Recital 60

Safeguards for pooled testing

Pooled testing within the meaning of this Regulation – involving the participation of several financial entities in a TLPT (threat-led penetration testing) and for which an ICT third-party service provider can directly enter into contractual arrangements with an external tester – should be allowed only where the quality or security of services delivered by the ICT third-party service provider to customers that are entities falling outside the scope of this Regulation, or the confidentiality of the data related to such services, are reasonably expected to be adversely impacted. Pooled testing should also be subject to safeguards (direction by one designated financial entity, calibration of the number of participating financial entities) to ensure a rigorous testing exercise for the financial entities involved which meets the objectives of the TLPT pursuant to this Regulation.