On 21 November 2025, the European Central Bank (ECB) issued a guide that sets out how it adopts and implements the TIBER-EU framework for the threat-led penetration testing (TLPT) of significant institutions that have been identified as subject to TLPT under the Digital Operational Resilience Act (DORA).

Background

Under Articles 26 and 27 of DORA, financial entities must carry out, at least every three years, advanced operational resilience testing by means of TLPT. The ECB is the competent authority and TLPT authority (TLPTA) for significant institutions under Articles 26 and 46 of DORA and is thus ultimately responsible for the operationalisation of TLPT. To help significant institutions fulfil the DORA TLPT requirements, the ECB has decided to adopt the Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU). The TIBER-EU framework enables European and national authorities to perform TLPT for financial entities within their remit in order to further strengthen these entities’ resilience to sophisticated cyberattacks.

Guide

The guide describes how the TIBER-EU framework is adopted and implemented by the ECB for the mandatory DORA TLPT of significant institutions as identified by the ECB. It provides guidance to significant institutions and all relevant stakeholders on the approach to be taken when carrying out the TLPT in practice, with the aim of helping them fulfil the requirements under DORA and the regulatory technical standards on TLPT (Commission Delegated Regulation (EU) 2025/1190), while at the same time offering flexibility to adapt each test to the specific characteristics of the individual significant institution.

Next steps

The ECB will inform the relevant significant institutions that they have been identified as subject to mandatory TLPT. It will require each of the identified significant institutions to appoint a single point of contact for each test to ensure secrecy.