TLPT (threat-led penetration testing) authorities should assess, in light of an overall assessment of the ICT risk profile and maturity, of the impact on the financial sector and related financial stability concerns, whether any type of financial entity other than credit institutions, payment institutions, electronic money institutions, central counterparties, central securities depositories, trading venues, insurance and reinsurance undertakings should be subject to TLPT. The assessment of the abovementioned qualitative elements should aim at identifying financial entities for which the TLPT is appropriate by using cross-sector and objective indicators. At the same time, the assessment of these elements should limit the entities subject to TLPT to those for which the test is justified. These elements should also be assessed with reference to new market participants (such as crypto asset service providers referred to in Title V of Regulation (EU) 2023/1114) which might have a more important role for the financial sector in the future.