Bank of Italy, CONSOB and IVASS have updated the TIBER-IT National Guide for advanced cybersecurity testing in the Italian financial sector to reflect the requirements introduced by Regulation (EU) 2022/2554 on digital operational resilience (DORA). The revised guide is positioned as the single methodological framework for Italian financial entities to carry out Threat-Led Penetration Testing (TLPT) of their ICT systems, whether required under DORA or conducted voluntarily by entities outside the mandatory scope. DORA requires certain financial entities, identified by the competent authorities using qualitative and quantitative criteria, to perform TLPT at least once every three years. The updated TIBER-IT Guide incorporates the latest TLPT provisions under DORA, the related TLPT delegated regulation adopted by the European Commission, and the updated version of TIBER-EU.
Bank of Italy 2025-12-11
Bank of Italy, CONSOB and IVASS update TIBER-IT guide to align threat-led penetration testing with DORA
The Bank of Italy, CONSOB, and IVASS have updated the TIBER-IT National Guide for cybersecurity testing in the Italian financial sector to align with Regulation (EU) 2022/2554 on digital operational resilience (DORA). The guide serves as the unified framework for Threat-Led Penetration Testing (TLPT) of ICT systems, applicable to both mandatory and voluntary testing. DORA requires certain financial entities, identified by the competent authorities, to conduct TLPT at least once every three years. The updated guide incorporates the latest TLPT provisions under DORA and the related delegated regulation adopted by the European Commission.