TIBER-EU Framework 2025 update

Cybersecurity

Apr 15, 2025

Ifrim Adrian, Mocanu Cristian, Țigănilă Cătălin

What changed and why does it matter?

Cyber threats are evolving, and financial institutions need stronger defences to keep pace. To help them face these challenges, the ECB has substantially updated the TIBER-EU framework, aligning it with the Digital Operational Resilience Act (DORA).

From January 17, 2025, financial institutions other than microenterprises and the institutions mentioned in DORA Article 16(1)* (hereinafter “in-scope financial institutions” or “entities”) must follow new, heightened Threat-Led Penetration Testing (TLPT) rules under the new regulation on operational resilience. The TIBER-EU framework, once a voluntary guide, is now the official method for meeting DORA’s legal requirements for cyber resilience testing.

What is the big change?

TIBER-EU tests used to be voluntary, meaning financial institutions could choose whether or not to participate. That changed with the entry into force and application of DORA as of 17 January 2025.

Starting January 2025, the in-scope financial institutions must conduct a Threat-Led Penetration Test (TLPT) at least once every three years. This requirement ensures that these institutions regularly assess their ability to withstand real-world cyberattacks, following a standardized approach across the EU.

This means that financial institutions must now budget, plan, and prepare for regular TLPT exercises as part of their compliance obligations.

Here are the key changes in TIBER-EU 2025

Alignment with DORA

The framework is now completely aligned with DORA's TLPT requirements, enhancing the overall cyber resilience of financial institutions across the EU.

The TIBER-EU framework has updated key terms to align with DORA, ensuring consistency across different EU regulations. The “White Team” (the internal group coordinating the test) is now called the “Control Team”. This change ensures that financial institutions, regulators, and service providers all speak the same language when conducting TLPTs.

The TIBER-EU framework now provides detailed guidance on how to complete DORA threat-led penetration testing (TLPT) in a qualitative, controlled, and safe manner. This includes a uniform approach across the EU for conducting controlled cyberattacks to test and improve the cyber resilience of entities.

Stricter Rules for Selecting Service Providers

Cyber resilience testing relies on Threat Intelligence Providers (TIPs) and Red Team Testers (RTTs) to simulate real-world attacks. Under TIBER-EU 2025, in-scope financial institutions must meet stricter requirements when selecting these service providers.

The new Service Provider Procurement Guidelines require financial institutions to:

  • Choose providers with proven expertise in cyber threat intelligence and red teaming

  • Ensure that testing teams have experience working with financial sector infrastructure

  • Follow clear vetting and procurement standards to avoid conflicts of interest

Not all cybersecurity firms will qualify for TIBER-EU testing. Financial institutions must be more selective when choosing Red Team and Threat Intelligence providers.

DORA allows financial institutions to use internal testers for some TLPTs, but TIBER-EU 2025 now requires firms to engage external testers at least once every three years.

In exceptional circumstances, and only after prior approval by the Test Manager (TM), internal Red Team Testers may be used for a TIBER-EU test. In such cases, the internal testers must adhere to the same standards and requirements as external Red Team Testers.

External testers bring a fresh, unbiased perspective to penetration testing. This rule ensures that institutions do not become complacent or rely too much on internal assumptions.

Multi-Party / Cross-Border Testing

Previously, financial institutions that operated in multiple countries had to conduct separate TLPTs in each jurisdiction. This was costly, time-consuming, and often repetitive.

Under TIBER-EU 2025, financial firms can now conduct joint or pooled TLPTs if they share:

  • critical ICT service providers

  • common infrastructure across multiple jurisdictions

The updated framework introduces provisions for multi-party testing. This approach allows entities sharing common infrastructures or services to conduct joint tests, enhancing efficiency and comprehensiveness.

This means that institutions operating in multiple countries no longer need to duplicate testing efforts, saving time and resources while maintaining compliance.

If your institution operates in multiple EU countries, you may be able to streamline TLPT by working with regulators to conduct a single, unified test.

Purple Teaming is Now a Required Step

Traditionally, penetration tests have followed a Red Team vs. Blue Team model. The Red Team (“the attackers”) would attempt to breach the organization, while the Blue Team (“the defenders”) would work to stop them without being told that an attack was under way.

In TIBER-EU 2025, Purple Teaming is now a mandatory phase of TLPT. This means that after a Red Team test is completed, the Red Team and the Blue Team must work together to analyse the attack and improve detection and response.

Instead of merely exposing weaknesses, financial institutions will now actively strengthen their defences by understanding how attacks unfold in real time.

Scope definition and scenarios

The framework now emphasizes Critical or Important Functions (CIFs), broadening the previous focus on critical functions alone. To keep the test manageable, it is recommended that no more than 10 CIFs are included per tested entity.

Entities are now required to develop at least three end-to-end threat scenarios, each addressing different aspects of the confidentiality, integrity, and availability (CIA) triad. Additionally, an optional “Scenario X” can be included to explore hypothetical or emerging threats.

National implementation guides

Previously, EU member states had to develop and publish full national implementation guides for TIBER-EU adoption. Under TIBER-EU 2025, jurisdictions may simply refer to the TIBER-EU documentation as their own implementation when publishing the national implementation document, which must include the minimum requirements. The adoption process will be faster and more consistent across EU countries, reducing delays and administrative burdens.

What this means for the in-scope entities

If your institution falls within DORA’s definition of financial institutions that must carry out advanced testing, these changes mean you must:

  1. Understand the new requirements – If your entity has not done a TLPT before, now is the time to learn what is required and how to execute it.

  2. Plan for external testing – Ensure that you have the budget and strategy to engage approved external testers at least once every three years.

  3. Train your internal teams for purple teaming – The new process requires collaboration between red and blue teams, so security teams must be trained accordingly.

  4. Reevaluate your service providers – The new framework requires higher-quality threat intelligence and red team providers, so institutions must carefully vet their partners.

  5. Engage with regulators early – If your firm operates in multiple jurisdictions, work with regulators to determine whether a pooled TLPT approach is possible.

Compliance obligations started January 17, 2025

The new TIBER-EU 2025 framework is not just about compliance; it is about making financial institutions more resilient against cyber threats.

By preparing now, financial institutions will not just meet the new requirements; they will also improve their ability to detect, respond to, and recover from cyberattacks.

Notes:

* “small and non-interconnected investment firms, payment institutions exempted pursuant to Directive (EU) 2015/2366; institutions exempted pursuant to Directive 2013/36/EU in respect of which Member States have decided not to apply the option referred to in Article 2(4) of this Regulation; electronic money institutions exempted pursuant to Directive 2009/110/EC; and small institutions for occupational retirement provision.”
