up’ means the assistance or information provided by the control team to the testers to enable the testers to continue the execution of an attack path where they are not able to advance on their own, and where no other reasonable alternative exists, including for insufficient time or resources in a given TLPT;\n\n(13)\n\n‘attack path’ means the route followed by testers during the active red team testing phase of the TLPT to reach the flags specified for that TLPT;\n\n(14)\n\n‘flags’ are key objectives in the ICT systems supporting critical or important functions of a financial entity that the testers try to achieve through the test;\n\n(15)\n\n‘sensitive information’ means information that can readily be leveraged to carry out attacks against the ICT systems of the financial entity, intellectual property, confidential business data, or personal data, that can directly or indirectly harm the financial entity and its ecosystem would it fall in the hands of malicious actors;\n\n(16)\n\n‘pool’ means all the financial entities participating in a pooled TLPT pursuant to Article 26(4) of Regulation (EU) 2022/2554;\n\n(17)\n\n‘host Member State’ means the host Member State in accordance with the Union sectoral law applicable to each financial entity;\n\n(18)\n\n‘joint TLPT’ means a TLPT, other than a pooled TLPT as referred to in Article 26(4) of Regulation (EU) 2022/2554, involving several financial entities using the same ICT intra-group service provider, or belonging to the same group and sharing ICT systems."
},
{
"number": "2",
"title": "Identification of financial entities required to perform TLPT",
"text": "1. TLPT authorities shall assess whether any financial entity is required to perform TLPT, taking into account the impact of those financial entities, their systemic character and their ICT risk profile, on the basis of all of the following criteria:\n\n(a)\n\nimpact-related and systemic character related factors:\n\n(i)\n\nthe size of the financial entity, determined on the basis of whether the financial entity provides financial services in one or more Member States and by comparing the activities of the financial entity to those of other financial entities providing similar services;\n\n(ii)\n\nthe extent and nature of the interconnectedness of the financial entity with other financial entities in the financial sector in one or more Member States;\n\n(iii)\n\nthe criticality or importance of the services that the financial entity provides to the financial sector;\n\n(iv)\n\nthe substitutability of the services that the financial entity provides;\n\n(v)\n\nthe complexity of the business model of the financial entity and the related services and processes;\n\n(vi)\n\nwhether the financial entity is part of a group of systemic character at Union or national level in the financial sector and sharing ICT systems;\n\n(b)\n\nICT risk-related factors:\n\n(i)\n\nthe risk profile of the financial entity;\n\n(ii)\n\nthe threat landscape of the financial entity;\n\n(iii)\n\nthe degree of dependence of critical or important functions or their supporting functions of the financial entity on ICT systems and processes;\n\n(iv)\n\nthe complexity of the ICT architecture of the financial entity;\n\n(v)\n\nthe ICT services and functions supported by ICT third-party service providers, and the quantity and type of contractual arrangements with ICT third-party service providers or ICT intra-group service providers;\n\n(vi)\n\nthe outcomes of any supervisory reviews relevant for the assessment of the ICT maturity of the financial entity;\n\n(vii)\n\nthe maturity of ICT business continuity plans and ICT response and recovery plans;\n\n(viii)\n\nthe maturity of the operational ICT security detection and mitigation measures, including the ability to:\n\n(1)\n\nmonitor the financial entity’s ICT infrastructure on a permanent basis;\n\n(2)\n\ndetect ICT-related events in real time;\n\n(3)\n\nanalyse the events referred to in point (2);\n\n(4)\n\nrespond to the events referred to in point (2) in a timely and effective manner;\n\n(ix)\n\nwhether the financial entity is part of a group active in the financial sector at Union or national level that shares ICT systems.\n\nFor the purposes of point (a)(i), the TLPT authority shall, where possible, consider:\n\n(a)\n\nthe market share position of the financial entity at Union and national level;\n\n(b)\n\nthe range of activities offered by the financial entity;\n\n(c)\n\nthe market share of the services provided by the financial entity or of the activities undertaken at Union and national level.\n\nFor the purposes of point (a)(v), the TLPT authority shall, where possible, consider:\n\n(a)\n\nwhether the financial entity operates more than one business model;\n\n(b)\n\nthe interconnectedness of different business processes and the related services.\n\n2. TLPT authorities shall require all of the following financial entities to perform TLPT, unless the assessment referred to in paragraph 1 in respect of a financial entity indicates that its impact, the financial stability concerns relating to that financial entity, or its ICT risk profile, does not justify the performance of a TLPT:\n\n(a)\n\ncredit institutions that meet any of the following conditions:\n\n(i)\n\nthey have been identified as global systemically important institutions (G-SIIs) in accordance with Article 131 of Directive 2013/36/EU of the European Parliament and of the Council (7);\n\n(ii)\n\nthey have been identified as other systemically important institutions (O-SIIs) in accordance with Article 131 of Directive 2013/36/EU;\n\n(iii)\n\nthey are part of a G-SIIs or O-SIIs;\n\n(b)\n\npayment institutions that exceeded in each of the 2 calendar years preceding the assessment by the TLPT authority EUR 150 billion of total value of payment transactions as defined in Article 4, point (5), of Directive (EU) 2015/2366 of the European Parliament and of the Council (8);\n\n(c)\n\nelectronic money institutions that exceeded in each of the 2 calendar years preceding the assessment by the TLPT authority either EUR 150 billion of total value of payment transactions as defined in Article 4, point (5), of Directive (EU) 2015/2366 or EUR 40 billion of total value of the amount of outstanding electronic money;\n\n(d)\n\ncentral securities depositories;\n\n(e)\n\ncentral counterparties;\n\n(f)\n\ntrading venues with an electronic trading system that meet any of the following criteria:\n\n(i)\n\nthe trading venue has the highest market share in terms of turnover at national level in each of the 2 calendar years preceding the assessment by the TLPT authority in any of the following:\n\n(1)\n\ntransferable securities as defined in Article 4(1), point (44)(a), of Directive 2014/65/EU of the European Parliament and of the Council (9);\n\n(2)\n\ntransferable securities as defined in Article 4(1), point (44)(b), of Directive 2014/65/EU;\n\n(3)\n\nderivatives as defined in Article 2(1), point (29), of Regulation (EU) No 600/2014 of the European Parliament and of the Council (10);\n\n(4)\n\nstructured finance products as defined in Article 2(1), point (28), of Regulation (EU) No 600/2014;\n\n(5)\n\nemission allowances as referred to in Section C, point (11), of Annex I to Directive 2014/65/EU;\n\n(ii)\n\nthe trading venue has a market share in terms of turnover at Union level that exceeds 5 % in each of the 2 calendar years preceding the assessment by the TLPT authority in any of the following:\n\n(1)\n\nshares in companies and other securities equivalent to shares in companies, partnerships or other entities, and depositary receipts in respect of shares;\n\n(2)\n\nbonds or other forms of securitised debt, including depositary receipts in respect of such securities;\n\n(3)\n\nderivatives as defined in Article 2(1), point (29), of Regulation (EU) No 600/2014,\n\n(4)\n\nstructured finance products as defined in Article 2(1), point (28), of Regulation (EU) No 600/2014;\n\n(5)\n\nemission allowances as referred to in Section C, point (11), of Annex I to Directive 2014/65/EU;\n\n(g)\n\ninsurance and reinsurance undertakings that meet all the following criteria:\n\n(i)\n\nthey have a gross written premium (GWP) that exceeds EUR 1 500 000 000;\n\n(ii)\n\nthey have technical provisions that exceed EUR 10 000 000 000;\n\n(iii)\n\ninsurance undertakings that pursue only life activities or that pursue both life and non-life activities and that have total assets that exceed 3,5 % of the sum of the total assets valuated in accordance with Article 75 of Directive 2009/138/EC of the European Parliament and of the Council (11) of the insurance and reinsurance undertakings established in the Member State.\n\nFor the purposes of (f)(ii), where the trading venue is part of a group sharing ICT systems or the same ICT intra-group service provider, the turnover of the securities and derivatives contracts on all trading venues pertaining to the same group and established in the Union shall be considered.\n\nFor the purposes of point (g), TLPT authorities shall identify a subset of all insurance and reinsurance undertakings by applying the criteria laid down in points (g)(i), (ii), and (iii). Insurance and reinsurance undertakings included in that subset shall be required to perform TLPT where they also meet any of the following criteria:\n\n(a)\n\ngross written premium (GWP) that exceeds EUR 3 000 000 000;\n\n(b)\n\ntechnical provisions that exceed EUR 30 000 000 000;\n\n(c)\n\ntotal assets that exceed 10 % of the sum of the total assets valuated in accordance with Article 75 of Directive 2009/138/EC of the insurance and reinsurance undertakings established in the Member State.\n\n3. Where more than one financial entity belonging to the same group and sharing ICT systems, or where more than one financial entity using the same ICT intra-group service provider, meet the criteria set out in paragraph 2, the TLPT authorities of those financial entities shall, in accordance with Article 16(2), decide whether the requirement to perform TLPT on an individual basis is relevant for those financial entities.\n\nWhere the TLPT authority of the parent undertaking of a group of financial entities referred to in the first subparagraph is different from the TLPT authorities of the financial entities of the group, that authority shall be consulted by the TLPT authorities of the financial entities belonging to that group on whether it is appropriate to perform TLPT on an individual basis."
