TIBER-EU, issued in 2018, was the first EU-wide guideline on how authorities, critical entities (including financial entities) and threat intelligence/red-team providers should operate and carry out cyber security testing using controlled cyberattacks. It is a common framework that delivers a controlled, bespoke, intelligence-led red team test of entities’ critical live production systems. These tests mimic the tactics, techniques and procedures (TTPs) of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat to entities. The test involves the use of a variety of techniques to simulate an attack on an entity’s critical functions and underlying systems (i.e. its people, processes and technologies). It helps an entity to assess its protection, detection and response capabilities. The test does not result in a pass or fail but is intended to enable the entity to learn and evolve to a higher level of cyber maturity.
Financial entities in scope of the TIBER-EU framework are payment systems, central securities depositories, central counterparty clearing houses, trade repositories, credit rating agencies, stock exchanges, securities settlement platforms, banks, payment institutions, insurance companies, asset management companies and any other service providers deemed critical for the functioning of the financial sector.
TIBER-EU introduced five different teams with specialised roles:
Within DORA’s aim to increase digital operational resilience, new requirements oblige certain financial entities to conduct advanced testing based on threat-led penetration testing (TLPT), thus requiring all EU member states to follow the TIBER-EU framework. Specifically, DORA requires authorities to identify financial entities subject to the obligation to perform TLPT.
To help authorities identify the applicable financial entities, DORA specifies that financial entities may only use testers for the carrying out of TLPT which:
The consultation aims to obtain the stakeholders’ opinions before the implementation of the TIBER-EU framework by determining:
Interested stakeholders are invited to submit their opinion via email to the MFSA no later than 6th April 2023.
For further information and assistance kindly contact Dr Ian Gauci.