logo svg
logo

July 13, 2026

Updated: July 13, 2026

TIBER-EU Explained: Framework, Phases, Roles, and DORA TLPT Alignment

TIBER-EU is the ECB framework for controlled, intelligence-led red-team testing of Critical or Important Functions and the live systems that support them. This guide explains the January 2025 process, roles, evidence, safety controls and relationship with binding DORA TLPT requirements.

Mohammed Khalil

Mohammed Khalil

Featured Image

Source basis last verified 13 July 2026: ECB TIBER-EU Framework (January 2025), Regulation (EU) 2022/2554 and Commission Delegated Regulation (EU) 2025/1190.

TIBER-EU is the European Central Bank's framework for controlled, intelligence-led red-team testing of Critical or Important Functions and the live production systems supporting them. It is not EU law. The January 2025 framework is aligned with threat-led penetration testing under DORA, but for a mandatory test, DORA and Commission Delegated Regulation (EU) 2025/1190 define the binding requirements and take precedence. TIBER-EU provides the detailed operating model for conducting the exercise safely and consistently.

Key takeaways

What is TIBER-EU?

TIBER-EU means Threat Intelligence-Based Ethical Red Teaming. The ECB describes it as a common European framework for authorities, tested entities, Threat Intelligence Providers and Red Team Testers to conduct controlled, intelligence-led attacks and improve cyber resilience.

Target intelligence examines the entity's reachable environment; threat intelligence evaluates plausible actors and objectives. Together they shape bespoke scenarios. The January 2025 TIBER-EU Framework centres those scenarios on Critical or Important Functions (CIFs) and their supporting people, processes and technologies not on a generic catalogue of techniques or assets.

This is why TIBER-EU is more than:

The ECB is explicit that a TIBER-EU outcome is not simply pass or fail. Its value is the evidence it creates about protection, detection and response, followed by the learning and remediation that evidence drives.

What changed in the January 2025 framework?

The current baseline is the January 2025 TIBER-EU Framework. The ECB's February 2025 update notice identifies the main changes:

These are not cosmetic changes. An older 2018 summary may omit required closure work, use obsolete role names or present timing that no longer matches the current process. Procurement documents and rules of engagement should therefore cite the current edition and the applicable national or European implementation.

Who is TIBER-EU for and is it mandatory?

TIBER-EU was designed around core financial infrastructure, financial entities and authority-led programmes. The ECB also states that the framework can be used in other critical sectors. An organisation may therefore undertake a TIBER-style exercise voluntarily, through an authority programme or to operationalise a separate regulatory obligation.

TIBER-EU itself is not an EU regulation, directive or certification. The ECB Banking Supervision guide describes it as detailed, non-legally binding operational guidance: the “how” of a threat-led test.

DORA is different. Regulation (EU) 2022/2554, particularly Articles 26 and 27, establishes binding TLPT duties for financial entities identified by their competent authorities. Commission Delegated Regulation (EU) 2025/1190 supplies the regulatory technical standards on identification, scope, methodology, testers, closure, remediation and cooperation.

That produces a simple legal hierarchy:

DORA and the RTS define the binding requirements; TIBER-EU provides detailed operational guidance for conducting the test.

Not every DORA-regulated firm is automatically required to perform TLPT, and not every TIBER-EU test is a DORA TLPT. Applicability and implementation must be confirmed with the relevant competent or TIBER authority. For detailed legal-applicability intent, see DeepStrike's separate guide to DORA TLPT requirements.

This article is an educational framework guide, not legal advice or an official interpretation for a particular entity.

Which testing route applies?

Start with the source of the obligation. The same technical ambition can require a different governance model, evidence set and authority relationship.

TIBER-EU vs DORA TLPT vs conventional penetration testing

The three concepts overlap, but they are not interchangeable. A TIBER-EU test can provide the operating model for a DORA-mandated TLPT. A conventional penetration test can support wider resilience and vulnerability-management programmes, but does not become TIBER-EU or DORA TLPT merely because it is manual, difficult or performed on production.

