The European Central Bank has published an implementation guide for the TIBER-EU framework, setting out how authorities and entities can run controlled, intelligence-led ethical red team tests against live production systems to assess and improve cyber resilience. The document also positions TIBER-EU as operational guidance for conducting Threat-Led Penetration Tests (TLPT) under Regulation (EU) 2022/2554 (the Digital Operational Resilience Act, DORA), with the aim of supporting consistency and mutual recognition of test results across EU jurisdictions.

The guide describes adoption as voluntary for jurisdictions. A jurisdiction that adopts it must produce a national or European implementation document with prescribed minimum content and notify the ECB-hosted TIBER-EU Knowledge Centre, which monitors compatibility across implementations. The guide sets out roles for TIBER authorities and their TIBER Cyber Teams, the tested entity's Control Team, an external Threat Intelligence Provider (required) and Red Team Testers (external providers strongly encouraged, with limited exceptions for internal testers), together with confidentiality and risk-management expectations, since tests are run against critical or important functions on live systems.

The testing lifecycle is structured into preparation, testing and closure phases: scoping of critical or important functions and the "flags" the red team must capture, a threat intelligence report that feeds the red team test plan, a minimum 12-week active testing period, and post-test reporting, replay and purple teaming, remediation planning and a TIBER authority attestation that underpins mutual recognition.
European Central Bank 2025-02-11
European Central Bank publishes guidance for implementing TIBER-EU threat intelligence-led red team testing
The European Central Bank released an implementation guide for the TIBER-EU framework, detailing how authorities and entities can conduct intelligence-led ethical red team tests to enhance cyber resilience. The guide serves as operational guidance for Threat-Led Penetration Tests under Regulation (EU) 2022/2554 (DORA), promoting consistency and mutual recognition across EU jurisdictions. It outlines the roles of the teams involved, the preparation, testing and closure phases, and confidentiality expectations for tests that target critical or important functions.