Updated: June 2026

 TIBER-EU has become a central framework for cyber resilience in 2026, particularly for financial entities preparing for DORA-aligned threat-led penetration testing. Developed by the European Central Bank and EU national central banks, it provides a structured approach to intelligence-led ethical red teaming, using realistic threat scenarios to test people, processes and technologies. Since DORA became applicable, TIBER-EU has been updated to align with regulatory technical standards for TLPT. For selected financial entities, this means advanced testing is no longer just best practice. It is part of proving operational resilience under controlled, realistic attack conditions. 

 

rEDTEAMPHYS

 

What Is TIBER-EU?

TIBER-EU stands for Threat Intelligence-Based Ethical Red Teaming for the European Union. It is a European framework for controlled, intelligence-led red team testing designed to help organisations understand how well they can withstand realistic cyber attacks.

Unlike a standard penetration test, TIBER-EU does not focus only on identifying technical weaknesses in a defined system or application. It is broader, more adversary-led and more focused on operational resilience. It uses threat intelligence to simulate the tactics, techniques and procedures of realistic threat actors, then tests how well an organisation can prevent, detect, respond to and recover from that activity.

The framework was originally developed for entities providing core financial infrastructure and the authorities that oversee them. However, its principles can also support organisations in other critical sectors that want to validate resilience against sophisticated threat scenarios.

A TIBER-EU test normally involves several key participants, including the organisation being tested, a control team, threat intelligence providers, red team testers, blue team defenders and, where relevant, the competent authority or TLPT authority overseeing the process.

Why TIBER-EU Matters in 2026

Financial services organisations face persistent pressure from cyber criminals, state-linked actors, hacktivists and other motivated threat groups. Banks, insurers, payment providers, investment firms, fintechs and market infrastructure organisations hold valuable data, move money, support critical services and form part of the wider economic system.

That makes resilience essential.

In 2026, the question is not simply whether an organisation has security controls in place. The real question is whether those controls work when tested against a realistic, intelligence-led attack. Can attackers move from an initial foothold to critical systems? Can defenders detect the activity quickly enough? Do escalation routes work under pressure? Can business-critical functions continue during disruption?

TIBER-EU helps answer those questions by testing real-world capability rather than relying only on policies, audits or point-in-time technical assessments. It provides a structured way to test resilience, uncover gaps and turn findings into practical improvements.

How TIBER-EU Connects to DORA

DORA, the Digital Operational Resilience Act, has raised expectations across the EU financial sector. It covers ICT risk management, incident reporting, third-party risk, resilience testing and oversight of critical ICT third-party providers.

One of DORA’s most important requirements is threat-led penetration testing for selected financial entities. This is where TIBER-EU has become especially relevant.

DORA does not make TIBER-EU mandatory for every financial organisation. Instead, DORA introduces TLPT requirements for financial entities identified by competent authorities, based on factors such as scale, systemic importance, ICT risk profile and critical or important functions.

TIBER-EU has been updated to align with DORA’s TLPT requirements and can be used as a recognised methodology for conducting DORA-aligned testing in a controlled, safe and consistent way. For organisations already familiar with TIBER-EU, this provides continuity. For organisations newly brought into scope, it provides a clear structure for planning and executing advanced testing.

What Is Threat-Led Penetration Testing Under DORA?

Threat-led penetration testing, or TLPT, is an advanced form of resilience testing that uses threat intelligence to simulate realistic cyber attacks against an organisation’s critical or important functions.

Under DORA, selected financial entities must carry out TLPT at least every three years. The test should cover several or all critical or important functions and should be performed on live production systems supporting those functions. This makes TLPT much more significant than a routine penetration test or vulnerability assessment.

The aim is not simply to identify technical exposures. The aim is to understand how a real attacker could target critical services, how far they could progress, whether they would be detected and how effectively the organisation could respond.

