ECB TIBER-EU Framework

European Union (coordinated by ENISA, adopted by national authorities and the ECB)

v2023

5 domains

20 controls

The ECB TIBER-EU Framework for Threat Intelligence-based Ethical Red Teaming, the European framework for controlled, intelligence-led red-team testing of the live production systems of financial entities. Defines a three-phase process (Preparation, Testing, Closure) supported by an optional jurisdiction-level Generic Threat Landscape, the roles of the White/Control Team, Blue Team, Red Team, threat-intelligence provider and the authority TIBER Cyber Team, and the deliverables (Targeted Threat Intelligence Report, Red Team Test Plan and Report, Blue Team Report, replay/purple teaming, Test Summary Report, Remediation Plan and attestation). TIBER-EU underpins mutual recognition of threat-led penetration testing under DORA.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (5)

TIBER-EU Governance and DORA Alignment

2 controls

Controls in the TIBER-EU Governance and DORA Alignment domain of ECB TIBER-EU Framework — 2 controls
Code	Title	Description
TIBER-GOV-1	TIBER-EU adoption and programme governance	The TIBER-EU framework is adopted and governed at the jurisdiction level (national implementation), with a TIBER Cyber T...
TIBER-GOV-2	Cross-border coordination (TIBER-XX)	For entities operating across borders or as a group, tests are coordinated across the relevant authorities (TIBER-XX) to...

TIBER-EU Phase 0: Generic Threat Landscape

1 controls

Controls in the TIBER-EU Phase 0: Generic Threat Landscape domain of ECB TIBER-EU Framework — 1 controls
Code	Title	Description
TIBER-0.1	Generic Threat Landscape	A Generic Threat Landscape (GTL) for the jurisdiction/sector is produced (by the relevant authorities) to inform the thr...

TIBER-EU Phase 1: Preparation

5 controls

Controls in the TIBER-EU Phase 1: Preparation domain of ECB TIBER-EU Framework — 5 controls
Code	Title	Description
TIBER-1.1	Test initiation and launch	The test is initiated and launched through engagement between the entity and the authority's TIBER Cyber Team (TCT), con...
TIBER-1.2	White Team establishment and confidentiality	A small White Team (Control Team) led by a White Team Lead is established to manage the test confidentially; the Blue Te...
TIBER-1.3	Scoping of critical functions and flags	The White Team and TCT define the scope, including the critical or important functions, the underlying systems and peopl...
TIBER-1.4	Procurement of threat intelligence and red team providers	The entity procures qualified threat-intelligence and red-team providers in line with the TIBER-EU Services Procurement...
TIBER-1.5	Risk management for live testing	A risk management approach is agreed for testing on live production systems, including controls, escalation procedures a...

TIBER-EU Phase 2: Testing

4 controls

Controls in the TIBER-EU Phase 2: Testing domain of ECB TIBER-EU Framework — 4 controls
Code	Title	Description
TIBER-2.1	Targeted Threat Intelligence Report	The threat-intelligence provider prepares a Targeted Threat Intelligence (TTI) Report on the entity, identifying realist...
TIBER-2.2	Red Team Test Plan	The red-team provider develops a Red Team Test Plan that translates the threat scenarios from the TTI Report into attack...
TIBER-2.3	Active red team testing on live production	The red team conducts active testing against the entity's live production systems supporting critical functions, attempt...
TIBER-2.4	Blue Team detection and response (unaware)	The Blue Team responds to the activity as it would to a real attack, without prior knowledge, providing a realistic meas...

TIBER-EU Phase 3: Closure

8 controls

Controls in the TIBER-EU Phase 3: Closure domain of ECB TIBER-EU Framework — 8 controls
Code	Title	Description
TIBER-3.1	Red Team Test Report	The red-team provider drafts a Red Team Test Report detailing the scenarios executed, the attack paths, findings and obs...
TIBER-3.2	Blue Team Report	The Blue Team produces a report on what it detected and how it responded, to be compared with the red-team activity.
TIBER-3.3	Replay and purple teaming workshop	A replay/purple-teaming workshop is held where the red and blue teams walk through the attack scenarios together to maxi...
TIBER-3.4	360-degree feedback meeting	A 360-degree feedback meeting is held among the key stakeholders (entity, providers, authority) to review the test and t...
TIBER-3.5	Test Summary Report	A Test Summary Report on the findings (including the Remediation Plan) is produced, summarising the test outcomes for th...
TIBER-3.6	Remediation Plan	The entity agrees and finalises a Remediation Plan for the findings, in close consultation with the supervisor/authority...
TIBER-3.7	Attestation	An attestation is provided confirming that the test was conducted in accordance with the TIBER-EU requirements.
TIBER-3.8	Results sharing and mutual recognition	Test results and attestations may be shared with relevant authorities, and (for cross-border/group tests) recognised acr...

Maps to 2 other frameworks

20 total controls

DORA

3 source controls mapped|2 target controls covered

15%

NIST SP 800-53 Rev 5

1 source controls mapped|1 target controls covered

Compare ECB TIBER-EU Framework with DORA

Frequently Asked Questions

What is ECB TIBER-EU Framework?

ECB TIBER-EU Framework is a compliance framework from European Union (coordinated by ENISA, adopted by national authorities and the ECB) with 5 domains and 20 controls. The ECB TIBER-EU Framework for Threat Intelligence-based Ethical Red Teaming, the European framework for controlled, intelligence-led red-team testing of the live production systems of financial entities. Defines a three-phase process (Preparation, Testing, Closure) supported by an optional jurisdiction-level Generic Threat Landscape, the roles of the White/Control Team, Blue Team, Red Team, threat-intelligence provider and the authority TIBER Cyber Team, and the deliverables (Targeted Threat Intelligence Report, Red Team Test Plan and Report, Blue Team Report, replay/purple teaming, Test Summary Report, Remediation Plan and attestation). TIBER-EU underpins mutual recognition of threat-led penetration testing under DORA. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does ECB TIBER-EU Framework have?

ECB TIBER-EU Framework has 20 controls organised across 5 domains. The largest domains are TIBER-EU Phase 3: Closure (8 controls), TIBER-EU Phase 1: Preparation (5 controls), TIBER-EU Phase 2: Testing (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does ECB TIBER-EU Framework map to?

ECB TIBER-EU Framework maps to 2 other compliance frameworks. The top mapping partners are DORA (15% coverage), NIST SP 800-53 Rev 5 (5% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with ECB TIBER-EU Framework compliance?

Start your ECB TIBER-EU Framework compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ECB TIBER-EU Framework requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 20 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required