},
{
"number": "3",
"title": "TCT and TLPT Test Managers",
"text": "1. A TLPT authority shall assign the responsibility for coordinating TLPT-related activities to a TCT. A TCT shall be composed of test managers that are assigned to oversee an individual TLPT.\n\n2. For each test, the TLPT authority shall designate a test manager and at least one alternate.\n\n3. The test managers shall monitor whether, and ensure that, the requirements laid down in this Regulation are complied with.\n\n4. The test manager shall communicate the contact details of the TCT to the financial entity through the notification referred to in Article 9(1).\n\n5. The TLPT authority shall participate to all the phases of the TLPT."
},
{
"number": "4",
"title": "Organisational arrangements for financial entities",
"text": "1. Financial entities shall appoint a control team lead which shall be responsible for the day-to-day management of the TLPT and the decisions and actions of the control team.\n\n2. Financial entities shall establish organisational and procedural measures to ensure that:\n\n(a)\n\naccess to information pertaining to any planned or ongoing TLPT is limited on a need-to-know basis to the control team, the management body, the testers, the threat intelligence provider and the TLPT authority;\n\n(b)\n\nthe control team consults the test managers prior to involving any member of the blue team in a TLPT;\n\n(c)\n\nthe control team is informed of any detection of the TLPT by staff members of the financial entity or of its third-party service providers; in case of escalation of the resulting incident response, where needed, the control team contains such escalation;\n\n(d)\n\narrangements relating to the secrecy of the TLPT, applicable to staff of the financial entity, to the staff of the ICT third party service providers concerned, to testers and to the threat intelligence provider are in place;\n\n(e)\n\nthe control team provides any information pertaining to the TLPT to the test managers upon request;\n\n(f)\n\nwhere possible, parties involved in the TLPT refer to it by code name only."
},
{
"number": "5",
"title": "Risk management for TLPT",
"text": "1. During the preparation phase referred to in Article 9, the control team shall assess the risks associated with the testing of live production systems of critical or important functions of the financial entity, including potential impacts on:\n\n(a)\n\nthe financial sector;\n\n(b)\n\nthe financial stability at Union or national level.\n\nThe control team shall review those impacts throughout the testing.\n\n2. For the purposes of the risk assessment and management, the control team shall take into account at least the following types of risks related to:\n\n(a)\n\ngranting access to the threat intelligence provider and external testers, where applicable, to sensitive information on the financial entity;\n\n(b)\n\nlack of compliance of the TLPT with Regulation (EU) 2022/2554 and with this Regulation where such lack of compliance results in a lack of the attestation referred to in Article 26(7) of Regulation (EU) 2022/2554, including where such lack of compliance is due to breaches of confidentiality on the TLPT or to a lack of ethical conduct;\n\n(c)\n\ncrisis and incident escalation;\n\n(d)\n\nthe active red team phase, including risks related to the interruption of critical activities and the corruption of data due to the activities of the testers, and its potential impacts on third parties;\n\n(e)\n\nthe blue team activity, including risks related to the interruption of critical activities and the corruption of data due to the activities of the blue team, and its potential impacts on third parties;\n\n(f)\n\nthe incomplete restoration of systems affected by the TLPT."
},
{
"number": "6",
"title": "Risk management for pooled or joint TLPTs",
"text": "1. In the case of a joint TLPT or a pooled TLPT, the control team of each financial entity shall conduct its own risk assessment and establish its own risk management measures.\n\n2. The control team of the designated financial entity referred to in Article 16(3), point (b), of this Regulation, or the financial entity designated in accordance with Article 26(4) of Regulation (EU) 2022/2554, shall assess the risks relating to the involvement in the TLPT of multiple financial entities. The control teams of the involved financial entities shall cooperate with the control team of the designated financial entity to identify potential joint risks."
},
{
"number": "7",
"title": "Selection of TLPT providers",
"text": "1. The control team shall take measures to manage the risks relating to the TLPT and shall in particular ensure that, for each TLPT:\n\n(a)\n\nthe threat intelligence provider and external testers provide the control team with a detailed curriculum vitae and copies of certifications that, according to recognised market standards, are appropriate for the performance of their activities;\n\n(b)\n\nthe threat intelligence provider and external tester are duly and fully covered by proper professional indemnity insurances including against risks of misconduct and negligence;\n\n(c)\n\nthe threat intelligence provider provides at least three references from previous assignments in the context of penetration testing and red team testing;\n\n(d)\n\nthe external testers provide at least five references from previous assignments related to penetration testing and red team testing;\n\n(e)\n\nthe staff of the threat intelligence provider assigned to the TLPT:\n\n(i)\n\nis composed of at least a manager with at least 5 years’ experience in threat intelligence and at least one additional member with at least 2 years’ experience in threat intelligence;\n\n(ii)\n\ndisplay a broad range and appropriate level of professional knowledge and skills, including:\n\n(1)\n\nintelligence gathering tactics, techniques and procedures;\n\n(2)\n\ngeopolitical, technical and sectorial knowledge;\n\n(3)\n\nadequate communication skills to clearly present and report on the result of the engagement;\n\n(iii)\n\nhas a combined participation in at least three previous assignments in threat intelligence in the context of penetration testing and red team testing;\n\n(iv)\n\ndoes not simultaneously perform any blue team tasks or other services that may present a conflict of interest with respect to the financial entity, ICT third-party service provider or an ICT intra-group service provider involved in TLPT to which they are assigned;\n\n(v)\n\nis separated from and not reporting to staff of the same TLPT provider providing external testers for the same TLPT;\n\n(f)\n\nfor external testers, the red team assigned to the TLPT:\n\n(i)\n\nis composed of at least a manager, with at least 5 years of experience in penetration testing and red team testing as well as at least two additional testers, each with penetration testing and red team testing of at least 2 years;\n\n(ii)\n\ndisplays a broad range and appropriate level of professional knowledge and skills, including knowledge about the business of the financial entity, reconnaissance, risk management, exploit development, physical penetration, social engineering, vulnerability analysis, as well as adequate communication skills to clearly present and report on the result of the engagement;\n\n(iii)\n\nhas a combined participation in at least five previous assignments related to penetration testing and red team testing;\n\n(iv)\n\nis not employed by, nor provides services to, a threat intelligence provider that simultaneously performs blue team tasks for either a financial entity, an ICT third-party service provider, or an ICT intra-group service provider that is involved in the TLPT;\n\n(v)\n\nis separated from any staff of the same TLPT provider that simultaneously provides threat-intelligence services for the same TLPT;\n\n(g)\n\nthe testers and the threat intelligence provider carry out restoration procedures at the end of testing, including secure deletion of information related to passwords, credentials, and other secret keys compromised during the TLPT, secure communication to the financial entities of the accounts compromised, secure collection, storage, management, and disposal of other data collected during testing;\n\n(h)\n\ntesters, in addition to the restoration procedures at the end of testing as referred to in point (g), carry out the following restoration procedures:\n\n(i)\n\ncommand and control deactivation;\n\n(ii)\n\nscope and date kill switches;\n\n(iii)\n\nremoval of backdoors and other malware;\n\n(iv)\n\npotential breach notification;\n\n(v)\n\nprocedures for future back-up restoration which may concern malware or tools installed during the test;\n\n(vi)\n\nmonitoring of the blue team activities and informing the control team of any possible detections;\n\n(i)\n\ntesters and the threat intelligence provider do not perform, or participate in, any of the following activities:\n\n(i)\n\nunauthorised destruction of equipment of the financial entity and of its ICT third-party service providers, if any;\n\n(ii)\n\nuncontrolled modification of information and ICT assets of the financial entity and of its ICT third-party service providers, if any;\n\n(iii)\n\nintentionally compromising the continuity of critical or important functions of the financial entity;\n\n(iv)\n\nunauthorised inclusion of out-of-scope systems;\n\n(v)\n\nunauthorised disclosure of test results.\n\n2. The control team shall keep record of the documentation provided by the testers and the threat intelligence providers to evidence compliance with paragraph 1, points (a) to (f).\n\nIn exceptional circumstances, financial entities may contract external testers and threat intelligence providers that do not meet one or more of the requirements set out in paragraph 1, points (a) to (f), provided that those financial entities adopt measures that are appropriate to mitigate the risks relating to the lack of compliance with such points and record those measures."
