The Austrian National Bank (OeNB) and the Austrian Financial Market Authority (FMA) have launched mandatory simulated cyberattacks, carried out by "ethical hackers", for selected financial companies in Austria. The launch is accompanied by an updated TIBER-AT Implementation Guide that implements key requirements of the EU Digital Operational Resilience Act (DORA). The framework is based on the European System of Central Banks' Threat Intelligence-based Ethical Red Teaming (TIBER) approach and reflects the European Supervisory Authorities' regulatory technical standard (RTS) on threat-led penetration testing (TLPT). Under DORA and the TLPT standard, systemically important financial entities providing core financial services are, in principle, required to carry out such tests at least every three years, using controlled simulations of realistic attacks against critical IT systems to identify weaknesses before a real attacker does. OeNB's TIBER Cyber Team Austria oversees the tests to ensure consistent, rules-compliant execution; after completion, the FMA or the European Central Bank issues a formal attestation confirming that the test meets the legal requirements. The TIBER-AT framework was first applied in Austria in a pilot phase following publication of the guide in November 2023 and has now been updated to reflect the new regulatory requirements.
Austrian National Bank (OeNB) 2025-07-29
Austrian National Bank and Austrian Financial Market Authority begin mandatory TIBER-AT threat-led penetration testing for selected financial firms
The Austrian National Bank and the Financial Market Authority have initiated mandatory simulated cyberattacks for selected financial companies, supported by an updated TIBER-AT Implementation Guide under the EU Digital Operational Resilience Act. The framework requires systemically important financial entities to conduct threat-led penetration testing at least every three years. The OeNB's TIBER Cyber Team Austria will oversee these tests, and the FMA or the European Central Bank will issue a formal attestation confirming compliance after each test.