The communication between the TPP and the Bank (Sandbox or Berlin Group APIs) is always secured by using a TLS-connection Mutual authentication using TLS version 1.2 which is initiated by the TPP.
The TLS-connection has to be established always including client (i.e. TPP) authentication.
For this authentication the TPP has to use a qualified certificate for website authentication (QWAC) which has to be issued by a qualified trust service provider according to the eIDAS regulation.
The content of the certificate has to be compliant with the requirements of the EBA-RTS and follow the ETSI TS 119 495 V1.2.1 (2018-11) technical specification.
During the first connection setup, the TPP will be automatically onboarded and registered (enrolled) in the bank database. However, for security purpose, the bank requires the client certificate to be presented within each request.
Following the EBA clarification 07/06/2019, it's now possible to test the Sandbox using a test certificate. The only restriction is that the certificate used to establish the SSL MA must follow the QWAC format for PSD2, according to ETSI TS 119 495 V1.2.1 (2018-11)
For the Berlin Group APIs, the QWAC certificate has to be issued from a production CA.