Comparison pointTIBER-EU frameworkDORA TLPTConventional penetration test
Nature and legal statusNon-legally binding ECB framework with mandatory and optional framework requirementsBinding for financial entities identified under DORA and the RTSContracted assurance activity; legal or standard-driven only where another obligation requires it
Primary purposeConsistent, safe, intelligence-led testing and defensive learningAdvanced digital operational resilience testing under EU lawFind and validate exploitable technical weaknesses in an agreed scope
Trigger or governanceVoluntary or authority-led; may operationalise a regulatory testCompetent/TLPT authority identifies the entity and governs legal requirementsOrganisation, customer, auditor, standard, risk event or release programme
Typical target and scopeCIFs and supporting people, processes, technology and relevant providersSeveral or all CIFs selected and validated under the governing processNamed applications, APIs, networks, cloud environments, devices or other assets
Threat intelligenceBespoke target and threat intelligence is centralRequired under the DORA TLPT modelOptional
Live productionCentral to realism, with active risk managementBinding TLPT scope includes live production systems supporting in-scope CIFsPossible where authorised, but not inherent
People, process and technologyCovered through function-led scenariosCovered where they support the in-scope functions and scenariosOften technology-led unless explicitly broadened
Authority involvementTIBER Authority, TIBER Cyber Team and Test ManagerCompetent/TLPT authority and its TLPT Cyber Team/Test ManagerUsually none
Provider requirementsExternal TIP is mandatory; external RTT is strongly encouraged; local rules may add criteriaDORA Article 27, the RTS and authority rules govern tester eligibility and internal/external useBuyer-defined competence, independence and contractual controls
Main outputsSSD, TTIR, RTTP, team reports, replay, purple teaming, remediation plan, TSR, feedback and attestationPrescribed DORA/RTS evidence, remediation and authority attestationTechnical report, evidence, risk ratings, recommendations and often retest results
Attestation or recognitionAuthority attestation can support recognition under agreed conditionsAttestation supports the legal TLPT process and potential cross-authority recognitionNo TIBER/DORA attestation
Frequency or cadenceThree-year intervals are the framework norm, but not a universal binding cycleIdentified entities: at least every three years, subject to the competent authority's risk-based power to adjustRisk-, release-, contract- or standard-based
What completion does not proveFull DORA compliance, complete security or automatic recognition everywhereCompliance with every DORA duty, absence of vulnerabilities or future resilienceWhole-function resilience, regulatory TLPT completion or protection from breach

For general stages and standards outside this framework, use the dedicated penetration testing methodology guide.

Comparison of TIBER-EU, DORA threat-led penetration testing, and conventional penetration testing by legal status, scope, oversight, outputs and cadence.

TIBER-EU explains how to run a high-quality threat-led test; DORA and its RTS determine binding TLPT obligations for designated financial entities. Source: Regulation (EU) 2022/2554, Commission Delegated Regulation (EU) 2025/1190 and ECB TIBER-EU Framework, January 2025.

The TIBER-EU lifecycle at a glance

The framework organises the test into three official phases: Preparation, Testing and Closure. Testing is divided operationally into threat intelligence and scenarios, followed by red-team planning and active testing. Closure then converts the covert exercise into evidence, shared understanding and owned remediation.

Preparation

The process starts with written notification or agreed voluntary initiation. The entity establishes the Control Team, secure communications and initiation documents. It begins a documented risk assessment that continues throughout the test. The Scope Specification Document (SSD) identifies CIFs, dependencies and safe, verifiable “flags” or objectives. Management approves the scope; the Test Manager and authority validate it through their applicable roles. The entity also procures and onboards the TIP and RTT.

Testing: threat intelligence and scenarios

The TIP collects target and threat intelligence, creates plausible high-level scenarios and works with the RTT and Control Team to refine the selected scenarios. The final Targeted Threat Intelligence Report (TTIR), after the required review and approval, becomes the basis for the Red Team Test Plan.

Testing: red team

The RTT turns the scenarios into a controlled plan covering objectives, boundaries, escalation, evidence, risk and restoration. After approval, active testing proceeds on live production systems. Status meetings allow the Control Team and Test Manager to monitor risk without unnecessarily disclosing the exercise. Any leg-up controlled assistance to progress the test must be agreed and documented.

Closure

After active testing, the RTT and Blue Team report, reconstruct the exercise in replay and examine further learning in purple teaming. The entity completes root-cause analysis, a remediation plan, the Test Summary Report (TSR) and 360-degree feedback. Authority attestation concludes the test.