},
{
"number": "8",
"title": "Specificities for pooled or joint TLPTs",
"text": "1. Unless otherwise decided by the lead TLPT authority, where several financial entities, identified in accordance with Article 16(2) or (4), are involved in a pooled or joint TLPT, each financial entity shall follow each of the steps set out in Articles 9 to 15.\n\n2. Unless otherwise provided in this Regulation, where several TLPT authorities are involved in a joint TLPT or in a pooled TLPT, as referred to in Article 16(3) or 16(5), references in Articles 9 to 15 to the ‘TLPT authority’ shall be understood as a reference to the lead TLPT authority for such pooled or joint TLPT."
},
{
"number": "9",
"title": "Preparation phase",
"text": "1. A financial entity identified pursuant to Article 26, paragraph 8, third subparagraph of Regulation (EU) 2022/2554 shall initiate a TLPT following a notification from the TLPT authority that a TLPT is to be carried out.\n\n2. A financial entity shall, within 3 months from having received the notification referred to in paragraph 1, submit to the test managers all of the following TLPT initiation information:\n\n(a)\n\na project charter including a high-level project plan, containing the information set out in Annex I;\n\n(b)\n\nthe contact details of the control team lead;\n\n(c)\n\ninformation on the intended use of internal or external testers or both, where relevant as detailed in Article 15;\n\n(d)\n\ninformation on the communication channels to be used during the TLPT;\n\n(e)\n\nthe code name for the TLPT.\n\n3. Where the information referred to in paragraph 2, points (a) to (e), is complete and ensures the suitability and effective performance of the TLPT, the TLPT authority shall validate the TLPT initiation information of the financial entity and notify the financial entity thereof.\n\n4. Following the validation of the TLPT initiation information by the TLPT authority, the financial entity shall set up a control team to support the control team lead in its tasks of:\n\n(a)\n\nspecifying communications channels and processes within the control team, with the testers and the threat intelligence providers in all matters related to the TLPT;\n\n(b)\n\ninforming the management body of the financial entity about the progress of the TLPT and the associated risks;\n\n(c)\n\ntaking decisions based on subject matter expertise throughout the TLPT;\n\n(d)\n\nexecuting the TLPT in compliance with this Regulation;\n\n(e)\n\nselecting the threat intelligence provider for the TLPT;\n\n(f)\n\nselecting the external testers, the internal testers or both;\n\n(g)\n\npreparing the scope specification document.\n\n5. Where the TLPT authority considers that the initial composition of the control team and any subsequent changes to it are adequate for the performance of the tasks referred to in paragraph 4, the TLPT authority shall validate the control team and notify the control team lead thereof.\n\n6. The financial entity shall submit a scope specification document containing all information set out in Annex II to the test managers within 6 months from the receipt of the notification from the TLPT authority referred to in paragraph 1. The management body of the financial entity shall approve the scope specification document.\n\n7. Financial entities shall consider the following criteria for the inclusion of critical or important functions into the scope of the TLPT:\n\n(a)\n\nthe criticality or importance of the function and its possible impact on the financial sector and on financial stability at Union and national level;\n\n(b)\n\nthe importance of the function for the day-to-day business operations of the financial entity;\n\n(c)\n\nthe exchangeability of the function;\n\n(d)\n\nthe interconnectedness with other functions;\n\n(e)\n\nthe geographical location of the function;\n\n(f)\n\nthe sectoral dependence of other entities on the function;\n\n(g)\n\nwhere available, threat intelligence concerning the function.\n\n8. The control team shall share the TLPT initiation information and the scope specification document with the testers and threat intelligence providers once those are contracted. The control team shall inform the testers and threat intelligence providers about the testing process to be followed.\n\n9. The financial entity shall ensure that the procurement or assignment of testers and threat intelligence providers is completed prior to the initiation of the testing phase.\n\n10. Prior to the initiation of the testing phase, the control team shall consult the test managers on the TLPT risk assessment and on the risk management measures. The control team shall review the risk assessment or the risk management measures where the TLPT authority is of the opinion that they do not adequately address the risks of the TLPT.\n\n11. The control team shall assess the compliance of threat intelligence providers and testers they consider involving in the TLPT with the requirements laid down in Article 27 of Regulation (EU) 2022/2554 and with Article 7(1) of this Regulation, and document the outcome of that assessment. The control team shall select threat intelligence providers in accordance with that assessment and with its risk management practices. Prior to contracting the selected threat intelligence providers and external testers, the control team shall provide to the test managers evidence of compliance of those threat intelligence providers and testers with the requirements laid down in Article 27 of Regulation (EU) 2022/2554 and with Article 7(1) of this Regulation. The control team shall not proceed with contracting the selected threat intelligence providers and external testers where the TLPT authority is of the opinion that the selected threat intelligence providers and external testers do not comply with the requirements laid down in Article 27 of Regulation (EU) 2022/2554, or with the requirements laid down in Article 7(1) of this Regulation or with additional requirements stemming from national security legislations in accordance with Union law, or where the financial entity does not comply with Article 7(2), first subparagraph, of this Regulation, or where the circumstances referred to in Article 7(2), second subparagraph, of this Regulation are not met.\n\n12. Where the scope specification document is complete and ensures the performance of an appropriate and effective TLPT, the TLPT authority shall approve that document and inform the control team lead thereof."
},
{
"number": "10",
"title": "Testing phase: threat intelligence",
"text": "1. Following the approval of the scope specification document by the TLPT authority, the threat intelligence provider shall analyse generic and sector-specific threat intelligence relevant for the financial entity. Where a generic threat landscape has been provided by the TLPT authority for the financial sector of a Member State, the threat intelligence provider may use that landscape as a baseline for the national threat landscape. The threat intelligence provider shall identify cyber threats and existing or potential vulnerabilities concerning the financial entity. Furthermore, the threat intelligence provider shall gather information on, and analyse concrete, actionable, and contextualised target and threat intelligence concerning the financial entity, including through consulting the control team and the test managers.\n\n2. The threat intelligence provider shall present the relevant threats and targeted threat intelligence, and propose requisite scenarios to the control team, testers and test managers. The proposed scenarios shall differ with reference to the identified threat actors and associated tactics, techniques and procedures and shall target each critical or important function in the scope of the TLPT.\n\n3. The control team lead shall select at least three scenarios to conduct the TLPT on the basis of all of the following elements:\n\n(a)\n\nthe recommendation by the threat intelligence provider and the threat-led nature of each scenario;\n\n(b)\n\nthe input provided by the test managers;\n\n(c)\n\nthe feasibility of the proposed scenarios for execution, based on the expert judgement of the testers;\n\n(d)\n\nthe size, complexity and overall risk profile of the financial entity and the nature, scale, and complexity of its services, activities, and operations.\n\n4. No more than one of the selected scenarios may be non-threat-led and may be based on a forward-looking and potentially fictive threat with high predictive, anticipative, opportunistic, or prospective value given the anticipated developments of the threat landscape concerning the financial entity.\n\nFor pooled TLPTs, without prejudice to the scenarios targeting directly the critical or important functions of the financial entities involved in the testing, at least one scenario shall include the ICT third-party services provider’s relevant underlying ICT systems, processes, and technologies supporting the critical or important functions of the financial entities in scope.\n\nWhere the test is a joint TLPT involving an ICT intra-group service provider, without prejudice to the scenarios targeting directly the critical or important functions of the financial entities involved in the test, at least one scenario shall include the ICT intragroup services provider’s relevant underlying ICT systems, processes and technologies supporting the critical or important functions of the financial entities in scope.\n\n5. The threat intelligence provider shall provide the targeted threat intelligence report to the control team, including the scenarios selected in accordance with paragraphs 3 and 4. The threat intelligence report shall contain the information set out in Annex III.\n\n6. The control team shall submit the targeted threat intelligence report to the test manager for approval. Where the targeted threat intelligence report is complete and ensures the performance of an effective TLPT, the TLPT authority shall approve the targeted threat intelligence report and inform the control team lead thereof."
