Adoption and implementation of TIBER-EU
Implementation of the TIBER-EU framework
For the implementation of the TIBER-EU framework, certain overarching governance structures and processes must be put in place, adopted at either national or European level and followed to ensure that the framework can be implemented effectively across the EU.
Authorities involved
The adoption of the TIBER-EU framework by authorities and jurisdictions is voluntary. At the inception, authorities wishing to implement a TIBER-EU framework in their jurisdictions are encouraged to liaise with all relevant authorities in the financial sector. These may include:
- central banks;
- supervisory authorities;
- intelligence agencies;
- relevant ministries.
The TIBER-EU framework may be adopted at a national level, or by EU institutions and authorities. However, national or European implementation of TIBER-EU need not be limited to the financial sector alone. Should a jurisdiction wish to involve other sectors (such as telecommunications or utility companies), the TIBER-EU framework does not prevent it from doing so. As such, the framework is entity-agnostic and sector-agnostic.
The various authorities should discuss the potential adoption of the framework, how it should be set up, the entities that it will apply to, the timelines, and the general organisation and resources required to implement the framework.
Mandate and adoption
If a jurisdiction decides to adopt the TIBER-EU framework, its national implementation must be formally adopted by the Board of an authority, ideally the central bank of the European System of Central Banks (ESCB). The TIBER-EU Knowledge Centre (described in more detail in Section 3.8) must be officially informed that a national or European implementation of TIBER-EU has been launched.
Adoption of the TIBER-EU framework can be driven in collaboration with market participants to serve as a catalyst. The framework may also be adopted for the purposes of financial stability. Alternatively, it may be adopted as an oversight and/or supervisory requirement.
In these cases, the implementation of the TIBER-EU framework must be in accordance with the mandatory requirements, as set out in Annex I.
Establishment of TIBER-EU
Preferably, one of the relevant authorities should take ownership of the national or European TIBER-EU implementation. This authority develops the national (TIBER-XX) or European (TIBER-EU YY) Implementation Guide, organises the programme, liaises with the other authorities and coordinates the joint work. One of the relevant authority’s board members should take ownership of this programme of activities.
For each implementation, the relevant authorities should work together to reach agreement on the form that the national framework will take and how it will be implemented in their jurisdictions. Each implementation of TIBER-EU must ensure that all the core foundational concepts and approaches are adopted and implemented; however, each jurisdiction is free to adopt and implement further optional elements at its own discretion.
The authority that owns the TIBER-XX framework within its jurisdiction must publish on its website the official TIBER-XX Implementation Guide applicable to its jurisdiction and take measures to explain the adoption of the framework to the relevant market participants.
Legal and compliance
During the process of establishing the national or European implementation of TIBER-EU, authorities should conduct a review of existing laws and regulations at a national and European level to ensure that the framework, methodologies and processes do not contravene any law and the implementation of the framework remains legally compliant.
Furthermore, it is the responsibility of the entities, TI providers and RT providers to ensure that they conduct tests within the remit of all laws and regulations, and appropriate risk management controls (e.g. contracts) are in place to enforce this.
During the TIBER-EU process, there are a number of activities that may be performed to fully replicate a real-life attack. Such activities require due consideration and evaluation in the context of existing laws and regulations, and may include the following:
- gathering open-source intelligence (OSINT) data on the target entity (publicly available information);
- gathering OSINT data on the entity’s suppliers (publicly available information);
- gathering data from other intelligence sources (e.g. government sharing platforms, etc.) relating to the target entity;
- gathering any data on the entity, its suppliers, its employees and/or its customers found on the dark web;
- deployment of people into the entity under various guises to gather intelligence;
- using targeting data gathered in the threat intelligence phase to create email, telephone and in-person ruses as part of a scenario;
- gathering data on employees and customers of the entity;
- gathering account and password data from employees and service providers of the target entity.
The above are suggested activities to consider, but the list is not exhaustive. Authorities should ensure that a thorough legal analysis is carried out, using appropriate legal expertise, to determine the legal constraints when performing the test. These should be clearly set out in the documentation at national and European level.
Simultaneously, all entities, TI providers and RT providers should consider and act in accordance with the legal constraints of each jurisdiction.
The above activities will be performed under a contractual agreement with the full consent of the respective entity. This will mitigate beforehand many of the legal concerns which may potentially arise.
Governance by authorities
For each national and European implementation of the TIBER-EU framework, the relevant authorities should establish the appropriate governance structures and allocate resources to:
- ensure that the framework is formally owned by senior personnel;
- manage, operationalise and monitor its implementation by staff with the requisite skills;
- continuously update the framework in the light of lessons learned from its implementation, and in collaboration with other authorities via the TIBER-EU Knowledge Centre.
