A&O Shearman | FinReg | ECB publishes TIBER-EU SSM implementation guide under DORA
Financial Regulatory Developments Focus
  • ECB publishes TIBER-EU SSM implementation guide under DORA

    21 November 2025
    The European Central Bank (ECB) has published its guide on implementing the Threat Intelligence-based Ethical Red Teaming (TIBER-EU) framework for mandatory threat-led penetration testing (TLPT) of significant institutions under the Digital Operational Resilience Act (DORA). Under Articles 26 and 27 of DORA, significant institutions must conduct advanced operational resilience testing by means of TLPT at least every three years. To assist significant institutions in fulfilling the DORA TLPT requirements, the ECB has decided to adopt the TIBER-EU framework. The guide sets out: the ECB's role in identifying significant institutions subject to TLPT requirements; the testing process (preparation, execution and closure); key stakeholder responsibilities, including the use of external threat intelligence providers and red team testers; and general considerations for TLPT, including test management, secrecy and risk management. The ECB clarifies that while the TIBER-EU implementation guide provides detailed operational steps, only DORA and its accompanying regulatory technical standards on TLPT remain legally binding.