},
{
"number": "11",
"title": "Testing phase: red team test",
"text": "1. Following approval of the targeted threat intelligence report by the TLPT authority, the testers shall prepare the red team test plan that shall contain the information set out in Annex IV. The testers shall use the scope specification document and the targeted threat intelligence report as a basis for producing the attack scenarios.\n\n2. The testers shall consult the control team, the threat intelligence provider, and the test managers on the red team test plan, including the communication, procedural and project management arrangement, the preparation and use-cases for leg-up activation, and the reporting agreements to the control team and test managers.\n\n3. Where the red team test plan is complete and ensures the performance of an effective TLPT, the control team and the TLPT authority shall approve the red team test plan and the TLPT shall inform the control team lead thereof.\n\n4. Upon approval of the red team test plan in accordance with paragraph 3, the testers shall carry out the TLPT during the active red team testing phase.\n\n5. The duration of the active red team testing phase shall be proportionate to the TLPT scope, to the scale, activity, complexity and number of the financial entities and ICT third-party or ICT intragroup service providers involved in the TLPT, and in any case shall last for at least 12 weeks. Attack scenarios may be executed in sequence or at the same time. The control team, the threat intelligence provider, the testers and the test managers shall agree on the end of the active red team testing phase.\n\n6. Subject to ensuring that the red team test plan remains complete and allows for the performance of an effective TLPT, the control team lead and the test managers shall approve any changes to the red team test plan subsequent to its approval, including to the timeline, scope, target systems or flags.\n\n7. 
During the entire active red team testing phase, testers shall report at least weekly to the control team and test managers on the progress made in the TLPT, and the threat intelligence provider shall remain available for consultation and additional threat intelligence when requested by the control team.\n\n8. The control team shall timely provide leg-ups designed on the basis of the red team test plan. Leg-ups may be added or adapted upon approval by the control team and the test managers.\n\n9. In the case of detection of the testing activities by any staff member of the financial entity or of its ICT third-party service providers or ICT intragroup service provider, where relevant, the control team, in consultation with the testers and without prejudice to paragraph 10, shall propose and submit measures allowing to continue the TLPT while ensuring its secrecy to the test managers for validation.\n\n10. Under exceptional circumstances triggering risks of impact on data, damage to assets, and disruption to critical or important functions, services or operations of the financial entity itself, of its ICT third-party service providers or ICT intragroup services providers, or disruptions to its counterparts or to the financial sector, the control team lead may suspend the TLPT, or, as a last resort, where the continuation of the TLPT is not otherwise possible and subject to prior validation by the TLPT authority, continue the TLPT using a limited purple teaming exercise. The duration of the limited purple teaming exercise shall be counted for the purpose of the 12-week minimum duration of the active red team testing phase referred to in paragraph 5."
},
{
"number": "12",
"title": "Closure phase",
"text": "1. Following the end of the active red team testing phase, the control team lead shall inform the blue team that a TLPT took place.\n\n2. Within 4 weeks from the end of the active red team testing phase, the testers shall submit to the control team a red team test report containing the information set out in Annex V.\n\n3. The control team shall provide the red team test report to the blue team and test managers without undue delay.\n\nAt the request of the test managers, the report referred to in the first subparagraph shall not contain sensitive information.\n\n4. Upon receipt of the red team test report, and no later than 10 weeks after the end of the active red team testing phase, the blue team shall submit to the control team a blue team test report containing the information set out in Annex VI. The control team shall provide the blue team test report to the testers and the test managers without undue delay.\n\nAt the request of the test managers, the report referred to in the first subparagraph shall not contain sensitive information.\n\n5. No later than 10 weeks after the end of the active red team testing phase, the blue team and the testers shall replay the offensive and defensive actions performed during the TLPT. The control team shall also conduct a purple teaming exercise on topics jointly identified by the blue team and the testers, based on vulnerabilities identified during the test and, where relevant, on issues that could not be tested during the active red team testing phase.\n\n6. After completion of the replay and purple teaming exercises, the control team, the blue team, the testers, and threat intelligence providers shall provide feedback to each other on the TLPT process. The test managers may provide feedback.\n\n7. 
Once the TLPT authority has notified the control team lead that it has assessed that the blue team test report and the red team test report contain the information set out in Annexes V and VI, the financial entity shall within 8 weeks submit the report summarising the relevant findings of the TLPT to the TLPT authority, as referred to in Article 26(6) of Regulation (EU) 2022/2554, containing the elements set out in Annex VII for approval.\n\nAt the request of the TLPT authority, the report referred to in the first subparagraph shall not contain sensitive information."
},
{
"number": "13",
"title": "Remediation plan",
"text": "1. Within 8 weeks from the notification referred to in Article 12(7) of this Regulation, the financial entity shall provide the remediation plans and the documentation referred to in Article 26(6) of Regulation (EU) 2022/2554 to the TLPT authority and, where different, to the financial entity’s competent authority.\n\n2. The remediation plan referred in paragraph 1 shall include, for each finding occurred in the framework of the TLPT:\n\n(a)\n\na description of the identified shortcomings;\n\n(b)\n\na description of the proposed remediation measures and of their prioritisation and expected completion, including, where relevant, measures to improve the identification, protection, detection and response capabilities;\n\n(c)\n\na root cause analysis;\n\n(d)\n\nthe financial entity’s staff or functions responsible for the implementation of the proposed remediation measures or improvements;\n\n(e)\n\nthe risks associated to not implementing the measures referred to in point (b) and, where relevant, risks associated to the implementation of such measures."
},
{
"number": "14",
"title": "Attestation",
"text": "1. The attestation referred to in Article 26(7) of Regulation (EU) 2022/2554 shall contain the information set out in Annex VIII.\n\n2. Where several TLPT authorities have been involved in a TLPT, the lead TLPT authority shall provide the attestation referred to in Article 26(7) of Regulation (EU) 2022/2554 to the tested financial entities."
},
{
"number": "15",
"title": "Use of internal testers",
"text": "1. Financial entities shall establish all of the following arrangements for the use of internal testers:\n\n(a)\n\nthe establishment and implementation of a policy for the management of internal testers in a TLPT;\n\n(b)\n\nmeasures to ensure that the use of internal testers to perform a TLPT does not negatively impact the financial entity’s general defensive or resilience capabilities regarding ICT-related incidents or significantly impacts the availability of resources devoted to ICT-related tasks during a TLPT;\n\n(c)\n\nmeasures to ensure that internal testers have sufficient resources and capabilities to perform a TLPT.\n\nThe policy referred to in point (a) shall:\n\n(a)\n\ncontain criteria to assess suitability, competence, potential conflicts of interest of the internal testers and specify management responsibilities in the testing process;\n\n(b)\n\nbe documented and periodically reviewed;\n\n(c)\n\nprovide that the internal testing team includes a test lead, and at least two additional members;\n\n(d)\n\nrequire that all members of the test team have been employed by the financial entity or by an ICT intra-group service provider for the preceding 12 months;\n\n(e)\n\ninclude provisions on training on how to perform penetration testing and red team testing of the internal testers.\n\n2. Where a TLPT authority approves the use of internal testers in accordance with Article 27(2), point (a), of Regulation (EU) 2022/2554, the TLPT authority shall consider the requirements laid down in Article 7(1) of this Regulation.\n\n3. When using internal testers, the financial entity shall ensure that such use is mentioned in the following documents:\n\n(a)\n\nthe test initiation information referred to in Article 9;\n\n(b)\n\nthe red team test report referred to in Article 12(2);\n\n(c)\n\nthe report summarising the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554.\n\n4. 
Testers employed by an ICT intra-group service provider shall be considered as internal testers of the financial entity."
},
{
"number": "16",
"title": "Cooperation and mutual recognition",
"text": "1. For the purposes of conducting a TLPT in relation to a financial entity providing services in more than one Member State, including through a branch, its TLPT authority shall:\n\n(a)\n\ndetermine which TLPT authorities in host Member States shall be involved, taking into account whether one or more critical or important functions are operated in, or shared across, host Member States;\n\n(b)\n\ninform the TLPT authorities identified in accordance with point (a) of the decision to carry out a TLPT test on the financial entity;\n\n(c)\n\nunless otherwise agreed by the TLPT authorities, the TLPT authority of the financial entity shall lead the TLPT.\n\nThe TLPT authorities of the host Member States may, within 20 working days from the receipt of the information on a future conduct of a TLPT, either express their interest in following the TLPT as observers or assign a test manager to participate in the TLPT. The lead TLPT authority shall provide all TLPT authorities acting as observers in TLPT with the scope specification document, the test summary report, remediation plan and attestation.\n\nThe lead TLPT authority shall coordinate all participating TLPT authorities throughout the test and adopt all the decisions necessary to carry out the TLPT appropriately and effectively. The lead TLPT authority may set a maximum number of participating TLPT authorities, where the efficient conduct of the TLPT might otherwise be compromised.\n\n2. 
