Annex II Content of the scope specification document (Article 9(6))

1. The scope specification document shall contain a list of all critical or important functions identified by the financial entity.
2. For each identified critical or important function, the following information shall be included:

  (a) where the critical or important function is not included in the scope of the TLPT, the explanation of the reasons for which it is not included;
  (b) where the critical or important function is included in the scope of the TLPT:

    (i) the explanation of the reasons for its inclusion;
    (ii) the identified ICT system(s) supporting that critical or important function;
    (iii) for each identified ICT system:

      1. whether it is outsourced and if so, the name of the ICT third party service provider;
      2. the jurisdictions in which the ICT system is used;
      3. a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.