Article 12 | Delegated Regulation 2025/1190

Updated 01/07/2025

Metadata

Coming into force on 08/07/2025

Initial Legal Act

Amendments

Article 12 - Delegated Regulation 2025/1190

Article 12

Closure phase

1. Following the end of the active red team testing phase, the control team lead shall inform the blue team that a TLPT took place.

2. Within 4 weeks from the end of the active red team testing phase, the testers shall submit to the control team a red team test report containing the information set out in Annex V.

3. The control team shall provide the red team test report to the blue team and test managers without undue delay.

At the request of the test managers, the report referred to in the first subparagraph shall not contain sensitive information.

4. Upon receipt of the red team test report, and no later than 10 weeks after the end of the active red team testing phase, the blue team shall submit to the control team a blue team test report containing the information set out in Annex VI. The control team shall provide the blue team test report to the testers and the test managers without undue delay.

At the request of the test managers, the report referred to in the first subparagraph shall not contain sensitive information.

5. No later than 10 weeks after the end of the active red team testing phase, the blue team and the testers shall replay the offensive and defensive actions performed during the TLPT. The control team shall also conduct a purple teaming exercise on topics jointly identified by the blue team and the testers, based on vulnerabilities identified during the test and, where relevant, on issues that could not be tested during the active red team testing phase.

6. After completion of the replay and purple teaming exercises, the control team, the blue team, the testers, and threat intelligence providers shall provide feedback to each other on the TLPT process. The test managers may provide feedback.

7. Once the TLPT authority has notified the control team lead that it has assessed that the blue team test report and the red team test report contain the information set out in Annexes V and VI, the financial entity shall within 8 weeks submit the report summarising the relevant findings of the TLPT to the TLPT authority, as referred to in Article 26(6) of Regulation (EU) 2022/2554, containing the elements set out in Annex VII for approval.

At the request of the TLPT authority, the report referred to in the first subparagraph shall not contain sensitive information.

Recitals Article 1 - Definitions Article 2 - Identification of financial entities required to perform TLPT Article 3 - TCT and TLPT Test Managers Article 4 - Organisational arrangements for financial entities Article 5 - Risk management for TLPT Article 6 - Risk management for pooled or joint TLPTs Article 7 - Selection of TLPT providers Article 8 - Specificities for pooled or joint TLPTs Article 9 - Preparation phase Article 10 - Testing phase: threat intelligence Article 11 - Testing phase: red team test Article 12 - Closure phase Article 13 - Remediation plan Article 14 - Attestation Article 15 - Use of internal testers Article 16 - Cooperation and mutual recognition Article 17 - Entry into force ANNEX I - Content of the project charter (Article 9(2)(a))ANNEX II - Content of the scope specification document (Article 9(6))ANNEX III - Content of the targeted threat intelligence report (Article 10(5))ANNEX IV - Content of the red team test plan (Article 11(1))ANNEX V - Content of the red team test report (Article 12(2))ANNEX VI - Content of the blue team test report (Article 12(4))ANNEX VII - Details of the report summarizing the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554 ANNEX VIII - Details of the attestation of the TLPT referred to in Article 26(7) of Regulation (EU) 2022/2554

Metadata

Related documents

Article 12 - Delegated Regulation 2025/1190

Table of contents