Where a financial entity uses the same ICT intra-group service provider as financial entities established in other Member States, or belongs to a group and shares ICT systems with financial entities of the same group established in other Member States, the TLPT authority of the financial entity shall contact the TLPT authorities of the other financial entities using the same ICT intra-group service provider or sharing ICT systems as part of the group and assess with them the feasibility and suitability of conducting a joint TLPT in their respect. A joint TLPT shall be preferred to an individual TLPT where it may result in reduction of costs and resources for the financial entities and for the TLPT authorities, provided that the soundness and efficacy of the testing is not prejudiced.\n\n3. For the purposes of conducting a joint TLPT:\n\n(a)\n\nthe TLPT authorities of the financial entities shall agree on which financial entity shall be designated to conduct the TLPT, considering the group structure and the efficiency of the test;\n\n(b)\n\nthe TLPT authority of the financial entity designated in accordance with point (a) shall lead the TLPT, unless otherwise agreed by the TLPT authorities of the financial entities participating in the joint TLPT;\n\n(c)\n\nthe TLPT authorities of the financial entities other than the designated financial entity to lead the joint TLPT may either express their interest in following the TLPT as observers or assign a test manager for that TLPT.\n\nThe lead TLPT authority shall coordinate all TLPT authorities involved in the joint TLPT and adopt all the decisions necessary to carry out the joint TLPT in a sound and effective way.\n\n4. 
Where a financial entity intends to conduct a pooled TLPT as referred to in Article 26(4) of Regulation (EU) 2022/2554 possibly involving financial entities established in other Member States, its TLPT authority shall contact the TLPT authorities of the other financial entities and assess with them the feasibility and suitability of conducting a pooled TLPT in their respect in accordance with Article 26(4) of Regulation (EU) 2022/2554.\n\n5. For the purposes of conducting a pooled TLPT as referred to in Article 26(4) of Regulation (EU) 2022/2554:\n\n(a)\n\nthe TLPT authorities of the financial entities shall agree on which financial entity shall be designated to conduct of the pooled TLPT, considering the ICT services provided by the ICT third-party service provider to the financial entities and the efficiency of the test;\n\n(b)\n\nthe TLPT authority of the financial entity designated in accordance with point (a) shall lead the TLPT, unless otherwise agreed by the TLPT authorities of the financial entities participating in the pooled TLPT;\n\n(c)\n\nthe TLPT authorities of the financial entities other than the designated financial entity to lead the pooled TLPT may either express their interest in following the TLPT as observers or assign a test manager to that TLPT.\n\nThe lead TLPT authority shall coordinate all TLPT authorities involved in the pooled TLPT and adopt all the decisions necessary to carry out the pooled TLPT in a sound and effective way.\n\n6. Where, in relation to a financial entity required to perform a TLPT, its TLPT authority differs from its competent authority as referred to in Article 46 of Regulation (EU) 2022/2554, those authorities shall share any relevant information in respect of all TLPT-related matters for the purposes of carrying out the TLPT or to carry out their duties in accordance with that Regulation."
},
{
"number": "17",
"title": "Entry into force",
"text": "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.\n\nThis Regulation shall be binding in its entirety and directly applicable in all Member States.\n\nDone at Brussels, 13 February 2025.\n\nFor the Commission\n\nThe President\n\nUrsula VON DER LEYEN\n\n(1)\n\nOJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj.\n\n(2) Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40, ELI: http://data.europa.eu/eli/reg/2023/1114/oj).\n\n(3) Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj).\n\n(4) Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj).\n\n(5) Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 
84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).\n\n(6) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).\n\n(7) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338, ELI: http://data.europa.eu/eli/dir/2013/36/oj).\n\n(8) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35, ELI: http://data.europa.eu/eli/dir/2015/2366/oj).\n\n(9) Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349, ELI: http://data.europa.eu/eli/dir/2014/65/oj).\n\n(10) Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84, ELI: http://data.europa.eu/eli/reg/2014/600/oj).\n\n(11) Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (OJ L 335, 17.12.2009, p. 
1, ELI: http://data.europa.eu/eli/dir/2009/138/oj).\n\nANNEX I\n\nContent of the project charter (Article 9(2)(a))\n\nItem of information\n\nInformation required\n\nPerson responsible for the project plan, i.e. the Control Team Lead\n\nName\n\nContact details\n\nTesters\n\n☐\n\ninternal\n\n☐\n\nexternal\n\n☐\n\nboth\n\nCommunication channels selected in accordance with Article 9(2), point (d), and Article 9(4) point (a), including:\n\n(a)\n\nemail encryption to be used\n\n(b)\n\nonline data rooms to be used\n\n(c)\n\ninstant messaging to be used\n\nCodename for the TLPT\n\nIf any, critical or important functions the financial entity operates in other Member States\n\n1.\n\nlist of critical or important functions operated in another Member State\n\n2.\n\nfor each critical or important function, indication of the Member State or States in which they are operated\n\nIf any, critical or important functions supported by ICT third party service providers\n\n3.\n\nlist of critical or important functions supported by ICT third-party service providers\n\n4.\n\nfor each function, identification of the ICT third party service provider\n\nExpected deadlines for the completion of the:\n\n(1)\n\nPreparation Phase, in accordance with Article 9\n\nyyyy-mm-dd\n\n(2)\n\nTesting Phase, in accordance with Articles 10 and 11\n\nyyyy-mm-dd\n\n(3)\n\nClosure Phase, in accordance with Article 12\n\nyyyy-mm-dd\n\n(4)\n\nRemediation plan in accordance with Article 13\n\nyyyy-mm-dd\n\nANNEX II\n\nContent of the scope specification document (Article 9(6))\n\n1.\n\nThe scope specification document shall contain a list of all critical or important functions identified by the financial entity.\n\n2.\n\nFor each identified critical or important function, the following information shall be included:\n\n(a)\n\nwhere the critical or important function is not included in the scope of the TLPT, the explanation of the reasons for which it is not included;\n\n(b)\n\nwhere the critical or important 
function is included in the scope of the TLPT:\n\n(i)\n\nthe explanation of the reasons for its inclusion;\n\n(ii)\n\nthe identified ICT system(s) supporting that critical or important function;\n\n(iii)\n\nfor each identified ICT system:\n\n1.\n\nwhether it is outsourced and if so, the name of the ICT third party service provider;\n\n2.\n\nthe jurisdictions in which the ICT system is used;\n\n3.\n\na high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.\n\nANNEX III\n\nContent of the targeted threat intelligence report (Article 10(5))\n\nThe targeted threat intelligence report shall contain information on all of the following:\n\n1.\n\nThe overall scope of the intelligence research including at least the following:\n\n(a)\n\ncritical or important functions in scope;\n\n(b)\n\ntheir geographical location;\n\n(c)\n\nofficial EU language in use;\n\n(d)\n\nrelevant ICT third party services providers;\n\n(e)\n\nperiod of time over which the research is gathered.\n\n2.\n\nThe overall assessment of what concrete actionable intelligence can be found about the financial entity, including:\n\n(a)\n\nthe employee usernames and passwords;\n\n(b)\n\nthe look-alike domains which can be mistaken for official domains of the financial entity;\n\n(c)\n\ntechnical reconnaissance: vulnerable or exploitable software, systems and technologies;\n\n(d)\n\ninformation posted by employees on the internet, related to the financial entity, which might be used for the purposes of an attack;\n\n(e)\n\ninformation for sale on the dark web;\n\n(f)\n\nany other relevant information available on the internet or public networks;\n\n(g)\n\nwhere relevant, physical targeting information, including ways of access to the premises of the financial entity.\n\n3.\n\nThreat intelligence analysis considering the general threat landscape and the particular situation of the financial entity, 
including, at least:\n\n(a)\n\nthe geopolitical environment;\n\n(b)\n\nthe economic environment;\n\n(c)\n\ntechnological trends and any other trends related to the activities in the financial services sector.\n\n4.\n\nThreat profiles of the malicious actors (specific individual/group or generic class) that may target the financial entity, including the systems of the financial entity that malicious actors are most likely to compromise or target, the possible motivation, intent and rationale for the potential targeting and the possible modus operandi of the attackers.\n\n5.\n\nThreat scenarios: at least three end-to-end threat scenarios for the threat profiles identified in accordance with point 4 who exhibit the highest threat severity scores. The threat scenarios shall describe the end-to-end attack path and shall include, at least:\n\n(a)\n\none scenario that includes but is not limited to compromised service availability;\n\n(b)\n\none scenario that includes but is not limited to compromised data integrity;\n\n(c)\n\none scenario that includes but is not limited to compromised information confidentiality.\n\n6.\n\nWhere relevant, a description of the non-threat-led scenario referred to in Article 10(4).\n\nANNEX IV\n\nContent of the red team test plan (Article 11(1))\n\nThe red team test plan shall contain information on all of the following:\n\n(a)\n\ncommunication channels and procedures;\n\n(b)\n\nthe tactics, techniques and procedures allowed and not-allowed for use in the attack, including ethical boundaries for social engineering;\n\n(c)\n\nthe risk management measures to be followed by the testers;\n\n(d)\n\na description for each scenario, including:\n\n(i)\n\nthe simulated threat actor;\n\n(ii)\n\ntheir intent, motivation and goals;\n\n(iii)\n\nthe target function(s) and the supporting ICT system or systems;\n\n(iv)\n\nthe targeted confidentiality, integrity, availability and authenticity aspects;\n\n(v)\n\nflags;\n\n(e)\n\na detailed description of 
