ANNEX II | Delegated Regulation 2025/1190 | judict

Updated 03/11/2025

Metadata

In force

Initial Legal Act

Amendments

Related documents

BaFin (DE) (0)

Central Bank of Ireland (IE) (0)

ESMA (0)

EIOPA (0)

EBA (0)

European Central Bank (0)

DG FISMA (0)

Search within this legal act

DORA Tool Delegated Regulation 2025/1190

ANNEX II

ANNEX II - Delegated Regulation 2025/1190

ANNEX II

Content of the scope specification document (Article 9(6))

1.

The scope specification document shall contain a list of all critical or important functions identified by the financial entity.

2.

For each identified critical or important function, the following information shall be included:

(a)	where the critical or important function is not included in the scope of the TLPT, the explanation of the reasons for which it is not included;

(b)

where the critical or important function is included in the scope of the TLPT:

(i)	the explanation of the reasons for its inclusion;

(ii)	the identified ICT system(s) supporting that critical or important function;

(iii)

for each identified ICT system:

1.	whether it is outsourced and if so, the name of the ICT third party service provider;

2.	the jurisdictions in which the ICT system is used;

3.	a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.

Table of contents

Recitals Article 1 - Definitions Q&A Article 2 - Identification of financial entities required to perform TLPT Article 3 - TCT and TLPT Test Managers Article 4 - Organisational arrangements for financial entities Article 5 - Risk management for TLPT Article 6 - Risk management for pooled or joint TLPTs Article 7 - Selection of TLPT providers Article 8 - Specificities for pooled or joint TLPTs Article 9 - Preparation phase Q&A Article 10 - Testing phase: threat intelligence Article 11 - Testing phase: red team test Article 12 - Closure phase Article 13 - Remediation plan Article 14 - Attestation Article 15 - Use of internal testers Article 16 - Cooperation and mutual recognition Article 17 - Entry into force ANNEX I - Content of the project charter (Article 9(2)(a))ANNEX II - Content of the scope specification document (Article 9(6))ANNEX III - Content of the targeted threat intelligence report (Article 10(5))ANNEX IV - Content of the red team test plan (Article 11(1))ANNEX V - Content of the red team test report (Article 12(2))ANNEX VI - Content of the blue team test report (Article 12(4))ANNEX VII - Details of the report summarizing the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554 ANNEX VIII - Details of the attestation of the TLPT referred to in Article 26(7) of Regulation (EU) 2022/2554