ANNEX V | Delegated Regulation 2025/1190 | judict

Updated 03/11/2025

Metadata

In force

Initial Legal Act

Amendments

Related documents

BaFin (DE) (0)

Central Bank of Ireland (IE) (0)

ESMA (0)

EIOPA (0)

EBA (0)

European Central Bank (0)

DG FISMA (0)

Search within this legal act

DORA Tool Delegated Regulation 2025/1190

ANNEX V

ANNEX V - Delegated Regulation 2025/1190

ANNEX V

Content of the red team test report (Article 12(2))

The red team test report shall contain information on at least all of the following:

(a)

information on the performed attack, including:

(i)	the targeted critical or important functions and identified ICT systems, processes and technologies supporting the critical or important function, as identified in the red team test plan;

(ii)	summary of each scenario;

(iii)

flags reached and not reached;

(iv)	attack paths followed successfully and unsuccessfully;

(v)	tactics, techniques and procedures used successfully and unsuccessfully;

(vi)	deviations from the red team test plan, if any;

(vii)

leg-ups granted, if any;

(b)	all actions that the testers are aware of that were performed by the blue team to reconstruct the attack and to mitigate its effects;

(c)

discovered vulnerabilities and other findings, including:

(i)	vulnerability and other finding description including their criticality;

(ii)	root cause analysis of successful attacks;

(iii)

recommendations for remediation including indication of the remediation priority.

Table of contents

Recitals Article 1 - Definitions Q&A Article 2 - Identification of financial entities required to perform TLPT Article 3 - TCT and TLPT Test Managers Article 4 - Organisational arrangements for financial entities Article 5 - Risk management for TLPT Article 6 - Risk management for pooled or joint TLPTs Article 7 - Selection of TLPT providers Article 8 - Specificities for pooled or joint TLPTs Article 9 - Preparation phase Q&A Article 10 - Testing phase: threat intelligence Article 11 - Testing phase: red team test Article 12 - Closure phase Article 13 - Remediation plan Article 14 - Attestation Article 15 - Use of internal testers Article 16 - Cooperation and mutual recognition Article 17 - Entry into force ANNEX I - Content of the project charter (Article 9(2)(a))ANNEX II - Content of the scope specification document (Article 9(6))ANNEX III - Content of the targeted threat intelligence report (Article 10(5))ANNEX IV - Content of the red team test plan (Article 11(1))ANNEX V - Content of the red team test report (Article 12(2))ANNEX VI - Content of the blue team test report (Article 12(4))ANNEX VII - Details of the report summarizing the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554 ANNEX VIII - Details of the attestation of the TLPT referred to in Article 26(7) of Regulation (EU) 2022/2554