each expected attack path, including pre-requisites and possible leg-ups to be provided by the control team, including deadlines for their provision and potential usage;\n\n(f)\n\nthe scheduling of red teaming activities, including time planning for the execution of each scenario, at a minimum split according to the three phases a tester takes throughout the testing phase, respectively entering financial entities’ ICT systems, moving through the ICT systems and ultimately executing actions on objectives and eventually extracting itself from the ICT systems (in, through, and out phases);\n\n(g)\n\nparticularities of the financial entities’ infrastructure to be considered during testing;\n\n(h)\n\nif any, additional information or other resources necessary to the testers for executing the scenarios.\n\nANNEX V\n\nContent of the red team test report (Article 12(2))\n\nThe red team test report shall contain information on at least all of the following:\n\n(a)\n\ninformation on the performed attack, including:\n\n(i)\n\nthe targeted critical or important functions and identified ICT systems, processes and technologies supporting the critical or important function, as identified in the red team test plan;\n\n(ii)\n\nsummary of each scenario;\n\n(iii)\n\nflags reached and not reached;\n\n(iv)\n\nattack paths followed successfully and unsuccessfully;\n\n(v)\n\ntactics, techniques and procedures used successfully and unsuccessfully;\n\n(vi)\n\ndeviations from the red team test plan, if any;\n\n(vii)\n\nleg-ups granted, if any;\n\n(b)\n\nall actions that the testers are aware of that were performed by the blue team to reconstruct the attack and to mitigate its effects;\n\n(c)\n\ndiscovered vulnerabilities and other findings, including:\n\n(i)\n\nvulnerability and other finding description including their criticality;\n\n(ii)\n\nroot cause analysis of successful attacks;\n\n(iii)\n\nrecommendations for remediation including indication of the remediation priority.\n\nANNEX 
VI\n\nContent of the blue team test report (Article 12(4))\n\nThe blue team test report shall contain information on at least all of the following:\n\n1.\n\nfor each attack step described by the testers in the red team test report:\n\n(a)\n\nlist of detected attack actions;\n\n(b)\n\nlog entries corresponding to these detections;\n\n2.\n\nassessment of the findings and recommendations of the testers;\n\n3.\n\nevidence of the attack by the testers collected by the blue team;\n\n4.\n\nblue team root cause analysis of successful attacks by the testers;\n\n5.\n\nlist of lessons learned and identified potential for improvement;\n\n6.\n\nlist of topics to be addressed in purple teaming.\n\nANNEX VII\n\nDetails of the report summarizing the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554\n\nThe test summary report shall contain information on at least all of the following:\n\n(a)\n\nthe parties involved;\n\n(b)\n\nthe project plan;\n\n(c)\n\nthe validated scope, including the rationale behind the inclusion or exclusion of critical or important functions and identified ICT systems, processes, and technologies supporting the critical or important functions covered by the TLPT;\n\n(d)\n\nselected scenarios and any significant deviation from the targeted threat intelligence report;\n\n(e)\n\nexecuted attack paths, and used tactics, techniques and procedures;\n\n(f)\n\ncaptured and non-captured flags;\n\n(g)\n\ndeviations from the red team test plan, if any;\n\n(h)\n\nblue team detections, if any;\n\n(i)\n\npurple teaming in testing phase, where conducted and the related conditions;\n\n(j)\n\nleg-ups used, if any;\n\n(k)\n\nrisk management measures taken;\n\n(l)\n\nidentified vulnerabilities and other findings, including their criticality;\n\n(m)\n\nroot cause analysis of successful attacks;\n\n(n)\n\nhigh level plan for remediation, linking the vulnerabilities and other findings, their root causes and remediation 
priority;\n\n(o)\n\nlessons derived from feedback received.\n\nANNEX VIII\n\nDetails of the attestation of the TLPT referred to in Article 26(7) of Regulation (EU) 2022/2554\n\nThe attestation shall contain at least all of the following information:\n\n(a)\n\non the performed TLPT:\n\n(i)\n\nthe starting and end dates of the TLPT;\n\n(ii)\n\nthe critical or important functions in scope of the test;\n\n(iii)\n\nwhere relevant, information on critical or important functions in scope of the test in relation to which the TLPT was not performed;\n\n(iv)\n\nwhere relevant, other financial entities that were involved in the TLPT;\n\n(v)\n\nwhere relevant, the ICT third-party services providers that participated in the TLPT;\n\n(vi)\n\nin respect of testers:\n\n1.\n\nwhether internal testers were used;\n\n2.\n\nwhether Article 5(3), second subparagraph, was used by the financial entity;\n\n(vii)\n\nthe duration, in calendar days, of the active red team testing phase;\n\n(b)\n\nwhere several TLPT authorities have been involved in the TLPT, the other TLPT authorities, and in which capacity;\n\n(c)\n\nlist of the documents examined by the TLPT authority for the purposes of the attestation.\n\nELI: http://data.europa.eu/eli/reg_del/2025/1190/oj\n\nISSN 1977-0677 (electronic edition)"
}
],
"definitions": [
{
"term": "control team",
"definition": "the team composed of staff of the tested financial entity and, where relevant in consideration of the scope of the TLPT, staff of its third-party service providers and any other party, who manages the test;",
"article": "1"
},
{
"term": "control team lead",
"definition": "the staff member of the financial entity responsible for the conduct of all TLPT-related activities for the financial entity in the context of a given test;",
"article": "1"
},
{
"term": "blue team",
"definition": "the staff of the financial entity and, where relevant, staff of the financial entity's third-party service providers and any other party deemed relevant in consideration of the scope of the TLPT, of the financial entity's third-party service providers, that are defending a financial entity's use of network and information systems by maintaining its security posture against simulated or real attacks and that is not aware of the TLPT;",
"article": "1"
},
{
"term": "blue team tasks",
"definition": "tasks that are typically carried out by the blue team such as security operation centre (SOC), ICT infrastructure services, helpdesk services, incident management services at operational level;",
"article": "1"
},
{
"term": "red team",
"definition": "the testers, internal or external, contracted for, or assigned to, a TLPT;",
"article": "1"
},
{
"term": "purple teaming",
"definition": "a collaborative testing activity that involves both the testers and the blue team;",
"article": "1"
},
{
"term": "tlpt authority",
"definition": "any of the following: (a) the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554; (b) the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554; (c) any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554;",
"article": "1"
},
{
"term": "tlpt cyber team",
"definition": "the staff within the TLPT authorities that is responsible for TLPT-related matters;",
"article": "1"
},
{
"term": "test managers",
"definition": "staff designated to lead the activities of the TLPT authority for a specific TLPT to monitor compliance with this Regulation;",
"article": "1"
},
{
"term": "threat intelligence provider",
"definition": "the experts, contracted by the financial entity for each TLPT, and external to the financial entity and to ICT intra-group service providers if any, who collect and analyse targeted threat intelligence relevant for the financial entities in scope of a specific TLPT exercise and develop matching relevant and realistic threat scenarios;",
"article": "1"
},
{
"term": "tlpt providers",
"definition": "testers and threat intelligence providers;",
"article": "1"
},
{
"term": "leg-up",
"definition": "the assistance or information provided by the control team to the testers to enable the testers to continue the execution of an attack path where they are not able to advance on their own, and where no other reasonable alternative exists, including for insufficient time or resources in a given TLPT;",
"article": "1"
},
{
"term": "attack path",
"definition": "the route followed by testers during the active red team testing phase of the TLPT to reach the flags specified for that TLPT;",
"article": "1"
},
{
"term": "sensitive information",
"definition": "information that can readily be leveraged to carry out attacks against the ICT systems of the financial entity, intellectual property, confidential business data, or personal data, that can directly or indirectly harm the financial entity and its ecosystem would it fall in the hands of malicious actors;",
"article": "1"
},
{
"term": "pool",
"definition": "all the financial entities participating in a pooled TLPT pursuant to Article 26(4) of Regulation (EU) 2022/2554;",
"article": "1"
},
{
"term": "host member state",
"definition": "the host Member State in accordance with the Union sectoral law applicable to each financial entity;",
"article": "1"
},
{
"term": "joint tlpt",
"definition": "a TLPT, other than a pooled TLPT as referred to in Article 26(4) of Regulation (EU) 2022/2554, involving several financial entities using the same ICT intra-group service provider, or belonging to the same group and sharing ICT systems.",
"article": "1"
}
],
"recitals": [
{
"recital_number": 1,
"text": "This Regulation has been drafted in accordance with the TIBER-EU framework and mirrors the methodology, process and structure of threat-led penetration testing (TLPT) as described in TIBER-EU. Financial entities subject to TLPT may refer to and apply the TIBER-EU framework, or one of its national implementations, in as much as that framework or implementation is consistent with the requirements set out in Articles 26 and 27 of Regulation (EU) 2022/2554 and this Regulation. The designation of a single public authority in the financial sector that is responsible for TLPT-related matters at national level in accordance with Article 26(9) of Regulation (EU) 2022/2554 should be without prejudice to the competence of competent authorities entrusted at Union level for the supervision of certain financial entities in accordance with Article 46 of that Regulation such as, for instance, the European Central Bank for significant credit institutions which are to be considered competent for TLPT-related matters. Where only some of the tasks related to TLPTs are delegated to another national authority in the financial sector pursuant to Article 26(10) of Regulation (EU) 2022/2554, the competent authority of the financial entity referred to in Article 46 of that Regulation should remain the authority for the TLPT-related tasks that have been not delegated."
