Updated 01/07/2025
Coming into force on 08/07/2025

Article 10 - Delegated Regulation 2025/1190

Article 10

Testing phase: threat intelligence

1.   Following the approval of the scope specification document by the TLPT authority, the threat intelligence provider shall analyse generic and sector-specific threat intelligence relevant for the financial entity. Where a generic threat landscape has been provided by the TLPT authority for the financial sector of a Member State, the threat intelligence provider may use that landscape as a baseline for the national threat landscape. The threat intelligence provider shall identify cyber threats and existing or potential vulnerabilities concerning the financial entity. Furthermore, the threat intelligence provider shall gather information on, and analyse concrete, actionable, and contextualised target and threat intelligence concerning the financial entity, including through consulting the control team and the test managers.

2.   The threat intelligence provider shall present the relevant threats and targeted threat intelligence, and propose requisite scenarios to the control team, testers and test managers. The proposed scenarios shall differ with reference to the identified threat actors and associated tactics, techniques and procedures and shall target each critical or important function in the scope of the TLPT.

3.   The control team lead shall select at least three scenarios to conduct the TLPT on the basis of all of the following elements:

(a) the recommendation by the threat intelligence provider and the threat-led nature of each scenario;

(b) the input provided by the test managers;

(c) the feasibility of the proposed scenarios for execution, based on the expert judgement of the testers;

(d) the size, complexity and overall risk profile of the financial entity and the nature, scale, and complexity of its services, activities, and operations.

4.   No more than one of the selected scenarios may be non-threat-led and may be based on a forward-looking and potentially fictive threat with high predictive, anticipative, opportunistic, or prospective value given the anticipated developments of the threat landscape concerning the financial entity.

For pooled TLPTs, without prejudice to the scenarios targeting directly the critical or important functions of the financial entities involved in the testing, at least one scenario shall include the ICT third-party services provider’s relevant underlying ICT systems, processes, and technologies supporting the critical or important functions of the financial entities in scope.

Where the test is a joint TLPT involving an ICT intra-group service provider, without prejudice to the scenarios targeting directly the critical or important functions of the financial entities involved in the test, at least one scenario shall include the ICT intragroup services provider’s relevant underlying ICT systems, processes and technologies supporting the critical or important functions of the financial entities in scope.

5.   The threat intelligence provider shall provide the targeted threat intelligence report to the control team, including the scenarios selected in accordance with paragraphs 3 and 4. The threat intelligence report shall contain the information set out in Annex III.

6.   The control team shall submit the targeted threat intelligence report to the test manager for approval. Where the targeted threat intelligence report is complete and ensures the performance of an effective TLPT, the TLPT authority shall approve the targeted threat intelligence report and inform the control team lead thereof.