DORA and TIBER: Building Cyber Resilience in Finance
Digital Operational Resilience Act (DORA) is an EU regulation enacted to ensure that financial entities (banks, insurers, investment firms, crypto firms, etc.) can withstand, respond to, and recover from ICT disruptions. DORA takes effect 17 Jan 2025, harmonizing digital resilience rules across the EU’s financial sector. It covers ICT risk management, incident reporting, third‑party risk, resilience testing, information sharing and oversight of critical ICT service providers. By requiring a common “playbook” for digital shocks, DORA pulls even large institutions into a uniform framework: in total it applies to 20+ types of financial entities (12 under ESMA alone) and to ICT third‑party providers designated as critical.
Figure: DORA (Digital Operational Resilience Act) – EU cyber‑resilience framework.
European regulators developed DORA in response to rising cyber threats and third‑party risks. Nearly one‑fifth of reported cyber incidents over the past 20 years hit the financial sector, causing roughly $12 billion in losses (about $2.5B since 2020). Outages or hacks can cascade across institutions (e.g. a cloud or payment provider failure affecting many banks), so DORA enforces strict ICT governance. For example, institutions must maintain a comprehensive ICT risk‑management framework, maintain inventories of digital assets and interdependencies, and plan for ICT disruptions. They also must catalog all third‑party service providers and implement exit/continuity plans and tighter contracts for critical providers. In other words, any data center, cloud platform or fintech whose outage could cripple financial functions is swept into DORA’s scope, with new oversight powers for regulators.
- ICT Risk Management: Institutions must follow detailed policies, processes and controls to actively identify and mitigate digital risks. This includes asset inventories, vulnerability scanning (even weekly scans), strong patching and encryption, and board‑level oversight.
- Third‑Party Risk: DORA extends rules to ICT suppliers. Critical third‑party providers (CTPPs) – e.g. cloud or telecom firms whose failure could disrupt finance – must implement robust resilience measures (risk management, incident reporting, business continuity, etc.) and agree to audits by regulators.
- Resilience Testing: Firms must run both basic tests (e.g. regular vulnerability scans and penetration tests) and advanced threat‑led tests. The most rigorous test required is Threat‑Led Penetration Testing (TLPT) at least every 3 years for most financial entities (larger entities or higher‑risk ones may be tested more often).
- Incident Reporting: DORA mandates standardized reporting of major ICT incidents. For severe incidents, institutions must notify regulators rapidly (e.g. within 4 hours) and publish follow-up reports. This ensures lessons are shared and sector‑wide risks are tracked.
- Information Sharing: The regulation encourages sharing threat intelligence across the sector, building on practices from ENISA and other EU initiatives.
- Oversight of CTPPs: National and EU authorities can designate CTPPs and perform direct audits and require evidence of compliance (a new EU oversight framework is being set up).
DORA’s requirements are ambitious and interconnected. For example, a bank must prove it has clearly mapped business services to underlying tech, and then regularly test those services against real‑world cyberattack scenarios. In fact, regulators explicitly based DORA’s advanced testing requirements on existing frameworks like TIBER‑EU.
What is TIBER‑EU? Threat‑Led Red‑Teaming for Financial Resilience
TIBER‑EU is an EU framework for Threat Intelligence‑based Ethical Red Teaming. It defines a rigorous, intelligence‑driven red‑team process to simulate sophisticated attacks on core financial entities. A typical TIBER‑EU engagement has three phases:
- Preparation: Define scope and objectives. The entity identifies its critical functions/systems and aligns with the national competent authority. A threat intelligence provider gathers intelligence on relevant threat actors (for example, advanced persistent threat groups targeting the sector) to shape realistic attack scenarios.
- Testing (Red Team Exercise): Guided by the gathered intelligence, a hired red team conducts a controlled cyberattack (using the adversary’s known tactics, techniques and procedures). They attempt to breach agreed targets without alerting the organization’s own defenders (blue team). Meanwhile, a control (white) team ensures the test stays safe. This phase closely mimics real threats and is not a simple “pen‑test” of individual systems, but an end‑to‑end breach simulation.
- Closure: After the exercise, all parties (red, blue, intelligence, and regulators) review the findings. The goal is not to grade pass/fail, but to reveal strengths and weaknesses in detection, response and controls. Any gaps identified are fed into remediation plans. Often a “purple‑team” session (joint red/blue debrief) is conducted to validate improvements.
Figure: Threat‑led testing involves cross‑functional teams (red attackers, blue defenders, intelligence analysts) working under strict control.
TIBER‑EU was jointly developed by the ECB and national banks and first published in 2018; it was updated in 2024 to align fully with DORA’s threat‑led testing standards. The updated framework now mandates integration of purple teaming, harmonized terminology, and stricter timelines to mirror DORA’s TLPT rules. Dozens of EU countries (Austria, Belgium, Czechia, Denmark, Finland, France, Germany, etc.) and the ECB have adopted TIBER‑EU, enabling mutual recognition of tests across borders.
Key points about TIBER‑EU: It builds on the existing Red Team concept but injects live threat intelligence. According to experts, “DORA regulation was largely modeled after the existing TIBER framework”. The difference is mainly formality and scope: under TIBER, tests are strictly overseen by authorities and purple teaming is strongly recommended, whereas DORA later made purple teaming mandatory. In practice, TIBER‑EU tests typically last a few months: preparatory planning (weeks), followed by 6–8 weeks of active testing and reporting. Unlike a checklist pentest, TIBER‑EU aims for learning; stakeholders rarely know the attack in advance, so even a defender “win” (detecting the red team) is logged as valuable feedback.
DORA Requirements & TIBER in the Testing Framework
DORA specifically requires regular testing of cyber resilience. Article 26 of DORA mandates that financial entities conduct advanced threat-led penetration testing (TLPT) at least once every 3 years (more frequently for higher-risk entities). In addition, basic vulnerability scans must run weekly and traditional penetration tests yearly for critical systems. TIBER-EU tests fully qualify as TLPT under DORA: ECB guidance explicitly notes that following TIBER-EU “can assist ... in meeting the requirements for threat-led penetration tests under DORA”. Moreover, in 2024 DORA’s Regulatory Technical Standards on TLPT were finalized, and TIBER-EU was updated to mirror those standards (e.g. definitions, roles, timelines).
Practically, this means a bank can satisfy DORA’s TLPT obligation by running a TIBER-EU test according to the new framework. Conversely, competent authorities encourage all DORA-regulated entities to consider the TIBER approach for their advanced tests, since it is a recognized “gold standard” for cyber resilience testing. (One comment notes that the TIBER approach “exceeds traditional red teaming” by involving regulators and threat intelligence at every step.)
Importantly, DORA allows some flexibility on testing method: firms may use internal teams for TLPT, but only up to two out of every three testing cycles, and even then only if their threat intelligence was sourced externally. The rest of the time an independent red team must be hired. In all cases, DORA insists that TLPT use up-to-date external threat intelligence – exactly as TIBER-EU requires.
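As an added illustration (not code from the page, from DORA, or from any regulator's tooling), here is a small Python checker that encodes the cadence rules just described: a TLPT at least every three years, internal teams for at most two of every three cycles, and externally sourced threat intelligence whenever an internal team is used. The cycle fields, the finding codes, and the sample history are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed encoding of the page's wording (not legal text): TLPT at least every
# three years; internal red teams for at most two of every three cycles, and
# then only when threat intelligence came from an outside provider.
MAX_GAP_YEARS = 3
WINDOW = 3
MAX_INTERNAL_PER_WINDOW = 2


@dataclass(frozen=True)
class TlptCycle:
    start: date
    internal_team: bool   # entity's own red team rather than a hired one
    external_intel: bool  # threat intelligence bought from an outside provider


def add_years(d: date, n: int) -> date:
    """Calendar addition that survives a 29 Feb start date."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 Feb rolling into a non-leap year
        return d.replace(year=d.year + n, day=28)


def check_tlpt_history(cycles):
    """Return (cycle start ISO date, finding code) pairs; empty means consistent."""
    findings = []
    ordered = sorted(cycles, key=lambda c: c.start)
    # Each TLPT must start no later than three years after the previous one
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start > add_years(prev.start, MAX_GAP_YEARS):
            findings.append((cur.start.isoformat(), "gap_exceeded"))
    # An internal team is only allowed with externally sourced intelligence
    for c in ordered:
        if c.internal_team and not c.external_intel:
            findings.append((c.start.isoformat(), "internal_without_external_intel"))
    # Sliding window: at most two internal cycles out of any three consecutive ones
    for i in range(len(ordered) - WINDOW + 1):
        window = ordered[i:i + WINDOW]
        if sum(c.internal_team for c in window) > MAX_INTERNAL_PER_WINDOW:
            findings.append((window[-1].start.isoformat(), "too_many_internal_cycles"))
    return findings


# Constructed sample history (not a real entity's data)
SAMPLE = [
    TlptCycle(date(2022, 3, 1), internal_team=False, external_intel=True),
    TlptCycle(date(2025, 2, 1), internal_team=True, external_intel=True),
    TlptCycle(date(2028, 1, 15), internal_team=True, external_intel=True),
    TlptCycle(date(2031, 4, 1), internal_team=True, external_intel=False),
]

if __name__ == "__main__":
    for start, code in check_tlpt_history(SAMPLE):
        print(start, code)
```

The fourth sample cycle trips all three rules at once, which is the kind of drift a multi-year testing calendar tends to accumulate unnoticed.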
Preparing for DORA and TIBER Compliance
Practical steps: Organizations should start by performing a comprehensive gap analysis. Map all critical functions to ICT systems, and inventory third-party providers. Then:
- Strengthen ICT Governance: Build or refine a risk-management framework to align with DORA’s ICT requirements. Document policies, assign clear responsibilities, and routinely report status to senior management.
- Manage Third Parties: Identify which service providers meet DORA’s “critical” criteria. Update vendor contracts with DORA‑compliant clauses (exit plans, security obligations, audit rights). Consider recruiting or appointing DORA-facing compliance or risk leads.
- Plan Resilience Testing: Draft a testing schedule satisfying DORA: e.g. weekly automated scans, annual pen tests, plus TLPT every 3 years. For TLPT, select qualified threat-intel and red-team vendors (due diligence is crucial). Engage regulators early: under TIBER-EU, tests are typically “nominated” by the national cyber team and are preceded by a formal scoping/memorandum of understanding. For multinational entities, leverage joint TIBER tests where available.
- Conduct Threat Intelligence Gathering: Either internally or via third parties, gather relevant cyber threat intelligence on likely adversaries and attack vectors to inform both penetration tests and risk assessments. TIBER-EU even provides procurement guidance on selecting qualified threat-intel providers.
- Run Tabletop/Purple Team Exercises: Before a full red-team engagement, consider doing a tabletop crisis simulation or a purple team drill with IT/IR staff to build readiness. As Deloitte notes, TIBER-EU now mandates purple teaming to maximize learning. Training defenders on red-team findings in real time helps close gaps.
- Streamline Incident Reporting: Ensure the IT/security team understands DORA’s incident thresholds. Build an internal workflow to classify and escalate incidents quickly – DORA requires notification of a “major ICT incident” within hours.
From an organizational standpoint, project managers should coordinate between legal (for contracts), compliance, IT, and business units to integrate DORA/TIBER into ongoing risk programs. External advisers or consultants can help interpret the technical standards (especially for smaller firms). The deadline (Jan 2025) is looming, so many specialists recommend accelerating planning now. One consultancy put it plainly: “Since DORA becomes mandatory on January 17, 2025, financial sector organizations must act quickly to integrate these requirements into their security strategies”.
Risks and Benefits of TIBER Assessments
Benefits: Conducting TIBER-style tests yields clear resilience improvements. By simulating realistic threats, organizations expose hidden vulnerabilities in people, processes and technology before real attackers do. In short, it shifts cybersecurity from theoretical planning to practical validation. Other benefits include:
- Unbiased Evaluation: Because external red teams (and regulators) are involved, the findings are more objective and credible. The outcome isn’t “pass/fail” but actionable gaps.
- Learning & Preparedness: TIBER-EU explicitly emphasizes training defenders (purple teaming) as part of the process. This turns each test into a learning exercise, improving IR playbooks and detection tools.
- Regulatory Alignment: Using TIBER-EU (or a similar TLPT) directly satisfies DORA’s toughest compliance item – so it kills two birds: meets regulator expectations and demonstrably improves readiness.
- Stakeholder Confidence: Executives and board members can show auditors/regulators that they have “real‑world tested” their defenses. In sectors like finance where trust is paramount, this can be a competitive or reputational advantage.
Risks and Challenges: Of course, threat-led testing requires resources. Key considerations include:
- Cost & Time: Full-scope TIBER tests are expensive (involving external experts and threat intel providers) and time-consuming (months of work). Smaller firms may struggle with the investment.
- Operational Disruption: Although controlled, there is a risk (mitigated by the TIBER control team) that a test could trigger alerts or impact services. Firms must carefully plan which systems to include.
- Data/Privacy Concerns: Red teams may encounter sensitive data during tests. Strong non‑disclosure and data protection measures are needed. TIBER-EU mandates careful legal approvals for this reason.
- Detection Uncertainty: If an organization’s blue team is too effective and catches the red team early, the scenario may shift on the fly. While this is a success point, it can complicate test execution and comparisons with other organizations.
- Scope Misalignment: If threat intelligence is outdated or the test scope is too narrow, the exercise may miss real vulnerabilities. Indeed, experts warn that “TIBER-EU fails without real threat intelligence” – using stale intel would undercut the whole purpose.
Overall, most CISOs view TIBER‑style testing as a strategic investment. The downside (expenditure and effort) is generally outweighed by the upside of discovering weaknesses before attackers do. And critically, failure to test leaves organizations blind to gaps; given the multi‑billion dollar losses already seen in finance, proactive testing is often considered prudent risk management.
Figure: Illustrative cyber‑resilience maturity chart, comparing typical progress with (green) vs. without (gray) proactive threat‑led testing. In practice, organizations adopting frameworks like TIBER‑EU often achieve higher maturity and readiness (investment in cyber resilience is cumulative over time). By regularly “testing with real threats,” firms can climb maturity levels faster than those relying on routine audits alone. (Infographic elements photo credit: Pixabay)
In conclusion, DORA and TIBER‑EU are complementary pillars of EU cyber resilience for finance. DORA mandates resilience and how often to test it, while TIBER‑EU provides the method for testing it thoroughly. Organizations that embrace both – strengthening ICT governance and performing threat‑led tests – will meet compliance and, more importantly, significantly bolster their defenses. As one expert put it, DORA essentially says “failing to prepare is preparing to fail”; using TIBER‑EU helps ensure that preparation means true cyber‑resilience in practice.
Sources: Official EU guidance and regulatory texts; European Central Bank and ESMA publications; expert analysis from cybersecurity firms and consultancies; industry reports. These authoritative sources detail DORA’s scope and requirements, TIBER‑EU procedures, and the data behind cyber resilience efforts in finance.