},
{
"recital_number": 2,
"text": "Considering the complexity of the TLPT and the risks relating to it, its use should be restricted to those financial entities for which it is justified. Hence, authorities responsible for TLPT matters (TLPT authorities, either at Union or national level) should exclude from the scope of TLPT those financial entities that operate in core financial services subsectors for which a TLPT is not justified. That means that credit institutions, payment and electronic money institutions, central security depositories, central counterparties, trading venues, insurance and reinsurance undertakings, even though they meet the quantitative criteria, could be released from the requirement of TLPT in light of an overall assessment of their ICT risk profile and maturity, impact on the financial sector, and related financial stability concerns."
},
{
"recital_number": 3,
"text": "TLPT authorities should assess, in light of an overall assessment of the ICT risk profile and maturity, of the impact on the financial sector, and of related financial stability concerns, whether any type of financial entity other than credit institutions, payment institutions, electronic money institutions, central counterparties, central securities depositories, trading venues, insurance and reinsurance undertakings should be subject to TLPT. The assessment of whether such financial entities meet those qualitative criteria should aim at identifying financial entities for which TLPT is appropriate by using cross-sector and objective indicators. At the same time, the assessment of whether a financial entity meets those qualitative criteria should limit the entities subject to TLPT to those for which the testing is justified. Whether a financial entity meets those qualitative criteria should also be assessed in the light of new markets development and of the increasing importance of new market participants for the financial sector in the future, including crypto asset service providers authorised in accordance with Article 59 of Regulation (EU) 2023/1114 of the European Parliament and of the Council (2)."
},
{
"recital_number": 4,
"text": "Financial entities may have the same ICT intra-group service provider or may belong to the same group and rely on the use of shared ICT systems. In that case, it is important that TLPT authorities consider the structure and systemic character or importance for the financial sector of that financial entity at national or Union level in the assessment of whether a financial entity should be subject to TLPT and of whether the TLPT should be conducted at entity level or at group level (through a joint TLPT)."
},
{
"recital_number": 5,
"text": "To mirror the TIBER-EU framework, it is necessary that the testing methodology provides for the involvement of the following main participants: the financial entity, with a control team (mirroring the TIBER-EU ‘control team’) and a blue team (mirroring the TIBER-EU ‘blue team’), and the TLPT authority, in the form of a TLPT cyber team (mirroring the TIBER-EU ‘TIBER cyber teams’), a threat intelligence provider, and testers (whereby the testers mirror the TIBER-EU ‘red team provider’)."
},
{
"recital_number": 6,
"text": "To ensure that the TLPT benefits from the experience developed in the framework of TIBER-EU implementation and to reduce the risks associated to the performance of TLPT, it should be ensured that the responsibilities of the TLPT cyber teams to be set up at the level of TLPT authorities match as closely as possible those of the TIBER-EU cyber teams. Hence, the TLPT cyber teams should have test managers that are responsible for overseeing individual TLPTs and for planning and coordinating individual tests. TLPT cyber teams should serve as a single point of contact for test-related communication to internal and external stakeholders, for collecting and processing feedback and lessons learned from previously conducted tests, and for supporting financial entities undergoing TLPT testing."
},
{
"recital_number": 7,
"text": "To mirror the TIBER-EU framework methodology, test managers should have the skills and capabilities necessary to provide advice and to challenge tester proposals. Experience under the TIBER-EU framework has proven that it is valuable to have a team of at least two test managers assigned to each test. To reflect that the TLPT is used to encourage the learning experience, to safeguard the confidentiality of tests, and unless they have resources or expertise issues, TLPT authorities are strongly encouraged to consider that, for the duration of a TLPT, test managers should not conduct supervisory activities on the same financial entity undergoing a TLPT."
},
{
"recital_number": 8,
"text": "It is important, for consistency with the TIBER-EU framework, that the TLPT authority closely follows the testing in each of its stages. Considering the nature of the testing and the risks associated to it, it is fundamental that the TLPT authority is involved in each specific phase of the testing. In particular, the TLPT authority should be consulted and should validate those assessments or decisions of the financial entities that may, on the one hand, influence the effectiveness of the test and, on the other hand, have an impact on the risks associated with the test. The fundamental steps on which a specific involvement of the TLPT authority is necessary include the validation of certain fundamental documentation of the testing, and the selection of threat intelligence providers and testers and risk management measures. The involvement of the TLPT authorities, and in particular for validations, should not result in an excessive burden for those authorities and should therefore be limited to those documentation and decisions that directly affect the conduct of the TLPT. Through the active participation in each phase of the testing, the TLPT authorities may effectively assess compliance of the financial entities with the relevant requirements, which should allow those authorities to issue attestations pursuant to Article 26(7) of Regulation (EU) 2022/2554."
},
{
"recital_number": 9,
"text": "The secrecy of TLPT is of utmost importance to ensure that the conditions of the testing are realistic. For that reason, testing should be covert, and precautions should be taken to keep the TLPT confidential, including the choice of codenames that should be designed to prevent the identification of the TLPT by third parties. Should staff members responsible for the security of the financial team be aware of a planned or ongoing TLPT, it is likely that they would be more observant and alert than during normal working conditions, thereby resulting in an altered outcome of the testing. Staff members of the financial entity outside of the control team should therefore only be made aware of any planned or ongoing TLPT where there are cogent reasons and subject to the prior agreement of the test managers, inter alia to ensure the secrecy of the test in case a blue team member has detected the testing."
},
{
"recital_number": 10,
"text": "As evidenced through the experience gathered in the TIBER-EU framework with respect to the ‘control team’, the selection of an adequate control team lead is indispensable for the safe conduct of TLPT. The control team lead should have the necessary mandate within the financial entity to guide all the aspects of the testing, without compromising its confidentiality. For the same reason, members of the control team should have a deep knowledge of the financial entity, of the control team lead’s job role and strategic positioning, should have the required seniority and should have access to the management board. To reduce the risk of compromising the TLPT, the control team should be as small as possible."
},
{
"recital_number": 11,
"text": "There are inherent elements of risks associated with TLPT as critical functions are tested in a live production environment, with the possibility of causing denial-of-service incidents, unexpected system crashes, damages to critical live production systems, or the loss, modification, or disclosure of data. Those risks highlight the need for robust risk management measures. To ensure that the TLPT is conducted in a controlled manner all along the testing, it is very important that financial entities are at all points aware of the particular risks that arise in a TLPT and that those risk are mitigated. In that respect, without prejudice to the internal processes of the financial entity and the responsibility and delegations already provided to the control team lead, information about the TLPT risk management measures, or, in particular cases the approval of those risk management measures by the financial entity’s management body itself, may be appropriate. To be able to deliver effective and most qualified professional services and to reduce those risks, it is also essential that the testers and threat intelligence providers (together, the TLPT providers) have the highest level of skills, expertise, and an appropriate experience in threat intelligence and TLPT in the financial services industry."