The TIBER Cyber Team
The authorities who decide to be involved in an implementation of TIBER-EU should set up a centralised TIBER Cyber Team (TCT) that brings together their TIBER knowledge and capabilities at national or European level. The TCT facilitates the different TIBER-XX/TIBER-EU YY tests across the sector, provides support and specialist knowledge to White Team Leads (WTLs, responsible for the entity’s test management), acts as the contact point for all external enquiries and supports the overseers and supervisors during and/or after the tests (if the overseers and supervisors are not included in the TCT).
The TCT is also responsible for maintaining the national and European TIBER Implementation Guide and for developing it further according to national or European needs. In addition, national and European TCTs may liaise with other TCTs in other TIBER jurisdictions.
There are various ways in which the TCT could be set up, ranging from one authority alone (acting as a central point from which experts are sent to support overseers and supervisors) to a centralised team consisting of experts from all relevant authorities (including overseers and supervisors), with a clear anchor at one of the authorities. Most importantly, the TCT is one of the crucial operational controls in performing a test on critical live production systems and helps ensure a uniform, high-quality test containing all the mandatory elements.
When setting up the TCT, each jurisdiction should carefully consider the resources required, based on the number of entities that will be subject to testing, and ensure that staff on the TCT are appropriately skilled in project management and have the requisite knowledge of cyber security and of the entities being tested.
During a TIBER-EU test, the TCT holds the right to invalidate a test for TIBER recognition if it suspects that the entity is not conducting the test in the right spirit and in accordance with the requirements of the TIBER-EU framework.
TIBER-EU Knowledge Centre
A centralised TIBER-EU Knowledge Centre (TKC), hosted by the ECB[1], will be set up to enhance further collaboration among the national and European TCTs so that they can benefit from multiple potential implementations of the TIBER-EU framework. The core objectives of the TKC will be to:
- facilitate knowledge exchange and foster collaboration among national and European TCTs;
- support national and European implementations and provide a central depository of materials for jurisdictions;
- provide authorities with training on the development, implementation and management of the TIBER-EU framework;
- monitor the national and European implementations (thereby ensuring legitimacy of mutual recognition), collect feedback, reflect on lessons learned, disseminate information to national jurisdictions as appropriate, and maintain and continually develop the TIBER-EU framework;
- promote information sharing, mutual collaboration and other actions to enhance overall cyber resilience within the EU;
- liaise with other authorities using intelligence-led red team testing in order to promote international uniformity and quality;
- provide feedback to the sector within the relevant fora (e.g. Euro Cyber Resilience Board for pan-European Financial Infrastructures), where necessary and appropriate.
Identification of entities and relevant authorities
Participation of the entities in the TIBER-EU scheme may be either voluntary or mandatory; this is left to the discretion of the relevant national or European authorities. As a rule, the lead authority should initiate and oversee the conduct of TIBER-EU tests on entities under its responsibility.
For the purposes of the TIBER-EU framework, a lead authority means: “the authority with the primary responsibility for overseeing and supervising a relevant entity”.
Following the adoption of the TIBER-EU framework at a national or European level, each lead authority should decide which entities should be invited to undertake, or must undertake, a TIBER-EU test, and by when. Entities differ in size, complexity and reach. Therefore, authorities should look to include entities which are important to the financial stability of the jurisdiction because of the critical functions (CFs) they perform. That said, the TIBER-EU framework can be applied to all types and sizes of entities.
Cross-jurisdictional activities
Within the EU, several entities may operate their business across borders, with a presence in multiple jurisdictions. In such circumstances, each lead authority will need to determine and agree which other “relevant authorities” are potential key stakeholders for the given entity.
In cases where an entity is active in more than one jurisdiction, the TIBER-EU framework permits the relevant authorities to take one or both of the following approaches to cross-jurisdictional activities.
- Relevant authorities should, ideally, work together in a collaborative manner under the direction of the lead authority.
- A test managed by one of the relevant authorities (ideally, the lead authority of the entity) should be conducted in accordance with the core requirements of the TIBER-EU framework in order to be mutually recognised and to provide assurance to the relevant authorities in other jurisdictions. In such cases, there must be mutual agreement, right from the outset, on the identity of the other relevant authorities.
