How to comply with article T.7 of TLPT RTS (EU 2025/1190)?

Question

I need to bring my Luxembourg organisation into compliance with article T.7 of TLPT RTS (EU 2025/1190) (UE 2025/1190). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Accepted Answer

The classic trapMutual recognition is not automatic. Too many Luxembourg entities, subsidiaries of European groups, assume that a TLPT conducted under BaFin, Banque de France or DNB supervision covers their LU perimeter by default. The CSSF and BCL sanction the absence of prior notification and the failure to integrate the Luxembourg scope (critical functions operated from Kahler, Esch or Luxembourg-City) into the pooled testing. Result: the test is invalid for LU jurisdiction and must be replayed, doubling cost and delaying the triennial cycle under DORA article 26.Concrete pitfalls of pooled and mutual recognition testsLU scope missing from scoping document: if critical functions operated from Luxembourg are not explicitly listed in the joint scope, the CSSF will not recognise the test, even if conducted under TIBER-EU.Incomplete white team: recognition requires a white team including a representative of the LU entity and a CSSF/BCL contact point from kick-off, in line with the TIBER-LU Implementation Document revised on 20 June 2025.Common critical ICT provider: a joint test on Equinix, eBRC, LuxConnect or a hyperscale cloud must be coordinated with the CSSF upstream, otherwise it breaches CSSF circulars 22/806 and 25/882 on ICT outsourcing.Unshared threat intelligence: the TI provider must deliver a threat dossier specific to the Luxembourg context (actors targeting the financial centre), not a copy-paste of the group dossier.Siloed remediation: findings must feed the LU ICT risk register under CSSF circular 20/750, not only the group register.Final attestation: the CSSF requires an attestation co-signed by the lead authority and the CSSF, without which the TLPT is not enforceable.How Luxgap automates this riskOur Luxgap TLPT Cross-Border Orchestrator eliminates the grey zone of mutual recognition by piloting in real time the coordination between your European lead authority, the CSSF and the BCL. The tool ingests your group scoping document, automatically maps critical functions operated from Luxembourg via your CMDB, Azure Resource Graph and AWS Organizations, and detects gaps that would invalidate CSSF recognition even before kick-off.Detects LU critical functions missing from the group scoping document by cross-referencing CMDB, Active Directory, Azure tenants and outsourcing registers under CSSF circular 22/806.Generates the CSSF/BCL notification dossier compliant with the TIBER-LU Implementation Document of 20 June 2025, including scoping, white team composition and triennial calendar under DORA article 26.Identifies critical ICT providers (eBRC, LuxConnect, hyperscalers, SWIFT) shared with other LU financial entities eligible for joint testing, and proposes optimal pooling.Synchronises the threat intelligence provider and red team provider on Luxembourg-specific requirements (financial centre, funds, depositaries).Produces a live dashboard of progress as seen by the CSSF and the lead authority, with Teams alerts in case of timeline ...

Mutual recognition and cross-border pooled testing

They trust us

Before we chat