},
{
"recital_number": 12,
"text": "Conventional penetration tests provide a detailed and useful assessment of technical and configuration vulnerabilities often of a single system or environment in isolation, but unlike intelligence led red team test, do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies. During the selection process of the TLPT providers, financial entities should therefore ensure that those providers have the requisite skills to perform intelligence-led red team tests, and not only penetration tests. It is therefore necessary to lay down comprehensive criteria for testers, both internal and external, and threat intelligence providers, always external. Where the TLPT providers belong to the same company, the staff assigned to a TLPT should be adequately separated."
},
{
"recital_number": 13,
"text": "There may be exceptional circumstances where financial entities are unable to contract TLPT providers that meet the comprehensive criteria. Financial entities, upon evidencing the unavailability of such threat intelligence providers, should therefore be allowed to engage persons who do not satisfy all comprehensive criteria, provided that they properly mitigate any resultant additional risks and that the TLPT authority assesses all those criteria."
},
{
"recital_number": 14,
"text": "Where several financial entities and several TLPT authorities are involved in a TLPT, the roles of all parties in the TLPT process should be specified to conduct the most efficient and safe test. For the purposes of pooled testing, specific requirements are necessary to specify the role of the designated financial entity, namely that it should be in charge of providing all necessary documentation to the lead TLPT authority and of monitoring the test process. The designated financial entity should also be in charge of the common aspects of the risk management assessment. Notwithstanding the role of the designated financial entity, the obligations of each financial entity participating to the pooled TLPT process should remain unaffected during the pooled test. The same principle should apply for joint TLPTs."
},
{
"recital_number": 15,
"text": "As evidenced by the experience of the implementation of the TIBER-EU framework, holding in-person or virtual meetings including all stakeholders concerned (financial entities, authorities, testers and threat intelligence providers) is the most efficient way to ensure the appropriate conduct of the testing. In-person and virtual meetings should therefore be held at various steps of the process, and in particular during the preparation phase at the launch of the TLPT and to finalise on its scope, during the testing phase, to finalise the threat intelligence report and the red team test plan and for the weekly updates, and during the closure phase for replaying testers and blue team actions, purple teaming and to exchange feedback on the TLPT."
},
{
"recital_number": 16,
"text": "To ensure the smooth performance of the TLPT, the TLPT authority should clearly present to the financial entity its expectations with respect to the testing. In that respect, the test managers should ensure that an appropriate flow of information is established with the control team within the financial entity, and with the TLPT providers."
},
{
"recital_number": 17,
"text": "The financial entity should select the critical or important functions that will be in scope of the TLPT. When selecting those functions, the financial entity should base itself on various criteria relating to the importance of each function for the financial entity itself and for the financial sector, at Union and at national level, not only in economic terms but also considering the symbolic or political status of the function. To facilitate a smooth transition to the phase of threat intelligence gathering, the control team should provide the testers and threat intelligence provider that are not involved in the scoping process with detailed information on the agreed scoping."
},
{
"recital_number": 18,
"text": "To provide the testers with the information needed to simulate a real-life and realistic attack on the financial entity’s live systems underpinning its critical or important functions, the threat intelligence provider should collect intelligence or information that cover at least two key areas of interest: the targets, by identifying potential attack surfaces across the financial entity, and the threats, by identifying relevant threat actors and probable threat scenarios. To ensure that the threat intelligence provider considers the relevant threats for the financial entity, the testers, the control team, and the test managers should provide feedback the draft threat intelligence report. If it is available, the threat intelligence provider may use a generic threat landscape provided by the TLPT authority for the financial sector of a Member State as a baseline for the national threat landscape. Based on the TIBER-EU framework application, the threat intelligence gathering process typically lasts approximately 4 weeks."
},
{
"recital_number": 19,
"text": "To enable the testers to gain insight and further review the scope specification document and targeted threat intelligence report to finalise the red team testing plan, it is essential that, prior to the red team testing phase of the TLPT, the testers receive from the threat intelligence provider detailed explanations on the targeted threat intelligence report and analysis of possible threat scenarios."
},
{
"recital_number": 20,
"text": "To enable testers to conduct a realistic and comprehensive testing in which all attack phases are executed and flags are reached, sufficient time should be allocated to the active red team testing phase. On the basis of the experience gathered with the TIBER-EU framework, the time allocated should be at least 12 weeks and should be determined taking into account the number of parties involved, the TLPT scope, the resources of the involved financial entity or entities, any external requirements, and the availability of supporting information supplied by the financial entity."
},
{
"recital_number": 21,
"text": "During the active red team testing phase, the testers should deploy a range of tactics, techniques, and procedures (TTPs) to adequately test the live production systems of the financial entity. The TTPs should contain, as appropriate, reconnaissance (i.e. collecting as much information as possible on a target), weaponization (i.e. analysing information on the infrastructure, facilities, and employees and preparing for the operations specific to the target), delivery (i.e. the active launch of the full operation on the target), exploitation (i.e. where the testers’ goal is to compromise the servers, networks of the financial entity and exploit its staff through social engineering), control and movement (i.e. attempts to move from the compromised systems to further vulnerable or high value ones), and actions on target (i.e. gaining further access to compromised systems and acquiring access to the previously agreed target information and data, as previously agreed in the red team test plan)."
},
{
"recital_number": 22,
"text": "While carrying out a TLPT, testers should act considering the time available to perform the attack, resources, and ethical and legal boundaries. Should the testers be unable to progress to the programmed next stage of the attack, occasional assistance should be provided by the control team, upon agreement of the TLPT authority, in the form of ‘leg-ups’. Leg-ups can broadly be categorised in information and access leg-ups and may consist of the provision of access to ICT systems or internal networks to continue with the test and focus on the following attack steps."
},
{
"recital_number": 23,
"text": "During the active red teaming in the testing phase, if necessary to allow for the continuation of the TLPT as a last resort in exceptional circumstances and once all alternative options have been exhausted, a collaborative testing activity that involves both the testers and the blue team, should be used. In the context of such limited purple teaming exercise, the following methods can be used: ‘catch-and-release’, where testers attempt to continue the scenarios, get detected and then resume the testing, ‘war gaming’, which allows for more complex scenarios to test strategic decision-making, or ‘collaborative proof-of-concept’ which enables testers and blue team members to jointly validate specific security measures, tools, or techniques in a controlled and cooperative environment."
},
{
"recital_number": 24,
"text": "The TLPT should be used as a learning experience to enhance the digital operational resilience of financial entities. In that respect, the blue team and testers should replay the attack and review the steps taken to learn from the testing experience in collaboration with the testers. For that purpose and to allow for adequate preparation, the red team test report and the blue team test report should be made available to all parties involved in the replay activities, prior to conducting any replay activities. Additionally, a purple teaming exercise, in the closure phase, should be carried out to maximise the learning experience. Methods that may be used for purple teaming in the closure phase should include discussions of alternative attack scenarios, exploration on live systems of alternative scenarios or the re-exploration of planned scenarios on live systems that the testers had been unable to complete or execute during the testing phase."
},
{
"recital_number": 25,
"text": "To further facilitate the learning experience of all parties involved in the TLPT, for the benefit of future tests, and to further the digital operational resilience of financial entities, the parties concerned should provide feedback to each other on the overall process, and in particular identify which activities progressed well or could have been improved, and which aspects of the TLPT process worked well or could be improved."
},
{
"recital_number": 26,
"text": "The competent authorities referred to in Article 46 of Regulation (EU) 2022/2554 and TLPT authorities, where different, should cooperate to incorporate advanced testing by means of TLPT into the existing supervisory processes. In that respect and to share the correct understanding of the TLPT findings and of how they should be interpreted, it is appropriate that, in particular for the test summary report and remediation plans, a close cooperation between test managers who were involved in the TLPT and the responsible supervisors is established."
},
{
"recital_number": 27,
"text": "Article 26(8), first subparagraph, of Regulation (EU) 2022/2554 requires from financial entities that they contract external testers every three tests. Where financial entities include in the team of testers both internal and external testers, that should be considered as a TLPT performed with internal testers for the purposes of that Article."
},
{
"recital_number": 28,
"text": "This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Banking Authority, the European Insurance and Occupational Pensions Authority, the European Securities and Markets Authority (European Supervisory Authorities), in agreement with the European Central Bank."
},
{
"recital_number": 29,
"text": "The European Supervisory Authorities have conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (3), the Insurance and Reinsurance Stakeholder Group and the Occupational Pensions Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (4), and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (5)."
},
{
"recital_number": 30,
"text": "The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) and delivered an opinion on 20 August 2024,\n\nHAS ADOPTED THIS REGULATION:"
}
],
"effective_date": "2025-01-17"
}