TIBER-EU · TIBER-DE · DORA TLPT

TIBER-EU: threat-led red teaming as the ECB defined it.

A guide for CISOs, DORA leads and supervisory contacts: what TIBER-EU is, who runs it, how an operation unfolds — and where TIBER-DE, DORA TLPT and CBEST diverge.

ECB framework 2018·ENISA contributor 2021–2024·DORA Art. 26
What is TIBER-EU?

A framework, not a tool.

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) was published by the European Central Bank in 2018. It describes how an intelligence-led attack against a financial entity's production systems is scoped, executed and reviewed. The framework defines roles, phases and governance — not the specific techniques.

It is implemented nationally as TIBER-DE (Deutsche Bundesbank), TIBER-NL, TIBER-IT and others. The TIBER-EU core stays identical so results remain comparable across countries and supervisors.

The four roles

Who sits at the table in a TIBER exercise?

White team

A very small circle inside the firm that coordinates the exercise. Everyone else — SOC included — stays in the dark.

Threat intelligence provider

Delivers the firm-specific Targeted Threat Intelligence Report that drives scenario selection.

Red team provider

Runs the covert operation against live production systems. This is the role Exploit Labs delivers.

TIBER Cyber Team (TCT)

Supervisory side — Deutsche Bundesbank in Germany. Oversees scope, execution and attestation.

Process

Three phases, six to nine months.

1. Preparation phase

Scope, critical functions, white team, TI and RT provider procurement, submission of the scope specification to the Bundesbank.

2. Testing phase

Targeted Threat Intelligence Report → attack scenarios → covert red team operation on live production systems (10–14 weeks active).

3. Closure phase

Report, replay workshop with the blue team, purple teaming, remediation plan, joint 360° report and attestation.

Related frameworks

TIBER-DE, DORA TLPT, CBEST — how do they differ?

FrameworkSupervisorApplies toRelationship to TIBER-EU
TIBER-DEDeutsche BundesbankGerman financial institutions (voluntary / DORA-TLPT implementation)National 1:1 implementation of TIBER-EU
DORA TLPTNational supervisor (BaFin/Bundesbank in Germany)In-scope financial entities under DORA Art. 26 (mandatory)TIBER-EU is the recognised methodology for the TLPT
CBESTBank of England / PRASignificant UK financial institutionsPredecessor and sister framework — comparable structure

In short: TIBER-EU is the methodology. TIBER-DE is its German implementation. DORA TLPT is the obligation that uses the methodology.

Why Exploit Labs

A team that knows the rulebook — because we helped write it.

ENISA contributor 2021–2024

Contributed to European TLPT frameworks and guidance documents.

DORA TLPT completed 2024

Full TLPT exercise delivered for a regulated entity — end-to-end to the TIBER-EU methodology.

One team, one point of contact

No subcontracting. The same operators from kick-off through attestation.

FAQ

Frequently asked questions about TIBER-EU

What is TIBER-EU?

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the framework published by the European Central Bank in 2018 for intelligence-led red teaming across the EU financial sector. It defines how a realistic, threat-led attack is executed against a firm's production systems — with clear roles for the white team, the threat intelligence provider, the red team provider and the national TIBER Cyber Team (in Germany: Deutsche Bundesbank).

Who has to run a TIBER exercise?

TIBER-EU is implemented nationally (TIBER-DE, TIBER-NL, TIBER-IT and others) and has so far been used mostly on a voluntary basis by significant banks, insurers and financial market infrastructures. Since 17 January 2025, DORA Article 26 makes Threat-Led Penetration Tests (TLPT) mandatory for in-scope financial entities — and TIBER-EU is the methodology recognised by the DORA RTS.

How is TIBER-EU different from a normal red team?

Three things are specific to TIBER: (1) supervisory involvement via a national TIBER Cyber Team, (2) a formal threat-intelligence report that drives scenario selection, and (3) mandatory testing on live production systems with a very small white team. A regular red team is more flexible but is not TIBER-compliant without these three elements.

How long does a TIBER exercise take?

Realistically 6–9 months from kick-off to final report: 4–6 weeks of threat intelligence, 10–14 weeks of active red-team execution, then reporting, a replay workshop with the blue team and purple teaming. The active testing window is the shorter part.

Can Exploit Labs run a TIBER exercise?

Yes. Exploit Labs was an ENISA contributor to European TLPT frameworks from 2021 to 2024 and completed a DORA TLPT exercise for a regulated institution in 2024. We deliver the red-team role and coordinate with a separately mandated threat-intelligence provider.

TIBER, TLPT or a focused red team?

We help you decide which format matches your question, your regulatory status and your maturity.