Article 13Note: This article is based on the final draft from the ESAs and is not yet adopted. Use of internal testers
-
Financial entitiesas defined in Article 2, points (a) to (t) shall establish all of the following arrangements for the use of internal testers:
-
the definition and implementation of a policy for the management of internal testers in a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. Such policy shall:
-
include criteria to assess suitability, competence, potential conflicts of interest of the internal testers and define management responsibilities in the testing process. The policy shall be documented and periodically reviewed;
-
provide that the internal testing team includes a test lead, and at least two additional members. The policy shall require that all members of the test team have been employed by the financial entity or by an ICT intra-group service provideran undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control for the preceding 12 months;
-
include provisions on training on how to perform penetration testing and red team testing of the internal testers.
-
-
measures to ensure that the use of internal testers to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems will not negatively impact the financial entity’s general defensive or resilience capabilities regarding ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity or significantly impact the availability of resources devoted to ICT-related tasks during a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems;
-
measures to ensure that internal testers have sufficient resources and capabilities available to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems in accordance with this Regulation;
-
when a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority approves the use of internal testers according to Article 27(2)(a) of Regulation (EU) 2022/2554, the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority shall consider the requirements laid down in Article 5(2) of this Regulation.
-
-
When using internal testers, the financial entity shall ensure that such use is mentioned in the following documents:
-
the test initiation documents referred to in Article 8;
-
the red team test report referred to in Article 11(2);
-
the report summarizing the relevant findings of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems referred to in Article 26(6) of Regulation (EU) 2022/2554.
-
-
For the purposes of this Regulation, testers employed by an ICT intra-group service provideran undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control shall be considered as internal testers of the financial entity.