Threat Intelligence-Based Ethical Red Teaming in Austria (TIBER-AT)

Combating cybersecurity risks through threat-led penetration testing

For financial institutions, defending against cyberattacks and handling cybersecurity risks is a crucial part of managing risk.

Across the EU, the requirements for managing cybersecurity risks in the financial sector have been harmonised in the Digital Operational Resilience Act (DORA), which entered into force in early January 2023. From early 2025, financial institutions will be required to observe DORA requirements. This includes the requirement to undertake threat-led penetration testing (TLPT) as part of managing and combating cybersecurity risks.

The methodology to be applied for DORA-related TLPT tests in Austria is in line with the TIBER-EU framework.

TIBER-EU – a harmonised EU framework for threat-led penetration testing

TIBER-EU is a TLPT framework developed by the European System of Central Banks (ESCB). TIBER stands for “threat intelligence-based ethical red teaming” and focuses on the simulation of real-life cyberattacks.

The TIBER framework provides requirements and cooperation guidelines for authorities, financial institutions and cyberattack specialists with a view to testing and enhancing the cyber resilience of financial institutions through controlled cyberattacks.

TIBER-EU provides for the simulation of real-life attacks on the critical production systems of financial institutions. The tests are therefore conducted under strict security provisions. It is up to the tested financial institutions to undertake all necessary measures to ensure that the tests do not create any risks, neither for themselves nor for their customers and clients.

TIBER-AT – Austria’s national implementation of TIBER-EU

TIBER-AT is the national implementation of the TIBER-EU framework in Austria. The national “TIBER-AT Implementation Guide” defines the key elements of TIBER-AT tests and outlines the national specifics of implementing TIBER-EU in Austria. This makes it possible to conduct TLPT tests of financial institutions using standardised TIBER-EU procedures.

The TIBER-AT Implementation Guide already broadly reflects the TLPT-related DORA requirements. The TIBER-AT Implementation Guide will be updated towards the end of 2024 to ensure full alignment with the regulatory technical standards for TLPT, which are expected to be published by the European Supervisory Authorities in mid-2024 in accordance with Article 26(11) of Regulation (EU) 2022/2554.

The TIBER Cyber Team at the Oesterreichische Nationalbank (OeNB) is responsible for implementing TIBER-EU in Austria and accompanies all TIBER-AT tests in cooperation with the FMA. Financial institutions interested in conducting a TIBER-AT test should approach the OeNB’s TIBER Cyber Team.

Furthermore, the OeNB’s TIBER Cyber Team is responsible for drafting and developing the TIBER-AT Implementation Guide and is a member of the ESCB TIBER-EU Knowledge Centre, which drafts and develops the European framework at the EU level.

Further Information

Links

What is TIBER-EU? – Website of the ECB on TIBER-EU

Downloads

TIBER-AT Implementation Guide – PDF instructions for download

TIBER-EU Framework – European framework for Threat Intelligence-based Ethical Red Teaming

Contact

TIBER Cyber Team Austria

[email protected]