TIBER-EU: What it is, who needs it, and why it’s nothing like a standard pentest

TIBER-EU is one of the most misunderstood frameworks in financial sector security. It gets lumped in with penetration testing, misattributed as a compliance checkbox, and regularly confused with CBEST and others. This post will explain what it actually is and why it demands a fundamentally different approach.

So, what is the TIBER-EU framework?

TIBER-EU (the European Framework for Threat Intelligence-Based Ethical Red Teaming) was developed by the European Central Bank and published in 2018. It provides a standardised methodology for conducting intelligence-led red team exercises against the critical live production systems of financial entities.

The framework sits within a broader European financial resilience agenda alongside DORA (Digital Operational Resilience Act), with which it now has direct legislative linkage. TIBER-EU is implemented nationally through country-specific variants: TIBER-NL (Netherlands), TIBER-BE (Belgium), TIBER-DK (Denmark), TIBER-IE (Ireland), TIBER-SE (Sweden), TIBER-FI (Finland), and others. Each national variant adapts the core framework to local supervisory structures, but the methodology itself (the phasing, the role separation, the intelligence requirements) remains consistent.

You can read more about the framework from the official documentation here.

Key distinction
TIBER-EU is not a compliance standard. It is a testing framework. Passing a TIBER-EU engagement does not mean you are compliant with anything. It means your critical functions were tested against realistic, intelligence-led threats under controlled conditions.

Who is it mandatory for?

Mandatory applicability is determined at a national level, not by the ECB framework itself. In most implementing jurisdictions, TIBER-EU is mandatory for the following:

  • Tier 1 financial entities – systemically important institutions: central banks, major credit institutions, central counterparties, payment system operators, and other entities deemed critical to financial stability
  • DORA-obligated entities under Article 26 — Advanced ICT risk testing, which references TIBER-EU or equivalent threat-led penetration testing (TLPT) as the acceptable methodology for testing critical ICT systems every three years
  • Voluntary participants — Tier 2 and Tier 3 financial institutions can elect to conduct TIBER-EU engagements voluntarily, often driven by regulatory expectation or reputational positioning

The DORA linkage is significant. DORA Article 26 effectively mandates TLPT for in-scope entities, and TIBER-EU is the ECB’s recognised framework for satisfying that requirement. For any financial entity subject to DORA, understanding TIBER-EU is no longer optional.

How does TIBER-EU testing differ from standard penetration testing?

This is where most people get confused. A TIBER-EU engagement looks very similar to a red team exercise: there are attackers, there are targets, there is a scope. But in reality that is where the similarity ends.

A standard penetration test mostly consists of:

  • Scope defined by the client
  • Intelligence gathered ad hoc or not at all
  • Rules of engagement are broad
  • Testing against test/staging environments common
  • Single team executes everything
  • Report delivered to who ordered it
  • Duration: days to weeks
  • Repeatable without regulatory oversight

A TIBER-EU engagement, on the other hand, consists of:

  • Scope defined by a Threat Intelligence Report
  • Dedicated Threat Intelligence Provider (TISP)
  • Separate Red Team Provider (RTSP)
  • Live production systems only
  • Oversight authority (national competent authority) involved
  • Blue team (SOC) is unaware — genuine surprise
  • Duration: 3–6+ months end-to-end
  • Structured debrief with remediation tracking

The intelligence-led distinction

In a standard red team, threat scenarios are typically built from the assessor’s experience, known TTPs, and whatever the client says they’re worried about. In TIBER-EU, the threat scenarios are constructed from a formal Threat Intelligence Report (TIR), produced by a separate, accredited TISP: a specialist Cyber Threat Intelligence Service Provider, such as ThreatInsights. The red team is handed the TIR and must build their attack scenarios around it. They cannot deviate from the intelligence-defined threat picture without formal change control.

This is not a bureaucratic nicety. It ensures the red team is simulating real, relevant adversaries, not just chasing interesting vulnerabilities to make the report look good. The intelligence drives everything: the initial access vector, the persistence mechanisms, the target critical functions. If the intelligence says your biggest threat is a sophisticated state-aligned actor targeting SWIFT infrastructure via spear-phishing finance staff, that is what gets tested. Four scenarios are generated covering the CIA triad, along with a scenario X.

Structural separation of roles

The mandatory separation between the TISP and RTSP is one of TIBER-EU’s most distinctive structural features. Many red team vendors would prefer to handle both: it is commercially attractive and operationally convenient. The framework prohibits it for good reason: the intelligence provider must be objective. A red team that writes its own threat intelligence will, consciously or not, write scenarios it knows how to execute and that match the skills of its own individual staff.

The engagement runs through four phases:

  1. Preparation Phase: Scoping, governance setup, White Team formation, provider selection and contracting. Regulatory notification.
  2. Testing Phase — Threat Intelligence: TISP produces the Targeted Threat Intelligence Report. Generic and targeted intelligence gathered. TIR delivered to Red Team.
  3. Testing Phase — Red Teaming: RTSP executes attack scenarios derived from the TIR against live production systems. Blue Team (SOC) is unaware.
  4. Closure Phase: Findings reported. Purple Team exercise conducted. Remediation plan agreed. Regulatory attestation issued.

The role of Threat Intelligence in a TIBER-EU engagement

The ‘TI’ in TIBER is not decoration. Threat Intelligence is the foundation on which every subsequent decision in the engagement is made. Without a credible, high-quality TIR, the red team is operating without a mandate, and anything they find risks being dismissed as not reflective of real adversarial behaviour.

What the Threat Intelligence Provider actually delivers

The TISP’s output is structured in two parts. The first is the Generic Threat Landscape Report (GTLR) — a sector-wide view of the threat environment, covering threat actor categories, observed TTPs (mapped to MITRE ATT&CK), and trends relevant to financial services. This contextualises the specific intelligence that follows.

The second, and more critical, output is the Targeted Threat Intelligence Report (TTIR). This is entity-specific intelligence developed through OSINT, technical reconnaissance, HUMINT sourcing where applicable, dark web monitoring, and analysis of threat actor campaigns that have historically targeted similar institutions. The TTIR defines the threat scenarios: specific adversary simulations that the Red Team must execute.

Intelligence quality determines engagement quality. A weak TIR produces weak red teaming. If the intelligence is generic, boilerplate, or not grounded in evidence of real threat actor behaviour targeting the entity or its sector, the engagement becomes an expensive red team exercise with a TIBER-EU label on it. Competent authorities are increasingly capable of distinguishing the two. Choosing your TISP carefully is wise, and even then, pre-packaged scenarios shared across TISPs are common.

Intelligence tradecraft in the TIBER-EU context

The intelligence produced must meet a standard that practitioners from law enforcement, signals intelligence, or formal CTI backgrounds will recognise as structured analytic production. This is not a generic threat brief; it is an analytical product with sourcing, grading, confidence levels, and structured conclusions. Analytical rigor is essential.

TISPs must demonstrate provenance for threat actor attribution, distinguish between assessed and confirmed facts, and present alternative hypotheses where the evidence is ambiguous. Intelligence that asserts “APT29 is your primary threat” without source grading and a clearly articulated evidence base will not survive scrutiny from a competent white team.
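To make the tradecraft requirements above concrete, here is an added example (not code from the post, from the ECB's TIBER-EU documentation, or from ThreatInsights) of a small quality gate a white team might apply to a TTIR before handing it to the red team. It also covers the earlier point that the scenario set should span the CIA triad. Evidence is graded on the NATO Admiralty scale (source reliability A to F, information credibility 1 to 6); the confidence thresholds, the "confirmed versus assessed" rule, and the sample report are constructed assumptions for illustration.

```python
"""Quality gate for a Targeted Threat Intelligence Report (TTIR): added example,
not TIBER-EU's or any provider's own tooling. Thresholds and sample data are assumed."""
from dataclasses import dataclass, field

# Admiralty scale weights; F and 6 mean "cannot be judged", so they carry no weight.
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": None}
CREDIBILITY = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2, 6: None}


@dataclass
class Evidence:
    summary: str
    reliability: str   # source reliability, A..F
    credibility: int   # information credibility, 1..6

    def weight(self):
        r, c = RELIABILITY[self.reliability], CREDIBILITY[self.credibility]
        return None if r is None or c is None else r * c


@dataclass
class AttributionClaim:
    actor: str
    status: str                      # "confirmed" or "assessed"
    evidence: list
    alternatives: list = field(default_factory=list)  # alternative hypotheses


def assess_confidence(claim):
    """Derive high/moderate/low confidence from graded evidence (assumed thresholds)."""
    weights = [w for w in (e.weight() for e in claim.evidence) if w is not None]
    if not weights:
        return "low"
    best = max(weights)
    if best >= 0.64 and len(weights) >= 2:   # at least two sources, best one B2 or better
        return "high"
    if best >= 0.36:
        return "moderate"
    return "low"


def review_claim(claim):
    """Return (confidence, findings) for one attribution claim."""
    findings = []
    if not claim.evidence:
        findings.append(f"{claim.actor}: no sourced evidence")
    if any(e.weight() is None for e in claim.evidence):
        findings.append(f"{claim.actor}: contains ungradable (F/6) evidence")
    confidence = assess_confidence(claim)
    if claim.status == "confirmed" and confidence != "high":
        findings.append(f"{claim.actor}: marked confirmed but evidence supports only {confidence} confidence")
    if confidence != "high" and not claim.alternatives:
        findings.append(f"{claim.actor}: ambiguous evidence but no alternative hypothesis offered")
    return confidence, findings


def cia_gaps(scenarios):
    """CIA-triad elements that no scenario in the set exercises."""
    wanted = {"confidentiality", "integrity", "availability"}
    return sorted(wanted - {s["impact"] for s in scenarios})


def review_ttir(claims, scenarios):
    """Aggregate review: per-actor confidence, white-team findings, CIA coverage gaps."""
    confidence, findings = {}, []
    for claim in claims:
        confidence[claim.actor], claim_findings = review_claim(claim)
        findings.extend(claim_findings)
    return {"confidence": confidence, "findings": findings, "uncovered": cia_gaps(scenarios)}


def build_sample_ttir():
    """Constructed sample report: one well-sourced claim and one bare assertion."""
    claims = [
        AttributionClaim(
            actor="financially motivated intrusion group",
            status="assessed",
            evidence=[Evidence("sector ISAC sharing of campaign infrastructure", "B", 2),
                      Evidence("entity's own SOC observed matching phishing lures", "A", 2)],
            alternatives=["opportunistic commodity phishing with no sector focus"],
        ),
        AttributionClaim(
            actor="APT29",
            status="confirmed",
            evidence=[Evidence("single vendor blog post, no primary data", "E", 4)],
        ),
    ]
    scenarios = [
        {"name": "Scenario 1: exfiltration of client data", "impact": "confidentiality"},
        {"name": "Scenario 2: fraudulent payment injection", "impact": "integrity"},
        {"name": "Scenario X: supplier-originated access", "impact": "integrity"},
    ]
    return claims, scenarios


if __name__ == "__main__":
    result = review_ttir(*build_sample_ttir())
    for line in result["findings"]:
        print("finding:", line)
    print("confidence:", result["confidence"])
    print("CIA gaps:", result["uncovered"])
```

Run stand-alone, the gate flags the "APT29 is confirmed" claim twice (a confirmed status its evidence cannot support, and no alternative hypothesis) while the well-sourced claim passes at high confidence, and it reports that the constructed scenario set never exercises availability. The point is that a claim without graded sourcing, stated confidence and alternatives is rejectable on structure alone, before anyone debates its content.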

We have put together a TIBER-EU Readiness Checklist which you are free to download.
