How to comply with article T.5 of TLPT RTS (EU 2025/1190)?

Question

I need to bring my Luxembourg organisation into compliance with article T.5 of TLPT RTS (EU 2025/1190) (UE 2025/1190). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Accepted Answer

The classic trapA TLPT is not an annual pentest you order from a vendor while ignoring the authority. The CSSF and the BCL, under the TIBER-LU framework, sanction two major drifts: phase slicing (entities launching red teaming before formal scope validation by the authority) and rushed closure (summary report submitted without a dated remediation plan, without white team lead validation, without final attestation). Without formal test recognition by the competent authority, the TLPT is legally non-existent under DORA Article 26, and the three-year cycle restarts from scratch.Minimum deliverables per phase that the CSSF checksPreparation: scoping document signed by the control team, identification of critical functions in real production, exercise risk register (continuity, client data, ICT providers in scope per CSSF circulars 22/806 and 25/882), dedicated crisis management plan.Threat intelligence: Targeted Threat Intelligence Report produced by an independent TI provider, with TTP scenarios mapped to MITRE ATT&CK, flags defined with the white team, and formal validation before switching to red teaming.Red teaming: approved Red Team Test Plan, timestamped execution log, technical evidence preservation, documented leg-up procedures if a scenario is blocked, effective duration of 10 to 12 weeks minimum.Closure: Red Team Test Report, Blue Team Report, documented Replay Workshop, Remediation Plan with owners and deadlines, Test Summary Report and joint entity / authority Attestation.Remediation loop: integration into the ICT risk management framework per CSSF circular 20/750, tracking of corrective actions through closure.How Luxgap automates this riskOur Luxgap TLPT Orchestrator turns a 10-month TLPT into a phase-by-phase, deliverable-by-deliverable production chain that is traceable and opposable to the CSSF and the BCL. The tool orchestrates the white team, red team, threat intelligence provider and control team in a shared encrypted workspace, with cryptographic timestamping of every artefact (RFC 3161) to guarantee the forensic integrity of the recognition file.Automatically generates deliverable templates compliant with RTS 2025/1190 and the TIBER-EU methodology revised on 11 February 2025 (scoping document, TTIR, RTTP, RT report, BT report, summary report, attestation).Verifies in real time that each phase has received formal authority validation before the next phase can start, technically blocking any premature red teaming kickoff.Connects the test scope to the ICT third-party register under RTS 2025/532 and CSSF circulars 22/806 and 25/882, materialising the inclusion of critical subcontractors in scope.Tracks flags, leg-ups and the red team technical evidence chain with timestamped sealing, opposable in case of scenario contestation.Automatically feeds the ICT risk register (CSSF circular 20/750) with Remediation Plan findings, through to effective closure of each corrective action.Produces the Test Summary Report and the pre-formatted...

TLPT phases: preparation, threat intelligence, red teaming, closure

They trust us

Before we chat