Published date: 8 December 2023

Consultation Paper - Draft Regulatory Technical Standards specifying elements related to threat led penetration tests (JC 2023 72)

4 March 2024
Comparison of Draft Technical Standards: Consultation Paper vs Final Report

The ESAs' second set of technical standards under the DORA is aimed at enhancing the digital operational resilience of the EU financial sector by strengthening financial entities' ICT and third-party risk management and incident reporting frameworks.

RTS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats Consultation Final Report Comparison
ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats Consultation Final Report Comparison
RTS on the harmonization of conditions enabling the conduct of the oversight activities Consultation Final Report Comparison
RTS specifying the criteria for determining the composition of the joint examination team (JET) Consultation Final Report Comparison
RTS on threat-led penetration testing (TLPT) Consultation Final Report Comparison
Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents Consultation Final Report Comparison
Guidelines on oversight cooperation Consultation Final Report Comparison
1. Responding to this consultation
2. Executive Summary
3. Background and rationale
3.1 Introduction
3.2 Drafting principles: DORA and the TIBER-EU framework
3.3 Other general drafting principles
3.4 Approach on the identification of financial entities required to perform TLPT
3.5 Approach on the testing: scope, methodology, conclusion
3.6 Approach on the use of internal testers
3.7 Approach on cooperation
4. Draft Regulatory Technical Standards
Chapter I General provisions (art. 1)
Article 1 Definitions
Chapter II Criteria to identify financial entities required to perform TLPT (art. 2)
Article 2 Identification of financial entities required to perform TLPT
Chapter III Requirements regarding test scope, testing methodology and results of TLPT (arts. 3-10)
Section I Testing methodology (arts. 3-5)
Article 3 TCT and TLPT Test Managers
Article 4 Organisational arrangements for financial entities
Article 5 Risk management for TLPT
Section II Testing Process (arts. 6-10)
Article 6 Preparation phase
Article 7 Testing phase: Threat intelligence
Article 8 Testing phase: Red Team Test
Article 9 Closure phase
Article 10 Remediation plan
Chapter IV Requirements and standards governing the use of internal testers (art. 11)
Article 11 Use of internal testers
Chapter V Cooperation and mutual recognition and final provisions (arts. 12-13)
Article 12 Cooperation
Article 13 Entry into force and application
Annex I Content of the project charter
Annex II Content of the scope specification document
Annex III Content of the targeted threat intelligence report
Annex IV Content of the red team test plan
Annex V Content of the red team test report
Annex VI Content for the blue team test report as referred to in Article 13(4)
Annex VII Details of the test summary report of the TLPT
Done at
5. Annex I: Draft impact assessment
6. Annex II: Overview of the questions for consultation