Austrian Financial Market Authority and Oesterreichische Nationalbank make TIBER-AT cyber attack simulations mandatory for selected financial undertakings

The Oesterreichische Nationalbank (OeNB) and the Austrian Financial Market Authority (FMA) published a revised TIBER-AT Implementation Guide, initiating mandatory simulated cyber attacks by “ethical hackers” for selected financial undertakings in Austria. The update implements a key requirement of the EU Digital Operational Resilience Act (DORA) and the European Supervisory Authorities’ regulatory technical standards on Threat-Led Penetration Testing (TLPT). TIBER (Threat Intelligence-Based Ethical Red Teaming) is an European System of Central Banks framework designed to test cyber resilience by replicating real attacks under strictly controlled conditions and identifying vulnerabilities in critical IT systems. Following the application of DORA and the TLPT standards, systemically relevant financial undertakings that provide central financial services will, as a rule, be required across the EU to conduct these exercises on a three-year cycle; Austria previously ran TIBER-EU in a pilot phase from November 2023 with voluntary participation. OeNB’s TIBER Cyber Team Austria (TCT-AT) will accompany the tests to ensure consistent execution and compliance with the rules, and completed tests will be subject to an official certification process by the FMA or the European Central Bank to confirm conformity with legal requirements.