How to comply with article T.3 of TLPT RTS (EU 2025/1190)?

Question

I need to bring my Luxembourg organisation into compliance with article T.3 of TLPT RTS (EU 2025/1190) (UE 2025/1190). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Accepted Answer

The classic trapThe CSSF, acting as TLPT authority under Article 46 of DORA, sanctions two recurring failures: selecting a red team without documented verification of individual certifications (CREST, OSCP, GIAC GXPN) and the absence of professional liability insurance covering damages on live production. More subtly, some Luxembourg banks try to save money by mobilising their internal pentest team without prior CSSF authorisation, which retroactively invalidates the test under RTS 2025/1190 and forces them to restart the full three-year cycle. The BCL, co-pilot of the TIBER-LU framework, also refuses any scenario where threat intelligence is produced internally, even by a dedicated CTI cell.Eligibility criteria the CSSF will verify line by lineNamed individual certifications for each red team member, with validity dates and renewal evidence.Five references of TLPT or red team operations on critical functions in live production, performed in the last three years, preferably in the financial sector.Professional liability insurance certificate with explicit cap covering service disruption, data loss and reputational damages.Conflict of interest declaration: the provider must not audit, advise or operate the same systems being tested.For internal testers: org chart proving hierarchical separation from the operational CISO and blue team, plus written commitment of non-reuse in the next cycle.Threat intelligence provider mandatorily external, distinct from the red team, with documented methodology aligned with TIBER-EU revised on 11 February 2025.How Luxgap automates this riskOur Luxgap TLPT Tester Vetting Engine turns due diligence on your testers into a CSSF-ready file in under 72 hours, where banks typically spend six weeks producing an incomplete dossier. The tool continuously queries CREST, OffSec and GIAC registries via official APIs, cross-references declared experience with public breach disclosure databases and HackerOne, and automatically builds the conflict of interest matrix by analysing your Odoo vendor contracts, Active Directory access and ICT third-party register maintained under CSSF circulars 22/806 and 25/882.Verifies in real time the validity of each proposed red teamer's individual certifications and alerts as soon as one expires during the test window.Automatically maps conflicts of interest by cross-referencing the candidate provider with your active ICT contracts, external auditors and cybersecurity consultants from the last five years.Generates the prior authorisation file for internal testers expected by the CSSF, with independence org chart, non-reuse commitment and blue team / red team / white team separation matrix.Controls that the threat intelligence provider is legally and capital-wise distinct from the red team, up to the parent company level.Produces a timestamped, cryptographically signed PDF, directly attachable to the TIBER-LU file revised on 20 June 2025 and reusable as evidence in ICT risk management under CSS...

Internal and external testers: conditions and independence

They trust us

Before we chat