Executive summary

The Threat Intelligence-based Ethical Red Teaming (TIBER-EU) Framework enables European and national authorities to work with financial infrastructures and institutions (hereafter referred to collectively as “entities”¹) to put in place a programme to test and improve their resilience against sophisticated cyber attacks.

The ECB published the TIBER-EU Framework (TIBER-EU Framework: How to Implement the European Framework for Threat Intelligence-based Ethical Red Teaming) in May 2018. The present Services Procurement Guidelines (“Guidelines”) are referred to in, and are an integral part of, the TIBER-EU Framework. They set out in detail the different elements of TIBER-EU procurement. TIBER-EU is an instrument for red team (RT) testing, designed for use by core financial infrastructures, whether at national or at European level, which can also be used by any type or size of entity across the financial and other sectors. At the same time, TIBER-EU is designed to be adopted by the relevant authorities in any jurisdiction, on a voluntary basis and from a variety of perspectives, namely as a supervisory or oversight tool, for financial stability purposes, or as a catalyst. When an authority adopts TIBER-EU, tests will only be considered TIBER-EU tests when they are conducted in accordance with TIBER-EU including these Guidelines.

TIBER-EU facilitates RT testing for entities which are active in more than one jurisdiction and fall within the regulatory remit of several authorities. TIBER-EU provides the elements allowing either collaborative cross-authority testing or mutual recognition by relevant authorities on the basis of different sets of requirements being met.

RT testing carries inherent risks, and TIBER-EU tests are no exception. A key risk management element of TIBER-EU is therefore the use of the most competent, qualified and skilled threat intelligence (TI) and RT providers, with the experience necessary to conduct RT tests safely. Consequently, before engaging potential TI and RT providers to perform a TIBER-EU test, the relevant entity has to take into account the requirements of the Guidelines, in particular those regarding such providers. These requirements are deliberately stringent in order to mitigate risks, including the risk of an RT test being conducted by inexperienced personnel, which could have an adverse impact on the entity under test.

What is TIBER-EU?

TIBER-EU is a framework that delivers a controlled, bespoke, intelligence-led red team test of entities’ critical live production systems. Intelligence-led red team tests mimic the tactics, techniques and procedures (TTPs) of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat to these entities. An intelligence-led red team test involves the use of a variety of techniques to simulate an attack on an entity’s critical functions (CFs) and underlying systems (i.e. its people, processes and technologies). It helps an entity to assess its protection, detection and response capabilities.

What are the risks of the TIBER-EU test?

There are inherent elements of risk associated with a TIBER-EU test for all parties due to the criticality of the live production systems, people and processes involved in the tests. The possibility of causing a denial-of-service incident, an unexpected system crash, damage to critical live production systems, or the loss, modification or disclosure of data, highlights the need for active and robust risk management. In line with the potential risk of the test, the TIBER-EU Framework gives a high priority to establishing robust risk management controls throughout the entire process of the test to ensure it is conducted in a controlled manner.

To ensure a controlled and safe test, one prescribed control is the use of specialist external threat intelligence (TI) and red team (RT) providers that have the highest level of skills and expertise, and the requisite experience in threat intelligence and red team testing in the financial services industry, so that they can deliver effective and cutting-edge professional services. External providers bring a fresh and independent perspective and are likely to have more resources and more up-to-date skills to deploy, which adds value for the entity.

What are the Services Procurement Guidelines?

The Guidelines set out in detail the different elements of TIBER-EU procurement. They are an integral part of the TIBER-EU Framework. The Guidelines are divided into three parts. They:

  • set out the requirements and standards that must be met by TI and RT providers to deliver recognised TIBER-EU tests;
  • offer guiding principles and selection criteria for entities, as they look to procure services from prospective providers; and
  • provide questions and agreement checklists that could be used when entities undertake their due diligence and look to formalise the procurement process with the TI/RT providers.

As entities go through the procurement process, they are encouraged to seek further clarification of the selection criteria, TI and RT provider requirements and any other aspects related to the conduct of a TIBER-EU test. During the procurement process, entities are also encouraged to engage in constructive dialogue with potential TI/RT providers, allowing the entities to gain a deeper understanding of the TI/RT providers’ capabilities.


  ¹ For the purposes of the TIBER-EU Framework, “entities” means: payment systems, central securities depositories, central counterparty clearing houses, trade repositories, credit rating agencies, stock exchanges, securities settlement platforms, banks, payment institutions, insurance companies, asset management companies and any other service providers deemed critical for the functioning of the financial sector.