The lead authority should consider a number of elements when determining the identity of the other relevant authorities. Elements to be considered include:
- the geographical location of the entity;
- the organisational and legal structure of the entity (e.g. group structure);
- the geographical location of the underlying critical service provider (which may be within the scope of the testing activities) and its lead authority;
- the oversight and/or supervisory arrangements for the entity (e.g. cooperative oversight arrangements, joint supervisory teams, etc.).
In some circumstances, there may be an authority that is implementing the framework at national level (TIBER-XX) and is seeking to conduct a test on a cross-border entity whose lead authority has not yet implemented the TIBER-EU framework at national level, or intends to implement it in the future. In such circumstances, the relevant authority should contact the lead authority and discuss how the test should be conducted under its TIBER-XX implementation. Collaboration in these situations is beneficial, as it allows the entity in question to conduct the test within a recognised framework, involving all relevant authorities, and with full scope. In addition, such collaboration avoids delays in the testing process.
The process for identifying and engaging with other relevant authorities can also be an iterative process. For example, during the scoping process the different stakeholders may deduce that a CF is located in another jurisdiction. In these circumstances, it may then be necessary to contact and liaise with other relevant authorities before commencing any activity.
Overall, the key to facilitating cross-border testing is mutual trust between lead authorities, other relevant authorities and the entities. In all cases, the stakeholders should use sound judgement, foster a spirit of collaboration, and show a willingness to find a workable process that allows effective testing to be conducted with the right scope.
To illustrate the principles described above, an example is given in Figure 2 below. The entity X has its head office in Germany and is subject to oversight/supervision by a German authority as the lead authority. However, the entity is also present in the Netherlands and Belgium and is systemically important to all three jurisdictions.
Figure 2: Example of an entity’s European presence
In this case, the German authority may deem entity X to be important and seek to include it within the scope of its testing regime. The German authority should consider which other relevant authorities may have an interest in the testing of the entity, and reach out to the relevant TCT. Equally, the other relevant authorities (in this case those of Belgium and the Netherlands) may consider entity X to be important for their jurisdictions, and approach the German authority to initiate a test.
The TCT responsible for TIBER-DE would liaise in this case with the TCTs responsible for TIBER-NL and TIBER-BE. In such a scenario, the three authorities might consider collaborating on a joint test on entity X, where members of the German, Dutch and Belgian TCTs work together throughout the test; or the authorities in the Netherlands and Belgium might decide to rely solely on the German-led test and seek assurance from this process, as long as the core elements of the TIBER-EU framework were followed.
Mutual recognition
In the highly interconnected European financial system, it is likely that numerous authorities will require assurance on the cyber resilience of a single entity. TIBER-EU provides an efficient solution to this problem by ensuring mutual recognition of TIBER tests, provided that these comply with all mandatory requirements of the TIBER-EU framework.
A precondition for mutual recognition is that each test must comply with all the mandatory requirements of the TIBER-EU framework, which are set out in Annex I. At the end of each test, the board of the entity, the TI provider and the RT provider should sign an attestation confirming that the test was conducted in accordance with the mandatory requirements of the TIBER-EU framework. This will provide the legitimacy for mutual recognition. Furthermore, the lead authority should confirm to other relevant authorities that it oversaw the test conducted. If the lead authority considers that the conduct of the test was not in line with the requirements and spirit of the TIBER-EU framework and the national or European Implementation Guide, it has the right to invalidate the test for TIBER-EU recognition and mutual recognition.
As noted above, for some entities, the test might be managed by a small number of authorities together. However, in some cases, the entity might be a more complex group structure with multiple subsidiaries or branches, and so there might be a significant number of relevant authorities. In these circumstances, managing a large-scale test, with so many relevant stakeholders, might be inefficient and counter-productive. Consequently, the onus should be on the lead authority, entity and other relevant authorities (who seek assurance through a mutually recognised test) to negotiate the safe sharing of the results ex post.
External testing
Although several entities already conduct red team testing with dedicated internal red teams, authorities will only recognise a TIBER-EU test if it is conducted by independent third-party providers (i.e. external TI and RT providers).
Although the practice of internal red teams is encouraged, and entities should look to develop this capability, there are clear advantages to procuring an external party to conduct a TIBER-EU test. Most notably, an external tester provides a fresh and independent perspective, which may not always be feasible with internal teams that have grown accustomed to the internal systems, people and processes. Furthermore, external providers might have more resources and up-to-date skills to deploy, which would add value to the entity.
With this in mind, given the resources required and costs incurred, entities are not expected to conduct a TIBER-EU test too frequently.
[1] In close cooperation with the national central banks of the European System of Central Banks (ESCB).