PhaseKey activitiesMain participantsCore outputsOfficial timing labelKey risk or decision
PreparationNotify, initiate, form CT, assess risk, scope CIFs, procure providersEntity, management body, CT/CTL, TM/TCT; TIP/RTT when onboardedInitiation documents, SSD, risk assessment, contractsMaximum: no longer than six months from written notification; initiation documents due within three monthsCorrect function-led scope, secrecy, provider eligibility and production safety
Testing: threat intelligenceTarget/threat intelligence, scenario creation and selectionTIP, CT/CTL, TM, RTTScenario shortlist and final TTIRIndicative: four to six weeksPlausibility, current intelligence and coverage of in-scope CIFs
Testing: red teamRTTP, active testing, governance, logging and risk decisionsRTT, CT/CTL, TM, TIP as neededApproved RTTP, action logs, flags and evidenceIndicative: RTTP creation two to three weeks. Minimum: active testing 12 weeksSafe progression, deviations, leg-ups, detection and stop decisions
ClosureTeam reports, replay, purple teaming, feedback, remediation, TSR and attestationCT/CTL, RTT, BT, TIP, TM/TCT, management body, authorityRTTR, BTTR, replay/PT outputs, remediation plan, TSR, feedback, attestationDeadlines: RTTR within four weeks; BTTR, replay and PT within ten weeks after active testing; TSR and remediation plan within eight weeks after TM assessment notification. TM assessment time means closure may exceed 18 weeks.Sensitive evidence handling, root causes, action ownership and attestation eligibility

These values have different meanings maximum, minimum, indicative and deadline-based. They should not be added into a single promised duration. Entity readiness, provider procurement, authority review, cross-border coordination and the Test Manager's assessment can materially affect the calendar. See the January 2025 framework for the authoritative labels and sequence.

TIBER-EU lifecycle showing preparation, threat intelligence, red-team planning and testing, closure, remediation and attestation with official timing labels.

TIBER-EU links function-led scoping and threat intelligence to controlled testing, defensive learning, remediation and authority attestation. Source: ECB TIBER-EU Framework, January 2025, and its supporting guidance.

Who does what in a TIBER-EU test?

The role model separates accountability, oversight, intelligence, active testing and defence. That separation preserves test integrity and makes risk decisions traceable.

StakeholderPrimary responsibilityKey decisions or inputsInformation boundaryMain outputs or approvals
Tested entity and management bodyOwn the end-to-end test, risk and remediationResources, approved scope, risk acceptance and remediation ownershipManagement receives what is needed without widening covert knowledge unnecessarilyScope approval, remediation ownership and governance evidence
Control Team (CT)Manage the test inside the entityScope, risk controls, providers, escalation, deconfliction and evidence flowSmall need-to-know group; monitors Blue Team and third-party detectionsInitiation documents, SSD, risk records, TSR and remediation plan
Control Team Lead (CTL)Lead the CT and coordinate the exerciseFinalise scope and scenarios; coordinate TIP, RTT, TM and authorityPrimary operational contact with access to senior escalationCoordinated approvals, meetings and risk decisions
Blue Team (BT)Protect, detect and respond in normal operationsDefensive decisions during the covert test; later maps detections and responseNormally unaware until detection, controlled disclosure or closureBlue Team Test Report, replay and purple-team input
TIBER/TLPT AuthorityAdopt or apply the framework and provide formal authority oversightAttestation eligibility, required evidence and national/European conditionsReceives material specified by the framework, law and implementationApproval where required and signed attestation
TIBER/TLPT Cyber Team (TCT)Operate the authority's testing programmeQuality, consistency, cooperation and authority coordinationHolds only the sensitive information needed for its functionProgramme oversight and assigned Test Manager
Test Manager (TM) and alternateGuide and review the individual testValidate or review scope, risk, providers, scenarios, plans, reports and deviationsDirect, secure contact with CTL and providers when requiredValidations, approvals, assessment and recommendation for attestation
Threat Intelligence Provider (TIP)Produce target and threat intelligenceRelevant actors, objectives, exposed surfaces and scenario updatesSeparate from Blue Team; works closely but independently with RTTTTIR, scenario input and intelligence updates
Red Team Testers (RTT)Plan and execute the controlled scenariosRTTP, paths, flags, deviations, leg-ups, restoration and evidenceCovert from BT; accountable to CTL/TM governanceRTTP, logs, Red Team Test Report, replay and purple-team input
Relevant ICT or critical third partySupport or participate where its services underpin scopePermissions, risk controls, deconfliction and service-owner constraintsAccess and knowledge limited by contract, law and operational needAgreed test support, evidence and remediation input

External providers do not transfer accountability away from the entity. The framework states that the tested entity remains responsible for end-to-end conduct and the risks created by the exercise.

TIBER-EU stakeholder map showing authority oversight, the tested entity and Control Team, Threat Intelligence Provider, Red Team Testers, Blue Team and relevant third parties.

