Identification of financial entities required to perform TLPT

  1. TLPT authorities shall require all of the following financial entities to perform TLPT:

    (a) credit institutions as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council identified as global systemically important institutions (G-SIIs) in accordance with Article 131 of Directive 2013/36/EU of the European Parliament and of the Council (15) or as other systemically important institutions (O-SIIs), or that are part of a G-SII or O-SII;

    (b) payment institutions as defined in Article 4, point (4), of Directive (EU) 2015/2366, exceeding in each of the previous two financial years EUR 150 billion of total value of payment transactions as defined in point (5) of Article 4 of Directive (EU) 2015/2366 of the European Parliament and of the Council (16);

    (c) electronic money institutions as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council, exceeding in each of the previous two financial years EUR 150 billion of total value of payment transactions as defined in point (5) of Article 4 of Directive (EU) 2015/2366 or EUR 40 billion of total value of the amount of outstanding electronic money;

    (d) central securities depositories as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014;

    (e) central counterparties as defined in Article 2, point (1), of Regulation (EU) No 648/2012;

    (f) trading venues as defined in Article 4(1), point (24), of Directive 2014/65/EU with an electronic trading system that meet at least one of the following criteria:

      (i) the trading venue with the highest market share in terms of turnover at national level in each of the preceding two financial years in one or more of the following:

        (1) transferable securities as defined in point (44)(a) of Article 4(1) of Directive 2014/65/EU of the European Parliament and of the Council (17);

        (2) transferable securities as defined in point (44)(b) of Article 4(1) of Directive 2014/65/EU;

        (3) derivatives as defined in Article 2(1)(29) of Regulation (EU) No 600/2014 of the European Parliament and of the Council (18);

        (4) structured finance products as defined in Article 2(1)(28) of Regulation (EU) No 600/2014;

        (5) emission allowances as defined in point (11) of Section C of Annex I to Directive 2014/65/EU;

      (ii) the trading venue whose market share in terms of turnover at Union level exceeds 5% in each of the preceding two financial years in one or more of the following:

        (1) transferable securities as defined in point (44)(a) of Article 4(1) of Directive 2014/65/EU (19);

        (2) transferable securities as defined in point (44)(b) of Article 4(1) of Directive 2014/65/EU;

        (3) derivatives as defined in Article 2(1)(29) of Regulation (EU) No 600/2014;

        (4) structured finance products as defined in Article 2(1)(28) of Regulation (EU) No 600/2014;

        (5) emission allowances as defined in point (11) of Section C of Annex I to Directive 2014/65/EU.

      For the purposes of point (ii) of this point (f), where the trading venue is part of a group using common ICT systems or the same ICT intra-group service provider, the turnover of the securities and derivatives contracts on all trading venues pertaining to the same group and established in the Union shall be considered;

    (g) insurance and reinsurance undertakings that meet all the following criteria:

      (i) gross written premium (GWP) exceeding EUR 1 500 000 000;

      (ii) technical provisions exceeding EUR 10 000 000 000;

      (iii) in the case of life insurance undertakings, as referred to in Article 13, point (1), of Directive 2009/138/EC of the European Parliament and of the Council (20), and of insurance undertakings pursuing both life and non-life activities, total assets exceeding 3.5% of the sum of the total assets valuated according to Article 75 of Directive 2009/138/EC of the insurance and reinsurance undertakings established in the Member State.

      TLPT authorities shall create a subset of all insurance and reinsurance undertakings by applying the criteria listed in the first subparagraph. Insurance and reinsurance undertakings included in this subset shall be required to perform TLPT where they also meet one or more of the following criteria:

      (i) gross written premium (GWP) exceeding EUR 3 000 000 000;

      (ii) technical provisions exceeding EUR 30 000 000 000;

      (iii) total assets exceeding 10% of the sum of the total assets valuated according to Article 75 of Directive 2009/138/EC of the insurance and reinsurance undertakings established in the Member State.

  2. Financial entities referred to in points (a) to (g) of paragraph 1 shall not be required to carry out TLPT where the assessment of the criteria listed in paragraph 4 indicates that the impact of the financial entity, financial stability concerns relating to it or its ICT risk profile do not justify the performance of the TLPT.

  3. Where more than one financial entity belonging to the same group and using common ICT systems, or more than one financial entity using the same ICT intra-group service provider, meet the criteria set out in points (a) to (g) of paragraph 1, the TLPT authorities of those financial entities shall decide whether the requirement to perform TLPT on an individual basis is relevant for those financial entities, in accordance with Article 14(2).

    Where the TLPT authority of the parent undertaking of such group is different from the TLPT authority or authorities of the financial entities referred to in the first subparagraph, it shall be consulted.

  4. TLPT authorities shall assess whether any financial entities other than those referred to in paragraph 1 shall be required to perform TLPT, taking into account their impact, systemic character and ICT risk profile, assessed on the basis of all of the following criteria:

    (a) impact-related and systemic-character-related factors:

      (i) the size of the financial entity, determined taking into account whether the financial entity provides financial services in the national or Union market and by comparing the activities of the financial entity to those of other financial entities providing similar services. Where possible, the TLPT authority shall consider the market share position at national and EU level, the range of activities offered by the financial entity and the market share of the services provided or of the activities undertaken at national and at Union level;

      (ii) the extent and nature of the interconnectedness of the financial entity with other financial entities in the financial sector at national and Union level;

      (iii) the criticality or importance of the services provided to the financial sector;

      (iv) the substitutability of the services provided by the financial entity;

      (v) the complexity of the business model of the financial entity and the related services and processes. Where possible, the TLPT authority shall consider whether the financial entity operates more than one business model and the interconnectedness of different business processes and the related services;

      (vi) whether the financial entity is part of a group of systemic character at Union or national level in the financial sector and using common ICT systems;

    (b) ICT-risk-related factors:

      (i) the risk profile of the financial entity;

      (ii) the threat landscape of the financial entity;

      (iii) the degree of dependence of critical or important functions or their supporting functions of the financial entity on ICT systems and processes;

      (iv) the complexity of the ICT architecture of the financial entity;

      (v) the ICT services and functions supported by ICT third-party service providers, and the quantity and type of contractual arrangements with ICT third-party service providers or ICT intra-group service providers;

      (vi) outcomes of any supervisory reviews relevant for the assessment of the ICT maturity of the financial entity;

      (vii) the maturity of ICT business continuity plans and ICT response and recovery plans;

      (viii) the maturity of the operational ICT security detection and mitigation measures, including the ability to monitor the financial entity’s ICT infrastructure on a permanent basis, to detect ICT-related events in real time, to analyse events, and to respond to them in a timely and effective manner;

      (ix) whether the financial entity is part of a group active in the financial sector at Union or national level and using common ICT systems.

Footnotes:

  (15) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

  (16) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).

  (17) Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (recast) (OJ L 173, 12.6.2014, p. 349).

  (18) Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

  (19) Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (recast) (OJ L 173, 12.6.2014, p. 349).

  (20) Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (recast) (OJ L 335, 17.12.2009, p. 1).

Definitions of terms used above:

  TLPT (threat-led penetration testing): a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.

  financial entities: financial entities as defined in Article 2, points (a) to (t).

  group: a group as defined in Article 2, point (11), of Directive 2013/34/EU.

  parent undertaking: a parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU.

  insurance undertaking: an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC.

  reinsurance undertaking: a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC.

  ICT intra-group service provider: an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control.

  ICT third-party service provider: an undertaking providing ICT services.

  ICT services: digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.

  ICT risk: any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology-dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment.

  critical or important function: a function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of which would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.