(a)

the establishment and implementation of a policy for the management of internal testers in a TLPT;

(b)

measures to ensure that the use of internal testers to perform a TLPT does not negatively impact the financial entity’s general defensive or resilience capabilities regarding ICT-related incidents or significantly impacts the availability of resources devoted to ICT-related tasks during a TLPT;

(c)

measures to ensure that internal testers have sufficient resources and capabilities to perform a TLPT.

(a)

contain criteria to assess suitability, competence, potential conflicts of interest of the internal testers and specify management responsibilities in the testing process;

(b)

be documented and periodically reviewed;

(c)

provide that the internal testing team includes a test lead, and at least two additional members;

(d)

require that all members of the test team have been employed by the financial entity or by an ICT intra-group service provider for the preceding 12 months;

(e)

include provisions on training on how to perform penetration testing and red team testing of the internal testers.

(a)

the test initiation information referred to in Article 9;

(b)

the red team test report referred to in Article 12(2);

(c)

the report summarising the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554.