How to comply with article T.6 of TLPT RTS (EU 2025/1190)?

Question

I need to bring my Luxembourg organisation into compliance with article T.6 of TLPT RTS (EU 2025/1190) (UE 2025/1190). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Accepted Answer

The classic trapThe CSSF does not penalise finding vulnerabilities during the TLPT, it penalises the absence of tracked remediation. The trap: produce a polished final report, obtain the attestation, then close the file. Six months later, during the annual ICT review under DORA Art. 6, the authority asks for evidence that each finding was fixed and re-tested. Without a timestamped remediation register feeding the ICT risk management framework (Circular 20/750 as amended by 25/881), the entity is in breach of DORA Art. 5 to 16, and the BCL can reclassify the TLPT as a purely formal exercise.The concrete requirements of the T.6 closure phaseSummary report signed by the red team provider and validated by the white team, with full MITRE ATT&CK mapping and attack chain.Remediation plan prioritised by criticality (CVSS plus business impact on the critical functions tested), with named owner and firm deadline for each finding.CSSF attestation issued only if the test actually covers critical functions in production, with the three teams present (red, blue, white) and threat intelligence documented.Mandatory re-test of critical and high findings before final closure, with technical evidence (screenshots, SIEM logs, ITSM tickets).Integration of findings into the DORA ICT risk register and into the continuity plan, with updated incident scenarios.Documentation retained for at least 5 years for CSSF audit and BCL inspection under TIBER-LU.Explicit inclusion of tested ICT providers in scope, consistent with outsourcing RTS 2025/532 and CSSF Circulars 22/806 and 25/882.How Luxgap automates this riskOur Luxgap TLPT Remediation Tracker turns your post-TLPT remediation plan into continuous opposable evidence, and makes it impossible to drift between the CSSF attestation and the annual DORA review. The tool ingests the red team report (MITRE ATT&CK Navigator, Cobalt Strike, Dradis formats), reconciles each finding with your ICT risk register, and drives remediation through to certified re-test without manual CISO intervention.Ingests the red team report and automatically breaks each finding into Jira, ServiceNow or Azure DevOps tickets, with owner, deadline and criticality computed from CVSS and impact on critical functions.Synchronises remediation status in real time with your SIEM (Microsoft Sentinel, Splunk, Wazuh) and EDR (Defender, CrowdStrike) to technically prove that the fix is deployed and active.Automatically triggers a targeted re-test on critical findings via integration with your red team provider or via authenticated scan, and archives the closure evidence.Feeds directly the DORA Art. 6 ICT risk register and updates the indicators of CSSF Circular 20/750, with a cryptographically sealed audit trail.Generates a CSSF-ready dashboard showing remediation rate, mean time to fix and critical-function coverage, exportable as a timestamped PDF for inspection.Alerts the white team and the CISO via Teams or Slack as soon as a critical finding misses its dea...

Closure, report and remediation: what the authority expects

They trust us

Before we chat