Implementing DORA cyber resilience for banks with TIBER-EU framework

Under the Digital Operational Resilience Act (DORA), identified financial entities must conduct advanced operational resilience testing via threat-led penetration testing (TLPT) at least every three years.

The European Central Bank (ECB) acts as the competent authority for significant institutions (SIs) under DORA, responsible for operationalizing TLPT.

To assist SIs in meeting these requirements, the ECB has adopted the TIBER-EU framework.

This framework, first published by the ECB in May 2018 and updated in January 2025, harmonizes red team testing practices across the EU, ensuring high quality and enabling multi-jurisdictional testing.

DORA and its accompanying Regulatory Technical Standards (RTS) on TLPT, issued in June 2025, set out the legal 'what', while TIBER-EU provides the detailed, non-legally binding 'how' for conducting these crucial cyber resilience tests.

This guide details the ECB's specific adoption and implementation of the TIBER-EU framework for mandatory DORA TLPT within the Single Supervisory Mechanism (SSM).

The ECB, acting as the TLPT authority, identifies significant institutions (SIs) subject to testing based on systemic importance, business impact, and ICT risk profile.

It also establishes an SSM TLPT cyber team (TCT-SSM) responsible for related activities, potentially utilizing national TCTs for monitoring.

Identified SIs must appoint a single point of contact (SPOC) with sufficient authority and IT knowledge to ensure test secrecy and coordination.

Key stakeholders in a DORA TLPT include the ECB, TCT, SI management, Control Team, Threat Intelligence Provider, and Red Team Testers, all working to enhance cyber maturity.