What It Is
The EU-wide framework for threat intelligence-based ethical red teaming, published by the ECB in 2018. Built on CBEST’s foundation but designed for pan-European mutual recognition. Three mandatory phases with explicit role definitions:
-
Generic Threat Landscape (GTL) — Sector-wide threat analysis. What threats face the financial sector as a whole? What TTPs are trending? This phase is absent in CBEST and provides broader context before institution-specific targeting begins.
-
Targeted Threat Intelligence (TTI) — Institution-specific scenario development by an accredited TI provider. Based on the GTL plus intelligence about adversaries that specifically target this institution.
-
Red Team Test (RT) — Execution against critical live production systems by an accredited red team. The blue team is unaware. A White Team (small internal group) coordinates with the red team and the relevant national authority.
National Adoptions
TIBER-EU is adopted nationally with local adaptations:
- TIBER-NL (Netherlands) — First national adoption
- TIBER-DE (Germany) — Bundesbank implementation
- TIBER-FI (Finland) — Bank of Finland implementation
- And others across the EU
Why It Matters
Mutual recognition is the breakthrough. A TIBER-EU test conducted under TIBER-NL supervision is recognized by other national authorities — meaning a pan-European bank doesn’t need to run separate red team exercises for each regulator. This reduces duplicative testing while maintaining a consistent quality standard.
The Generic Threat Landscape phase is also significant. It means every TIBER-EU engagement starts with sector-wide context, not just institution-specific tunnel vision. This catches threats the institution might not have on their radar.
When to Use It
EU financial institutions, central banks, financial market infrastructures, and any EU-regulated entity subject to DORA (Digital Operational Resilience Act), which mandates TLPT (Threat-Led Penetration Testing) aligned with TIBER-EU methodology.
The Offensive Angle
The White Team concept deserves attention. A small internal group knows the test is happening and manages logistics (emergency stop procedures, legal protections, scope boundaries). Everyone else — including the SOC, incident response team, and CISO — operates as if any activity detected is real. This creates the most realistic adversary simulation possible within legal and ethical bounds.
Pairs Well With
- CBEST — The UK predecessor that TIBER-EU builds upon
- PTES — Technical engagement framework for the red team execution phase
- NIST 800-115 — Governance and planning discipline that complements TIBER-EU’s regulatory structure