Intelligence-Led Red Teaming v1.0

TIBER-EU

TIBER-EU — Threat Intelligence-Based Ethical Red Teaming

European Central Bank (ECB) Source Document →

What It Is

The EU-wide framework for threat intelligence-based ethical red teaming, published by the ECB in 2018. Built on CBEST’s foundation but designed for pan-European mutual recognition. Three mandatory phases with explicit role definitions:

  1. Generic Threat Landscape (GTL) — Sector-wide threat analysis. What threats face the financial sector as a whole? What TTPs are trending? This phase is absent in CBEST and provides broader context before institution-specific targeting begins.

  2. Targeted Threat Intelligence (TTI) — Institution-specific scenario development by an accredited TI provider. Based on the GTL plus intelligence about adversaries that specifically target this institution.

  3. Red Team Test (RT) — Execution against critical live production systems by an accredited red team. The blue team is unaware. A White Team (small internal group) coordinates with the red team and the relevant national authority.

National Adoptions

TIBER-EU is adopted nationally with local adaptations:

  • TIBER-NL (Netherlands) — First national adoption
  • TIBER-DE (Germany) — Bundesbank implementation
  • TIBER-FI (Finland) — Bank of Finland implementation
  • And others across the EU

Why It Matters

Mutual recognition is the breakthrough. A TIBER-EU test conducted under TIBER-NL supervision is recognized by other national authorities — meaning a pan-European bank doesn’t need to run separate red team exercises for each regulator. This reduces duplicative testing while maintaining a consistent quality standard.

The Generic Threat Landscape phase is also significant. It means every TIBER-EU engagement starts with sector-wide context, not just institution-specific tunnel vision. This catches threats the institution might not have on their radar.

When to Use It

EU financial institutions, central banks, financial market infrastructures, and any EU-regulated entity subject to DORA (Digital Operational Resilience Act), which mandates TLPT (Threat-Led Penetration Testing) aligned with TIBER-EU methodology.

The Offensive Angle

The White Team concept deserves attention. A small internal group knows the test is happening and manages logistics (emergency stop procedures, legal protections, scope boundaries). Everyone else — including the SOC, incident response team, and CISO — operates as if any activity detected is real. This creates the most realistic adversary simulation possible within legal and ethical bounds.

Pairs Well With

  • CBEST — The UK predecessor that TIBER-EU builds upon
  • PTES — Technical engagement framework for the red team execution phase
  • NIST 800-115 — Governance and planning discipline that complements TIBER-EU’s regulatory structure