A TIBER-EU test separates governance, threat intelligence, active testing and defence while maintaining controlled communication through the Control Team and Test Manager. Source: ECB TIBER-EU Framework and Control Team guidance, 2025.

How scope is defined

A weak scope is a list of IP addresses and applications. A TIBER-EU scope starts with the function whose disruption, defective performance or failure would materially affect the entity's financial performance, service continuity or legal obligations. The entity then maps what enables that function.

The SSD records:

The management body approves the scope and the TIBER/TLPT authority validates it through the applicable process. The threat-intelligence phase may revalidate assumptions as plausible actors and scenarios become clearer.

Hypothetical example: payment processing

Suppose a financial entity selects real-time payment processing as a CIF. Its dependency map might include customer and workforce identity, privileged administration, payment APIs, fraud decisioning, message queues, cloud platforms, network paths, cryptographic services, employee processes, monitoring and an external communications provider.

The approved flags might focus on whether a simulated actor could achieve a defined, safely observable effect against the payment function. The test could use a wider system as an entry or pivot point, but the objective remains tied to the function. This is only an example; each entity's business-impact analysis, architecture, threat profile and authority instructions determine its actual scope.

Third-party infrastructure cannot be assumed testable. It requires owner consent, contract rights, legal and privacy review, safe boundaries, coordination and restoration arrangements. Multi-party or pooled testing may suit a shared service, but does not remove each entity's risk responsibilities.

Threat intelligence and scenario design

TIBER-EU uses several related intelligence products:

The TIP creates a broad scenario set, then works with the CT, TM and RTT through selection and refinement. The RTT translates approved scenarios into the Red Team Test Plan, including objectives, paths, controls and evidence expectations.

A credible scenario connects actor, objective and function. It should not be chosen because a technique is fashionable or because a provider wants to demonstrate a particular tool. It should explain why that actor would pursue that objective, how the route relates to the entity's environment and what defensive capability the exercise is intended to evaluate.

Testing live production systems safely

Production realism is central because security controls, identity relationships, monitoring, employee behaviour and service dependencies often differ from a laboratory. Testing the real environment provides stronger evidence about how the entity protects, detects and responds.

It also creates real risk. The ECB framework identifies potential outage, system damage, data loss, modification or disclosure. A covert test can also collide with genuine incident response or a third party's protective action.

Core safeguards therefore include:

The Control Team watches business risk and can obtain information about detections without coaching the Blue Team. The Test Manager must be involved when material deviations or attestation risks emerge. Safety controls reduce risk; they do not make live-production testing risk-free.

Reporting, replay, purple teaming and remediation

Active testing is the evidence-generating middle of the exercise, not its endpoint.

The Red Team Test Report (RTTR) records the scenarios, paths attempted, flags reached or missed, deviations, leg-ups, findings, root causes and remediation recommendations. The Blue Team Test Report (BTTR) maps defensive observations, detections and response actions against the red-team timeline and identifies lessons and topics for purple teaming.

During replay, both teams reconstruct what happened step by step. This reconciles timestamps and evidence, shows where actions were visible or missed, and gives defenders the context behind the red-team record.

During purple teaming, the RTT and BT explore remaining or additional learning objectives together. They may validate how alternative defensive or testing actions would have changed the outcome, within approved safety boundaries. The January 2025 update makes purple teaming mandatory under TIBER-EU.

The remediation plan must go beyond a list of patches. It should connect each shortcoming to its root cause, priority, action, accountable owner, expected completion and the risk of delay. Findings may reveal weaknesses in governance, identity design, monitoring, response, operational processes or third-party dependencies not only software defects.

The Test Summary Report consolidates the validated scope, participants, scenarios, paths, flags, detection outcomes, risk measures, findings, root causes and high-level remediation. The 360-degree feedback process examines how the entity, TM, TIP, RTT and BT worked together so that the next exercise can be better governed and executed.

Attestation and mutual recognition

Once the TIBER Authority has approved the TSR and remediation plan, it issues and signs the attestation. For a TIBER test conducted to meet DORA, the relevant TLPT Authority is treated as the TIBER Authority for that exercise.

The attestation confirms that the test was conducted in accordance with the relevant core framework requirements and applicable implementation. It records items such as dates, in-scope CIFs, untested in-scope functions, participating entities or providers, tester arrangements, active-testing duration and the documents examined.

