Article T.2

The key roles: red team, blue team, white team, threat intelligence

Commission Delegated Regulation (EU) 2025/1190 on threat-led penetration testing (TLPT) under DORA · EU 2025/1190

RTS 2025/1190 structures TLPT around distinct roles, taken from the TIBER-EU framework:

  • Red team (testers): simulate the tactics, techniques and procedures (TTPs) of real advanced attackers against the entity's production systems.
  • Blue team: the entity's defence teams (SOC, IT, security), who are not informed of the test, so that the exercise stays realistic.
  • White team / control team: the restricted internal circle steering the test on the entity side, aware of the exercise and managing risks.
  • Threat intelligence provider: produces the threat intelligence report (credible entity-specific attack scenarios) guiding the red team.
  • TLPT authority: in Luxembourg, the CSSF, which validates the scope, oversees the exercise and recognises the test.