# Art. 26 — Advanced testing (TLPT) 1. Financial entities, other than entities referred to in [Article 16(1)](/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-16-simplified-ict-risk-management-framework.md), first subparagraph, and other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), which are identified in accordance with paragraph 8, third subparagraph, of this Article, shall carry out at least every 3 years advanced testing by means of TLPT. Based on the risk profile of the financial entity and taking into account operational circumstances, the competent authority may, where necessary, request the financial entity to reduce or increase this frequency. 2. Each threat-led penetration test shall cover several or all [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) of a financial entity, and shall be performed on live production systems supporting such functions. Financial entities shall identify all relevant underlying ICT systems, processes and technologies supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) and [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services), including those supporting the [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) which have been outsourced or contracted to [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider). Financial entities shall assess which [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) need to be covered by the TLPT. The result of this assessment shall determine the precise scope of TLPT and shall be validated by the competent authorities. 3. Where [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) are included in the scope of TLPT, the financial entity shall take the necessary measures and safeguards to ensure the participation of such [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) in the TLPT and shall retain at all times full responsibility for ensuring compliance with this Regulation. 4. Without prejudice to paragraph 2, first and second subparagraphs, where the participation of an [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) in the TLPT, referred to in paragraph 3, is reasonably expected to have an adverse impact on the quality or security of services delivered by the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) to customers that are entities falling outside the scope of this Regulation, or on the confidentiality of the data related to such services, the financial entity and the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) may agree in writing that the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) directly enters into contractual arrangements with an external tester, for the purpose of conducting, under the direction of one designated financial entity, a pooled TLPT involving several financial entities (pooled testing) to which the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) provides [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services). That pooled testing shall cover the relevant range of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) contracted to the respective [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) by the financial entities. The pooled testing shall be considered TLPT carried out by the financial entities participating in the pooled testing. The number of financial entities participating in the pooled testing shall be duly calibrated taking into account the complexity and types of services involved. 5. Financial entities shall, with the cooperation of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) and other parties involved, including the testers but excluding the competent authorities, apply effective risk management controls to mitigate the risks of any potential impact on data, damage to assets, and disruption to [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function), services or operations at the financial entity itself, its counterparts or to the financial sector. 6. At the end of the testing, after reports and remediation plans have been agreed, the financial entity and, where applicable, the external testers shall provide to the authority, designated in accordance with paragraph 9 or 10, a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements. 7. Authorities shall provide financial entities with an attestation confirming that the test was performed in accordance with the requirements as evidenced in the documentation in order to allow for mutual recognition of threat led penetration tests between competent authorities. The financial entity shall notify the relevant competent authority of the attestation, the summary of the relevant findings and the remediation plans. Without prejudice to such attestation, financial entities shall remain at all times fully responsible for the impact of the tests referred to in paragraph 4. 8. Financial entities shall contract testers for the purposes of undertaking TLPT in accordance with [Article 27](/dora/digital-operational-resilience-act/chapter-iv-digital-operational-resilience-testing/article-27-requirements-for-testers.md). When financial entities use internal testers for the purposes of undertaking TLPT, they shall contract external testers every three tests. [Credit institutions](https://www.mica.wtf/definitions/definitions/dora/credit-institution) that are classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013, shall only use external testers in accordance with [Article 27(1)](/dora/digital-operational-resilience-act/chapter-iv-digital-operational-resilience-testing/article-27-requirements-for-testers.md), points (a) to (e). Competent authorities shall identify financial entities that are required to perform TLPT taking into account the criteria set out in [Article 4(2)](/dora/digital-operational-resilience-act/chapter-i-general-provisions/article-4-proportionality-principle.md), based on an assessment of the following: 1. impact-related factors, in particular the extent to which the services provided and activities undertaken by the financial entity impact the financial sector; 2. possible financial stability concerns, including the systemic character of the financial entity at Union or national level, as applicable; 3. specific [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) profile, level of ICT maturity of the financial entity or technology features involved. 9. Member States may designate a single [public authority](https://www.mica.wtf/definitions/definitions/dora/public-authority) in the financial sector to be responsible for TLPT-related matters in the financial sector at national level and shall entrust it with all competences and tasks to that effect. 10. In the absence of a designation in accordance with paragraph 9 of this Article, and without prejudice to the power to identify the financial entities that are required to perform TLPT, a competent authority may delegate the exercise of some or all of the tasks referred to in this Article and [Article 27](/dora/digital-operational-resilience-act/chapter-iv-digital-operational-resilience-testing/article-27-requirements-for-testers.md) to another national authority in the financial sector. 11. The ESAs shall, in agreement with the ECB, develop joint draft regulatory technical standards in accordance with the TIBER-EU framework in order to specify further: 1. the criteria used for the purpose of the application of paragraph 8, second subparagraph; 2. the requirements and standards governing the use of internal testers; 3. the requirements in relation to: 1. the scope of TLPT referred to in paragraph 2; 2. the testing methodology and approach to be followed for each specific phase of the testing process; 3. the results, closure and remediation stages of the testing; 4. the type of supervisory and other relevant cooperation which are needed for the implementation of TLPT, and for the facilitation of mutual recognition of that testing, in the context of financial entities that operate in more than one Member State, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub-sectors or local financial markets. When developing those draft regulatory technical standards, the ESAs shall give due consideration to any specific feature arising from the distinct nature of activities across different financial services sectors. The ESAs shall submit those draft regulatory technical standards to the Commission by 17 July 2024. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.mica.wtf/dora/digital-operational-resilience-act/chapter-iv-digital-operational-resilience-testing/article-26-advanced-testing-tlpt.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.