The European Central Bank has published a paper outlining how the European framework for threat intelligence-based ethical red teaming, the TIBER-EU framework, can help competent authorities and financial entities fulfil their threat-led penetration testing requirements under the EU Digital Operational Resilience Act. TIBER-EU is a common European framework that delivers a controlled, bespoke and intelligence-led red team test of financial entities' critical live production systems. It was established as a tool for testing and improving key elements of the cyber resilience of participating financial entities, while focusing heavily on the learning opportunities provided by the testing. The ECB suggests that guiding and performing threat-led penetration testing on the basis of the DORA regulatory technical standards alone will be challenging given the high standards required by such tests but that TIBER-EU will alleviate these difficulties to a large extent and provides a framework that can be used to fulfil the DORA threat-led penetration testing requirements. The paper considers the benefits of the TIBER-EU framework for authorities and financial entities subject to DORA.
[View source.]
