In February 2025 the European Central Bank (ECB) published an updated version of TIBER-EU, the European framework for threat intelligence-based ethical red-teaming, to align it with the regulatory technical standards (RTS) on threat-led penetration testing (TLPT) adopted under the Digital Operational Resilience Act (DORA). Because DORA required the RTS to be drafted in line with TIBER-EU, the updated framework is in practice the implementation guide for financial entities planning their TLPT programmes.

What is TIBER-EU?

TIBER-EU is the European framework for Threat Intelligence-Based Ethical Red-teaming, first published by the ECB in 2018 and adopted by national authorities across the EU. It provides a standardized approach to testing the cyber resilience of financial institutions through controlled, intelligence-led attack simulations against their live production systems, covering people, processes and technology rather than a fixed list of hosts.

Key Components

  • Threat Intelligence: a targeted threat intelligence report describing the actors most likely to target the entity and the tactics, techniques and procedures they actually use, which the red team turns into attack scenarios
  • Red Team Testing: covert simulated attacks by skilled ethical hackers against the critical functions in scope
  • White Team (DORA: control team): the small group inside the entity that knows the test is running, manages the risk of testing in production and can pause or stop the test
  • Blue Team Response: the entity's detection and response staff, who are not told about the test so that real detection and response capability is measured
  • Purple Team Collaboration: joint red/blue work in the closure phase that turns findings into concrete improvements to defensive measures

DORA TLPT Requirements

Under DORA (Article 26), financial entities identified by their competent authority must carry out TLPT at least every three years; the authority may reduce or increase that frequency based on the entity's risk profile. The RTS on TLPT (a Commission Delegated Regulation supplementing DORA) sets out which entities are in scope, how the test is run and what the testers must satisfy, and the updated TIBER-EU framework now follows these requirements directly.

Who Must Conduct TLPT?

TLPT is not required of every financial entity. The competent authority (or the single public authority a Member State designates for TLPT) identifies the entities that must test, applying the criteria in the RTS. Broadly these are:

  • Credit institutions that are global or other systemically important institutions, or that meet the RTS size and criticality criteria
  • Payment institutions and electronic money institutions above the RTS thresholds
  • Central counterparties, central securities depositories and trading venues
  • Large insurance and reinsurance undertakings
  • Other entities the authority considers to have a systemic impact, assessed on criteria such as size, interconnectedness and the criticality of the services they provide

Entities outside these criteria are not obliged to run a TLPT, but may still run a TIBER-EU test voluntarily.

TLPT Frequency Requirements

Entity type                                          Minimum TLPT frequency
Credit institutions identified under the RTS         Every 3 years
Insurance and reinsurance undertakings identified    Every 3 years
CCPs, CSDs and trading venues identified             Every 3 years
Other entities identified by the authority           Every 3 years

The three-year baseline applies to every identified entity regardless of type. DORA does not set a shorter statutory interval for banks, but the competent authority may require a shorter (or permit a longer) interval depending on the entity's risk profile and operational circumstances.

Key Updates in TIBER-EU 2025

Alignment with DORA RTS

The updated framework now directly maps to DORA's regulatory technical standards, including:

  • Harmonized testing methodologies
  • Standardized reporting formats
  • Clear scope definition requirements
  • Qualified tester requirements
  • Authority notification procedures

Enhanced Guidance Areas

  1. Scope determination: How to identify critical functions for testing
  2. Threat intelligence: Requirements for threat scenario development
  3. Tester qualifications: Skills and certifications for red team providers
  4. Testing execution: Phases and deliverables
  5. Remediation tracking: Following up on findings

TLPT Process Under TIBER-EU/DORA

TIBER-EU runs in three phases (preparation, testing, closure), with the testing phase split between the threat intelligence provider and the red team. The durations below are indicative; the only duration fixed by the DORA RTS is the red-team phase, which must last at least 12 weeks.

Phase 1: Preparation (indicatively 4-6 weeks once providers are engaged)

  • Engage the competent authority / TLPT authority (in TIBER terms, the TIBER Cyber Team)
  • Define scope: the critical or important functions to be tested and the systems, people and third parties supporting them, documented in a scope specification the authority validates
  • Select the threat intelligence provider (always external)
  • Select the red team provider (external, or internal with authority approval)
  • Set up the white team (control team), governance, risk management and secure communication channels

Phase 2: Threat Intelligence (indicatively 4-6 weeks)

  • Gather intelligence on the threat actors relevant to the entity and to the financial sector
  • Develop realistic attack scenarios mapped to those actors' tactics, techniques and procedures
  • Produce the targeted threat intelligence report and the red team test plan
  • Validate scenarios and flags (the agreed test objectives) with the white team and the authority

Phase 3: Red Team Testing (at least 12 weeks under the DORA RTS)

  • Execute the scenarios end to end against live production systems, with the blue team uninformed
  • Test technical and human defences: phishing, physical access, lateral movement, privilege escalation, and capture of the agreed flags
  • Log every action with timestamp, target and technique so the closure phase can replay it against blue team detections
  • Use pre-agreed leg-ups when a scenario stalls, so that later stages of the kill chain are still tested
  • Maintain operational security and risk controls, including the white team's authority to pause or stop the test

Phase 4: Closure (indicatively 2-4 weeks)

  • Red team test report, followed by a blue team report on what was detected and how response went
  • Replay of the attack path and purple teaming to analyse detection and response gaps
  • Summary of findings and remediation plan submitted to the competent authority, which issues an attestation that the test met DORA's requirements
  • Remediation planning and tracking, with follow-up reported to the authority

Qualified Tester Requirements

DORA Article 27 sets the minimum requirements for TLPT testers, and the TIBER-EU services procurement guidelines add detail. In summary, testers must:

  • Be of the highest suitability and reputability
  • Have the technical and organisational capabilities and specific expertise in threat intelligence, penetration testing and red team testing
  • Be certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks (industry accreditations such as CREST and individual certifications such as OSCP are commonly offered as evidence, but DORA does not name any specific one)
  • Provide an independent assurance or audit report showing that they manage the risks of testing, including the protection of the entity's data
  • Be fully covered by relevant professional indemnity insurance
  • Be free of conflicts of interest with the entity and with each other, with staff screened through background checks
  • Have demonstrable experience with TIBER-EU or equivalent frameworks and with financial sector threats

Threat intelligence providers must always be external. Red team testing may be performed by internal testers only if the competent authority approves, the entity has sufficient dedicated resources, and conflicts of interest are avoided throughout the design and execution of the test. In practice most entities contract both roles to specialised providers with prior TIBER experience.

Reporting Requirements

To Competent Authorities

Financial entities provide the competent authority with:

  • The scope specification before testing, for validation (the authority may challenge or extend it)
  • The threat intelligence report and red team test plan before the red-team phase begins
  • At closure, a summary of the relevant findings, the remediation plan and documentation demonstrating that the test was carried out in line with the RTS (DORA Article 26(6))
  • Follow-up progress on remediation at the intervals the authority sets

Once it has reviewed this material, the authority issues an attestation confirming that the TLPT was performed in accordance with DORA, which supports mutual recognition of the test across authorities.

Internal Reporting

  • Board-level summary of findings
  • Technical findings for IT/Security teams
  • Remediation tracking and accountability
  • Lessons learned documentation

Common TLPT Findings

Based on industry experience, common findings include:

  • Phishing susceptibility: Staff clicking malicious links
  • Credential weaknesses: Poor password policies
  • Network segmentation gaps: Lateral movement opportunities
  • Detection blind spots: Attacks not triggering alerts
  • Response delays: Slow incident identification and escalation
  • Privilege escalation: Excessive user permissions
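Two of these findings, detection blind spots and response delays, come out of the replay step in the closure phase, where the red team's timestamped activity log is reconciled against the blue team's alerts. The script below is an added example of that reconciliation and is not part of the TIBER-EU framework or of this page's original text. The red-team log, alert records, host names and ATT&CK technique IDs are constructed sample data, and the matching rule it applies (same host, same technique, alert raised within a 24-hour window) is an assumption that a real replay session would refine by hand.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RedAction:
    """One line of the red team's activity log."""
    ts: datetime
    technique: str   # MITRE ATT&CK technique id the red team tagged the action with
    host: str
    note: str


@dataclass(frozen=True)
class BlueAlert:
    """One alert exported from the SIEM after the test."""
    ts: datetime
    technique: Optional[str]   # ATT&CK technique the detection rule is mapped to, if any
    host: str
    rule: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data: a fictional attack path and fictional alerts, not from any real test.
RED_LOG: List[RedAction] = [
    RedAction(_t("2025-03-03T09:12:00"), "T1566.001", "ws-fin-17", "phishing attachment opened, implant started"),
    RedAction(_t("2025-03-03T09:15:00"), "T1059.001", "ws-fin-17", "PowerShell stager fetched second stage"),
    RedAction(_t("2025-03-04T11:40:00"), "T1003.001", "ws-fin-17", "LSASS memory dumped for credentials"),
    RedAction(_t("2025-03-05T14:05:00"), "T1021.002", "srv-file-02", "SMB lateral movement with harvested credentials"),
    RedAction(_t("2025-03-06T10:30:00"), "T1048", "srv-file-02", "staged data exfiltrated over DNS"),
]
BLUE_ALERTS: List[BlueAlert] = [
    BlueAlert(_t("2025-03-03T09:19:00"), "T1059.001", "ws-fin-17", "Suspicious PowerShell download cradle"),
    BlueAlert(_t("2025-03-03T12:00:00"), None, "ws-fin-17", "Scheduled AV scan completed"),  # unrelated noise
    BlueAlert(_t("2025-03-05T16:20:00"), "T1021.002", "srv-file-02", "Admin share logon from workstation"),
]


def first_matching_alert(action: RedAction, alerts: List[BlueAlert], window: timedelta) -> Optional[BlueAlert]:
    """Earliest alert on the same host, mapped to the same technique, raised within `window`
    after the action. Returns None when nothing fired, i.e. the action is a detection blind spot.
    Matching on technique rather than host alone avoids crediting unrelated alerts."""
    hits = [a for a in alerts
            if a.host == action.host and a.technique == action.technique
            and action.ts <= a.ts <= action.ts + window]
    return min(hits, key=lambda a: a.ts) if hits else None


def replay_analysis(red_log: List[RedAction], alerts: List[BlueAlert],
                    window: timedelta = timedelta(hours=24),
                    slow_after: timedelta = timedelta(hours=1)) -> dict:
    """Walk the red team timeline in order and classify every action as detected or missed.
    Returns per-technique time-to-detect in minutes, the list of blind spots, the detections
    slower than `slow_after` (response-delay findings) and the mean time to detect."""
    detected: List[Tuple[str, float]] = []
    blind_spots: List[str] = []
    slow: List[str] = []
    for action in sorted(red_log, key=lambda r: r.ts):
        alert = first_matching_alert(action, alerts, window)
        if alert is None:
            blind_spots.append(action.technique)
            continue
        ttd_minutes = (alert.ts - action.ts) / timedelta(minutes=1)
        detected.append((action.technique, ttd_minutes))
        if alert.ts - action.ts > slow_after:
            slow.append(action.technique)
    mean_ttd = sum(m for _, m in detected) / len(detected) if detected else None
    return {"detected": detected, "blind_spots": blind_spots,
            "slow_detections": slow, "mean_ttd_minutes": mean_ttd}


if __name__ == "__main__":
    result = replay_analysis(RED_LOG, BLUE_ALERTS)
    for technique, minutes in result["detected"]:
        print(f"detected  {technique:<10} after {minutes:6.1f} min")
    for technique in result["blind_spots"]:
        print(f"MISSED    {technique:<10} no alert within 24 h (detection blind spot)")
    print(f"slow detections (> 60 min): {result['slow_detections']}")
    print(f"mean time to detect: {result['mean_ttd_minutes']} min")
```

On the constructed data the initial access, credential dumping and exfiltration steps never produce an alert, which is what a blind-spot finding looks like in a replay, while the lateral movement is detected but more than two hours late, which becomes a response-delay finding. In a real closure phase the same table is walked through with the blue team, who can then say which gaps are missing telemetry, missing rules or alerts that fired but were not escalated.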

Preparing for Your First TLPT

6 Months Before

  1. Engage your competent authority and confirm whether you have been identified for TLPT
  2. Begin scoping critical or important functions and the systems, third parties and people that support them
  3. Budget for testing (indicatively EUR 200,000-500,000 or more depending on scope; figures vary widely by entity and provider)
  4. Identify the white team (control team) and a board-level sponsor

3 Months Before

  1. Select and contract threat intelligence and red team providers that meet DORA Article 27
  2. Finalize the scope specification with the authority
  3. Establish secure out-of-band communication channels between the white team, the providers and the authority
  4. Keep the white team as small as possible; the blue team and the wider organisation must not be informed

During Testing

  1. Maintain strict operational security and treat the test as a need-to-know project
  2. Hold regular white team check-ins with the providers, tracking progress against the scenarios and flags
  3. Document any scope changes, leg-ups and risk decisions, with the authority's agreement where required
  4. Keep the red team's timestamped activity log complete so the blue team replay can be reconciled against alerts

TLPT vs. Regular Penetration Testing

Aspect                   Regular pen test                    TLPT
Scope                    Defined technical systems           People, processes and technology supporting critical functions
Duration                 1-4 weeks                           Several months end to end; red-team phase alone at least 12 weeks
Threat basis             Generic vulnerability classes       Targeted threat intelligence on real adversaries
Blue team awareness      Usually informed                    Not informed; only the white team knows
Target environment       Test, staging or production         Live production
Regulatory involvement   None                                Authority validates scope and issues an attestation
Cost (indicative)        EUR 20,000-100,000                  EUR 200,000-500,000 or more

Resources

The updated TIBER-EU framework and its supporting guidance are published on the ECB website; the RTS on TLPT is a Commission Delegated Regulation supplementing DORA, available in the Official Journal of the EU and via the European Supervisory Authorities (EBA, EIOPA and ESMA). Our team can help you plan and execute your TLPT programme - contact us for guidance.