TIBER-AT

Threat Intelligence-Based Ethical Red Teaming in Austria

Combating cybersecurity risks through threat-led penetration testing

For financial institutions, defending against cyberattacks and handling cybersecurity risks is a crucial part of managing risk.

Across the EU, the requirements for managing cybersecurity risks in the financial sector have been harmonized in the Digital Operational Resilience Act (DORA), which entered into force in early January 2023. From early 2025, financial institutions will be required to comply with DORA requirements. This includes the requirement to undertake threat-led penetration testing (TLPT) as part of managing and combating cybersecurity risks.

The methodology to be applied for DORA-related TLPT tests in Austria is in line with the TIBER-EU framework.

TIBER-EU – a harmonized EU framework for threat-led penetration testing

TIBER-EU is a TLPT framework developed by the European System of Central Banks (ESCB). TIBER stands for “Threat Intelligence-based Ethical Red Teaming” and focuses on the simulation of real-life cyberattacks.

The TIBER framework provides requirements and cooperation guidelines for authorities, financial institutions and cyberattack specialists with a view to testing and enhancing the cyber resilience of financial institutions through controlled cyberattacks.

TIBER-EU provides for the simulation of real-life attacks on the critical production systems of financial institutions. The tests are therefore conducted under strict security provisions. It is up to the tested financial institutions to undertake all necessary measures to ensure that the tests will not create any risks, either for themselves or for their customers and clients.

TIBER-AT – Austria’s national implementation of TIBER-EU

TIBER-AT provides for the national implementation of the TIBER-EU framework in Austria. The national “TIBER-AT Implementation Guide” defines the key elements of TIBER-AT tests and outlines national specifics of implementing TIBER-EU in Austria. This makes it possible to conduct TLPT tests of financial institutions using standardized TIBER-EU procedures.

The TIBER-AT Implementation Guide already broadly reflects the TLPT-related DORA requirements. It also includes further relevant specifications, such as the regulatory technical standards for TLPT, published by the European Commission.

The TIBER Cyber Team at the OeNB is responsible for implementing TIBER-EU in Austria and accompanies all TIBER-AT tests in cooperation with the Financial Market Authority (FMA). Financial institutions interested in conducting a TIBER-AT test should approach the OeNB’s TIBER Cyber Team.

Furthermore, the OeNB’s TIBER Cyber Team is responsible for drafting and developing the TIBER-AT Implementation Guide, and is a member of the ESCB TIBER-EU Knowledge Centre, which drafts and develops the European framework at the EU level.