Because TLPT can involve live production systems, strong governance is essential. Testing must be carefully planned, authorised and controlled through clear rules of engagement, risk safeguards and communication routes.

 

pentest-1

 

TIBER-EU Vs Traditional Penetration Testing

Traditional penetration testing remains important, but it serves a different purpose from TIBER-EU.

A penetration test usually focuses on a defined asset, application, network, cloud environment or system. It helps identify technical weaknesses and validate whether they could be exploited. It is often used for assurance, compliance or remediation validation.

TIBER-EU is broader. It starts with threat intelligence, defines realistic attack scenarios, targets critical functions and tests detection, response and resilience as well as technical controls.

Traditional Penetration Testing TIBER-EU Threat-Led Testing
Tests specific systems, applications or environments Tests resilience against realistic threat actor behaviour
Often focused on technical exposures Focuses on critical functions, attack paths and operational impact
Usually scoped around known assets Uses threat intelligence to shape realistic attack scenarios
Often known to defenders May test detection and response under controlled surprise conditions
Produces technical findings Produces findings across prevention, detection, response and resilience
Useful for regular assurance Useful for high-impact resilience validation

Both forms of testing matter. Penetration testing helps organisations identify and fix specific technical weaknesses. TIBER-EU helps assess whether the organisation can defend critical services against realistic attacks.

The Main Phases of a TIBER-EU Test

A TIBER-EU assessment is carefully structured to ensure the test is realistic, safe and controlled. While national implementation and DORA-aligned requirements may influence specific details, the process is typically built around preparation, threat intelligence, red team testing, purple teaming, closure and remediation.

Preparation

The preparation phase defines the scope, governance, roles, objectives and control measures for the test. This includes identifying the critical or important functions to be tested, selecting providers, establishing the control team and ensuring that legal, operational and risk considerations are addressed.

Preparation is vital because TIBER-EU testing may involve live production systems. Without strong governance, communication controls and safety measures, a realistic test could create avoidable operational risk.

Threat Intelligence

Threat intelligence is one of the defining features of TIBER-EU. The threat intelligence provider develops a view of the most relevant adversaries, likely attack paths, sector-specific threats, current tactics and realistic scenarios.

This ensures red team activity is not generic. It is based on the kinds of attacks the organisation is most likely to face.

Red Team Testing

The red team uses the intelligence-led scenarios to simulate attacker behaviour. The aim is to test whether the organisation can detect, respond to and contain activity before critical functions are affected.

This activity is controlled, planned and bounded by agreed rules of engagement. However, it should still be realistic enough to test operational resilience under meaningful pressure.

Purple Teaming

Under the updated TIBER-EU framework, purple teaming is a mandatory element. It brings together red team testers, blue team defenders and the control team to review what happened, strengthen detection logic, improve response processes and turn test activity into practical learning.

This is where the organisation moves from testing to improvement. The value is not only in identifying what worked or failed, but in improving the ability to respond to similar activity in the future.

Closure and Remediation

The closure phase includes reporting, lessons learned, remediation planning and, where applicable, engagement with the relevant authority. Findings should be translated into practical improvements, with clear ownership, prioritisation and timelines.

A TIBER-EU test should not end with a report. Its real value comes from remediation, detection tuning, control improvement and operational learning.

Who Should Care About TIBER-EU?

TIBER-EU is most relevant to financial entities and organisations operating in or supporting critical financial services. This includes banks, insurers, payment providers, investment firms, market infrastructure providers, financial technology firms and certain third-party technology providers that support critical or important functions.

For financial entities selected for DORA TLPT, the framework is especially important because it provides a structured approach to meeting advanced testing expectations. For entities not directly in scope, TIBER-EU can still provide a strong model for testing high-impact cyber risks.

Its principles are also relevant beyond financial services. Organisations in critical sectors can use intelligence-led red teaming to understand how realistic adversary activity could affect essential services, business continuity and resilience.

What Makes TIBER-EU Different?

