The Italian Securities Commission (Consob), together with the Bank of Italy and IVASS, published an updated national TIBER-IT guide for advanced cybersecurity testing in the Italian financial sector to incorporate requirements stemming from the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA). The updated TIBER-IT is positioned as the single methodological framework for Italian financial entities to conduct threat-led penetration testing (TLPT), both where such tests are mandatory under DORA and where entities choose to run them voluntarily. Under DORA, certain financial entities identified by the competent authorities using qualitative and quantitative criteria must perform TLPT on their information and communication technology systems at least every three years. The revised guide reflects the TLPT provisions in DORA, the European Commission’s delegated regulation on TLPT, and the updated TIBER-EU framework.
Italian Securities Commission (Consob), 2025-12-11
Italian Securities Commission, Bank of Italy and IVASS update the TIBER-IT guide to align threat-led penetration testing with the EU Digital Operational Resilience Act
The Italian Securities Commission, with the Bank of Italy and IVASS, released an updated TIBER-IT guide for cybersecurity testing in the financial sector, aligning with the EU Digital Operational Resilience Act (DORA). This guide serves as the framework for mandatory and voluntary threat-led penetration testing (TLPT) by financial entities. It incorporates DORA's TLPT requirements, the European Commission’s delegated regulation, and the updated TIBER-EU framework.