It does not certify that:

The framework is designed to facilitate recognition and reduce duplicated testing. Recognition still depends on compliance with the required framework and legal conditions, the involvement or agreement of relevant authorities, the applicable national or European implementation and permitted sharing. Depending on those conditions, the entity or authority may share the TSR, remediation plan and attestation. Detailed technical reports remain highly sensitive and are not automatically distributed.

Selecting TIP and RTT providers

Provider selection should begin with the governing authority and legal entity, not a marketing badge. The ECB's Guidance for Service Provider Procurement supplies baseline criteria, while DORA, the RTS and national or European implementations may add binding requirements.

Procurement teams should verify:

The procurement guidance asks buyers to evaluate appropriate recognised certifications and, where relevant, accreditation. It does not make one named scheme universally mandatory for every TIBER-EU or DORA TLPT engagement. Obtain the Test Manager's input before contracting where the framework or authority requires it.

TIBER-EU readiness checklist

This checklist is a preparation aid, not a substitute for the current framework, the RTS, authority instructions, legal advice or a formal project plan.

1. Authority and applicability

2. Governance and Control Team readiness

3. Function-led scope and dependency mapping

4. Procurement and provider due diligence

5. Legal, privacy, confidentiality and third-party permissions

6. Production risk and escalation

7. Threat intelligence and scenario governance

8. Reporting, learning and evidence ownership

Common mistakes and misconceptions

FAQs

What does TIBER-EU stand for?

TIBER-EU stands for Threat Intelligence-Based Ethical Red Teaming. It is the ECB's European framework for controlled, bespoke, intelligence-led red-team testing.

Is TIBER-EU mandatory?

Not universally. TIBER-EU is a non-legally binding framework that may be used voluntarily or through an authority programme. DORA TLPT is mandatory only for financial entities identified under the applicable DORA and RTS process.

What is the difference between TIBER-EU and DORA TLPT?

DORA and the RTS are binding EU law for designated entities and state what the TLPT must achieve. TIBER-EU provides detailed operational guidance for how authorities, entities, TIPs and RTTs can conduct that test safely and consistently.

How often must a TIBER-EU or DORA TLPT test be performed?

TIBER-EU notes three-year intervals as the norm, but this is not a universal binding cycle. Under DORA, identified entities perform TLPT at least every three years, while the competent authority may adjust frequency based on risk profile and operational circumstances. Confirm the current direction for the entity.

Does testing happen on live production systems?

Yes. Live production is central to TIBER-EU realism and is required for the relevant DORA TLPT scope. Testing must be authorised and supported by active risk management, secure communications, escalation, deconfliction, restoration and stop controls.

How long does a TIBER-EU test take?

There is no safe fixed total. The framework uses different labels: Preparation lasts no longer than six months; threat intelligence is indicated at four to six weeks; RTTP creation at two to three weeks; active testing has a 12-week minimum; and Closure contains several separate deadlines plus an open-ended Test Manager assessment period.

What are the three TIBER-EU phases?

Preparation, Testing and Closure. Testing includes threat intelligence/scenario work and red-team testing. Closure includes reports, replay, purple teaming, remediation, the TSR, feedback and attestation.

What does a TIBER-EU attestation prove?

It confirms that the authority considers the test to have been conducted according to the relevant TIBER core requirements and implementation. It is not a security certificate, audit opinion, guarantee of mutual recognition or proof of full DORA compliance.

Can TIBER-EU be used outside the financial sector?

Yes. Although designed around core financial infrastructure and authority-led financial programmes, the ECB states that it can be used in other critical sectors. Governance and authority arrangements still need to fit the sector and jurisdiction.

Conclusion

TIBER-EU is a controlled, authority-aware operating framework for intelligence-led testing of important functions in live environments. Its strength is not simply a long red-team campaign. It is the connection between function-led scope, current threat intelligence, production risk management, covert defensive evidence, replay, purple teaming, root-cause remediation and formal authority oversight.

For designated financial entities, DORA and Commission Delegated Regulation (EU) 2025/1190 determine the binding TLPT requirements. TIBER-EU helps operationalise them, but cannot replace the governing law, the relevant authority's instructions or jurisdiction-specific provider checks.

Organisations exploring broader authorised adversary simulation can review DeepStrike's authorised red teaming services. Readers seeking formal TIBER-EU or DORA TLPT delivery should independently verify the provider's current eligibility and the relevant authority's requirements for their entity and jurisdiction.

About the author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike. He writes about penetration testing, red teaming and operational resilience. This guide was developed from primary ECB and EU sources and does not replace legal advice or instructions from the relevant authority.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us