How to comply with article T.8 of TLPT RTS (EU 2025/1190)?

Question

I need to bring my Luxembourg organisation into compliance with article T.8 of TLPT RTS (EU 2025/1190) (UE 2025/1190). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Accepted Answer

The classic trapThe fatal trap in Luxembourg: confusing a classic pentest with a TIBER-LU TLPT. Many Luxembourg financial entities believe that an annual penetration test from their usual provider covers Article 26 of DORA. It does not. The CSSF, TLPT authority within the meaning of Article 46 of DORA, sanctions entities that launch a TIBER-LU without prior notification to tiber@cssf.lu, that select a Threat Intelligence or Red Team Provider non-compliant with the outsourcing RTS 2025/532, or that fail to respect the official sequencing of the TIBER-LU Implementation Document of 20 June 2025. The BCL co-supervises and can refuse to deliver the final attestation.The 6 Luxembourg-specific TIBER-LU trapsBelieving TIBER-LU is optional: for an entity identified by the CSSF under RTS 2025/1190 criteria, the test is mandatory every 3 years, not a voluntary exercise.Underestimating the internal White Team: only 3 to 5 executives know about the test. A leak to the SOC or CISO invalidates the entire scenario and forces a restart.Choosing a non-eligible Red Team Provider: the provider must meet revised TIBER-EU criteria (independence, certifications, insurance), and its contract must comply with CSSF circulars 22/806 and 25/882 on ICT outsourcing.Defining a too-narrow scope: TLPT targets critical or important functions in live production, not a test environment. Many try to restrict, the CSSF rejects the scope.Neglecting the remediation phase: the final report must feed the ICT risk register under CSSF circular 20/750. A TIBER-LU without a tracked remediation plan is an invalid TIBER-LU.Forgetting critical third-party ICT providers: if your core banking is outsourced to eBRC, LuxConnect or a sovereign cloud, they fall in scope and their contracts must authorise the test (extended audit clause).How Luxgap automates this riskOur Luxgap TIBER Orchestrator turns the TIBER-LU fog into a piloted, milestoned project opposable to the CSSF. The tool drives the full 9 to 12 month cycle by orchestrating the confidential White Team, validating eligibility of Threat Intelligence and Red Team providers against TIBER-EU 2025 criteria, and generating each deliverable expected by tiber@cssf.lu in the exact format of the TIBER-LU Implementation Document of 20 June 2025.Automatically assesses your TLPT eligibility against RTS 2025/1190 criteria (size, critical functions, interconnection) and produces a defensible self-positioning memo for the CSSF.Hosts the White Team in an encrypted siloed workspace with timestamped audit trail, without contaminating the business IT and without visibility for the targeted SOC or CISO.Verifies in real time the contractual compliance of your Red Team and Threat Intelligence providers against CSSF circulars 22/806, 25/882 and RTS 2025/532 (certifications, independence, insurance, cascading sub-outsourcing).Generates the official TIBER-LU cycle deliverables: Scope Specification Document, Threat Intelligence Report, Red Team Test Plan, Red Tea...

TIBER-LU and the CSSF role: the Luxembourg implementation

They trust us

Before we chat