What is TIBER-EU?
TIBER-EU is a European framework for threat intelligence-based ethical red-teaming. It provides comprehensive guidance on how authorities, entities, threat intelligence providers and red-team testers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks.
How does it work?
TIBER-EU tests mimic the tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence. They are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems, i.e. its people, processes and technologies. The outcome is not a pass or fail. Instead the test is intended to reveal the strengths and weaknesses of the cyber resilience measures put in place by the tested entity, with a focus on the learning effect of the test, and to enable the entity to reach a higher level of cyber maturity.
Who is involved in a TIBER-EU test?
The main participants in a TIBER-EU test belong to one of five different teams, depending on their roles and responsibilities under the TIBER-EU framework:
- blue team – the people in the entity that is the subject of the test, whose prevention, detection and response capabilities are being tested without their foreknowledge
- threat intelligence provider – the team that looks at the range of possible threats and carries out reconnaissance on the entity
- red-team testers – the team that carries out the simulated attack by attempting to compromise the critical functions of the entity, mimicking a cyber-attacker
- control team – a small team within the target entity whose members are the only ones there who know a test is happening and who lead and manage the test in collaboration with the TIBER cyber team
- TIBER cyber team – the team within the authority that is responsible for overseeing the test and making sure it meets the requirements of the TIBER-EU framework, thus enabling mutual recognition of the test by relevant authorities
The TIBER-EU Guidance for Service Provider Procurement provides more information on the process of selecting and procuring the services of adequate threat intelligence providers and red-team testers. The TIBER-EU Control Team Guidance explains how to set up the team that manages the TIBER-EU test from inside the target entity.
The TIBER-EU Purple-Teaming Guidance provides guidance on how purple-teaming is managed in the TIBER-EU testing phase or closure phase, as outlined in the TIBER-EU framework.
The TIBER-EU framework aims to harmonise and standardise the approach to threat intelligence-based ethical red-teaming across Europe. To achieve this aim, the main participants listed above should use the available templates and guidance to conduct an end-to-end test. The guidance and templates are to be used in different phases of the test – such as initiation, scoping, threat intelligence, red-team testing (planning and reporting), blue team report creation and remediation plan creation – and should be formalised via a test summary report and an attestation to facilitate mutual recognition.
Who is the TIBER-EU framework for?
The TIBER-EU framework is designed for entities that provide core financial infrastructure (including those whose cross-border activities fall within the regulatory remits of several different authorities) and national/supranational authorities. It can be used for entities in all critical sectors, not just the financial sector.
In addition to a number of mandatory requirements, the framework also includes optional requirements that can be adapted to the specificities of individual jurisdictions. The TIBER-EU framework harmonises threat intelligence-based ethical red-teaming and facilitates mutual recognition, reducing the burden on entities and authorities alike.
The TIBER-EU framework can also assist competent authorities and financial entities in meeting the requirements for threat-led penetration tests under the Digital Operational Resilience Act (DORA). See this publication for further information on how adopting the TIBER-EU framework can help fulfil these DORA requirements.
Building on joint expertise and experience
TIBER-EU was developed jointly by the ECB and the EU’s national central banks, approved by the Governing Council of the ECB and published in May 2018. The framework was updated in 2024 to ensure its full alignment with the Regulatory Technical Standards on threat-led penetration testing (TLPT) of the Digital Operational Resilience Act (DORA).
The TIBER-EU framework has been adopted in Austria, Belgium, Denmark, Finland, France, Germany, Iceland, Ireland, Italy, Luxembourg, the Netherlands, Norway, Portugal, Romania, Spain and Sweden, as well as being applied by the ECB. Other jurisdictions are already in the process of adopting the framework or are expected to follow suit in due course.
National TIBER-EU cyber teams conduct TIBER-EU tests with entities in their respective jurisdictions, while entities that are active in multiple jurisdictions may participate in joint tests with multiple TIBER-EU cyber teams.
Hiring threat intelligence and red-team specialists
To ensure that providers of threat intelligence and red-team services meet the appropriate standards for conducting a TIBER-EU test, the entity being tested should carry out due diligence to make sure its chosen provider meets all the requirements set out in the TIBER-EU Guidance for Service Provider Procurement.
The TIBER community can provide support
The TIBER-EU Knowledge Centre (TKC) is a forum hosted by the ECB in which national and European TIBER-EU cyber teams coordinate and discuss initiatives and share details of their experiences. This helps to ensure consistent implementation of the TIBER-EU framework in the adopting jurisdictions.
If new jurisdictions wish to adopt the TIBER-EU framework and join the TIBER community, they can send an email to TIBER-EU@ecb.europa.eu.