ANNEX III | Delegated Regulation 2025/1190

Updated 01/07/2025

Metadata

Coming into force on 08/07/2025

Initial Legal Act

Amendments

ANNEX III - Delegated Regulation 2025/1190

ANNEX III

Content of the targeted threat intelligence report (Article 10(5))

The targeted threat intelligence report shall contain information on all of the following:

The overall scope of the intelligence research including at least the following:

(a)	critical or important functions in scope;

(b)	their geographical location;

(c)	official EU language in use;

(d)	relevant ICT third party services providers;

(e)	period of time over which the research is gathered.

The overall assessment of what concrete actionable intelligence can be found about the financial entity, including:

(a)	the employee usernames and passwords;

(b)	the look-alike domains which can be mistaken for official domains of the financial entity;

(c)	technical reconnaissance: vulnerable or exploitable software, systems and technologies;

(d)	information posted by employees on the internet, related to the financial entity, which might be used for the purposes of an attack;

(e)	information for sale on the dark web;

(f)	any other relevant information available on the internet or public networks;

(g)	where relevant, physical targeting information, including ways of access to the premises of the financial entity.

Threat intelligence analysis considering the general threat landscape and the particular situation of the financial entity, including, at least:

(a)	the geopolitical environment;

(b)	the economic environment;

(c)	technological trends and any other trends related to the activities in the financial services sector.

Threat profiles of the malicious actors (specific individual/group or generic class) that may target the financial entity, including the systems of the financial entity that malicious actors are most likely to compromise or target, the possible motivation, intent and rationale for the potential targeting and the possible modus operandi of the attackers.

Threat scenarios: at least three end-to-end threat scenarios for the threat profiles identified in accordance with point 4 who exhibit the highest threat severity scores. The threat scenarios shall describe the end-to-end attack path and shall include, at least:

(a)	one scenario that includes but is not limited to compromised service availability;

(b)	one scenario that includes but is not limited to compromised data integrity;

(c)	one scenario that includes but is not limited to compromised information confidentiality.

6.	Where relevant, a description of the non-threat-led scenario referred to in Article 10(4).

Recitals Article 1 - Definitions Article 2 - Identification of financial entities required to perform TLPT Article 3 - TCT and TLPT Test Managers Article 4 - Organisational arrangements for financial entities Article 5 - Risk management for TLPT Article 6 - Risk management for pooled or joint TLPTs Article 7 - Selection of TLPT providers Article 8 - Specificities for pooled or joint TLPTs Article 9 - Preparation phase Article 10 - Testing phase: threat intelligence Article 11 - Testing phase: red team test Article 12 - Closure phase Article 13 - Remediation plan Article 14 - Attestation Article 15 - Use of internal testers Article 16 - Cooperation and mutual recognition Article 17 - Entry into force ANNEX I - Content of the project charter (Article 9(2)(a))ANNEX II - Content of the scope specification document (Article 9(6))ANNEX III - Content of the targeted threat intelligence report (Article 10(5))ANNEX IV - Content of the red team test plan (Article 11(1))ANNEX V - Content of the red team test report (Article 12(2))ANNEX VI - Content of the blue team test report (Article 12(4))ANNEX VII - Details of the report summarizing the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554 ANNEX VIII - Details of the attestation of the TLPT referred to in Article 26(7) of Regulation (EU) 2022/2554

Metadata

Related documents

ANNEX III - Delegated Regulation 2025/1190

Table of contents