  • MIP NEWS

TIBER-EU Framework updated to align with DORA

11 February 2025

The Eurosystem has updated its European framework for threat intelligence-based ethical red-teaming (TIBER-EU framework) to align with the regulatory technical standards (RTS) of the Digital Operational Resilience Act (DORA) on threat-led penetration testing (TLPT). The TIBER-EU framework provides comprehensive guidance on how authorities, entities, threat intelligence providers and red-team testers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks. It also sets out detailed guidance on how to complete DORA TLPT in a qualitative, controlled and safe manner, applying a uniform approach across the EU. The Eurosystem encourages authorities to adopt and implement the TIBER-EU framework, which now includes the required deliverables and steps to conduct threat intelligence-based red-team testing at designated financial entities in line with DORA requirements.

Several updates were introduced in the framework to incorporate regulatory requirements and align with other measures set out in DORA. The updates include:

  • aligning the process steps with the deliverables derived from the DORA RTS on TLPT. DORA RTS have introduced strict timelines for completing the deliverables, which have now been incorporated in the TIBER-EU framework;
  • specifying purple-teaming as mandatory under TIBER-EU, as prescribed in the DORA RTS;
  • introducing terminological changes to ensure consistency with DORA terminology, such as changing the name “White Team” to “Control Team”;
  • establishing TIBER-EU guidance documents to facilitate the implementation of different parts of the framework and to ensure a secure and controlled TLPT execution. Each document accompanying the main framework document includes requirements for complying with the TLPT under DORA, clearly delineating what needs to be done under each step of the process. These accompanying documents also include operational TIBER-EU guidance based on best practices and experience derived from numerous previous TIBER tests;
  • providing advice on how to assess the quality of a provider in the updated Guidance for Service Provider Procurement;
  • moving away from the requirement for authorities that want to implement TIBER-EU to publish a full national implementation guide; authorities can instead refer to the adoption of the TIBER-EU documentation and publish a short implementation document described in the framework.

The updated framework and the corresponding guidance documents are available on this webpage, where you can also find out more about the framework itself. A short ECB paper published in September 2024 also outlines how the TIBER-EU framework can help competent authorities and financial entities fulfil DORA TLPT requirements.