TIBER-EU is different because it connects threat intelligence, red teaming, live-system testing, detection capability, response maturity and remediation into a single controlled process.

The aim is not to produce a long list of technical findings. The aim is to understand whether critical functions can withstand realistic cyber attack scenarios.

That makes the exercise valuable for security teams and senior leaders. A well-run TIBER-EU test can expose gaps in governance, escalation, communications, monitoring, third-party dependencies, identity controls, cloud visibility, network segmentation and incident response processes.

In other words, it tests the organisation, not just the technology stack.

Why Live Production Testing Matters

One of the most important aspects of DORA-aligned TLPT is the focus on live production systems supporting critical or important functions.

This matters because test environments rarely reflect the full complexity of the real organisation. Production systems include live identities, real business processes, operational dependencies, monitoring tools, third-party integrations, privileged access pathways and human response processes.

Testing against live systems must be carefully governed, but it provides a more accurate view of resilience. It shows whether controls work in the environment attackers would actually target.

The key is control. Live-system testing must be conducted under strict rules of engagement, with appropriate safeguards, escalation routes and risk management processes in place.

Common Challenges When Preparing for TIBER-EU

TIBER-EU can be complex to prepare for, especially for organisations conducting this type of assessment for the first time.

Common challenges include defining the right scope, identifying critical functions, coordinating internal teams, selecting qualified providers, preparing legal and operational safeguards, managing business risk, ensuring sufficient logging and monitoring, and creating a clear remediation process.

Organisations may also discover that their internal processes are not ready for this kind of test. For example, they may lack clear escalation routes, centralised asset visibility, mature identity controls, tested incident response plans or visibility across outsourced services.

That is why preparation should begin well before the test window. TIBER-EU should not be treated as a one-off compliance project. It should be part of a wider resilience programme.

How To Prepare For A TIBER-EU Or DORA TLPT Assessment

Organisations should begin by understanding whether they are likely to be in scope and what their competent authority expects. They should then assess their current testing maturity, critical functions, third-party dependencies and ability to support a controlled live-system test.

Preparation Area Why It Matters
Critical function mapping Defines what needs to be tested and why it matters to the business
Asset and dependency visibility Identifies systems, data, identities, suppliers and technologies supporting critical functions
Threat intelligence readiness Ensures testing is based on relevant and credible adversary behaviour
Logging and detection coverage Determines whether the organisation can see and investigate red team activity
Incident response readiness Ensures teams can escalate, investigate and respond under realistic pressure
Legal and risk governance Controls the safety, authorisation and boundaries of the test
Provider selection Ensures threat intelligence and red team providers have the required expertise
Remediation planning Turns findings into measurable improvements

This preparation improves the quality of the test and reduces the risk of avoidable disruption.

What Good TIBER-EU Outcomes Look Like

A successful TIBER-EU test is not necessarily one where the organisation blocks every action immediately. Realistic testing often reveals gaps, and that is part of the value.

Good outcomes include a clearer understanding of attack paths, improved detection logic, stronger response playbooks, better escalation processes, prioritised remediation, improved third-party risk visibility and stronger board-level understanding of operational resilience.

The best organisations use TIBER-EU results to strengthen their wider security programme. They connect findings to MDR, CTEM, incident response, identity security, cloud security, vulnerability management, business continuity and governance.

How Integrity360 Can Help

Integrity360 supports organisations with the services and expertise needed to prepare for, execute and learn from advanced cybersecurity testing.

Our cybersecurity testing specialists can support penetration testing, red team exercises, social engineering, cloud security testing, application security testing and configuration reviews. We also help organisations strengthen the broader capabilities needed for TIBER-EU and DORA-aligned TLPT, including threat intelligence, MDR, incident response, cyber risk advisory, third-party risk management and threat exposure management.

For financial entities, the priority is not just passing a test. It is building a security and resilience programme that can withstand realistic threat actor behaviour.

Contact Us