Skip to content

Executive Summary

The Threat Intelligence-based Ethical Red Teaming (TIBER-EU) Framework enables European and national authorities to work with financial infrastructures and institutions (hereinafter referred to collectively as “entities”1 ) to put in place a programme to test and improve their resilience against sophisticated cyber attacks.

The ECB published the TIBER-EU Framework (TIBER-EU Framework: How to Implement the European Framework for Threat Intelligence-based Ethical Red Teaming)2 and TIBER-EU Services Procurement Guidelines3 , respectively. This TIBER-EU White Team Guidance (“Guidance”) is referred to in, and is an integral part of, the TIBER-EU Framework.

TIBER-EU is an instrument for red team testing, designed for use by core financial infrastructures, whether at national or at European level, which can also be used by any type or size of entity across the financial and other sectors. At the same time, TIBER-EU is designed to be adopted by the relevant authorities in any jurisdiction, on a voluntary basis and from a variety of perspectives, namely as a supervisory or oversight tool, for financial stability purposes, or as a catalyst.

TIBER-EU facilitates red team testing for entities which are active in more than one jurisdiction and fall within the regulatory remit of several authorities. TIBER-EU provides the elements allowing either collaborative cross-authority testing or mutual recognition by relevant authorities on the basis of different sets of requirements being met.

When an authority adopts TIBER-EU, tests will only be considered TIBER-EU tests when they are conducted in accordance with the TIBER-EU Framework, including the TIBER-EU Services Procurement Guidelines and the TIBER-EU White Team Guidance.

The team that manages the test, in accordance with the TIBER-EU Framework, within the entity that is being tested, is called the White Team. The purpose of this document is to provide further guidance about the roles and responsibilities of the White Team.

What is TIBER-EU?

TIBER-EU is a framework that delivers a controlled, bespoke, intelligence-led red team test of entities’ critical live production systems. Intelligence-led red team tests mimic the tactics, techniques and procedures of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat to those entities.An intelligence-led red team test involves the use of a variety of techniques to simulate an attack on an entity’s critical functions and underlying systems (i.e. its people, processes and technologies). It helps an entity to assess its protection, detection and response capabilities.

What is the White Team?

The White Team is the team – within the entity being tested – that is responsible for the overall planning and management of the test, in accordance with the TIBER-EU Framework. The members of the White Team are the only people within the entity being tested that know that a TIBER-EU test is taking place. The White Team must ensure that the TIBER-EU test is conducted in a controlled manner, with appropriate risk management controls in place, while maximising the learning experience for the entity. For this the White Team must closely cooperate with the TIBER Cyber Team (TCT)4 from the respective authority.

What is the TIBER-EU White Team Guidance?

The Guidance is divided into four parts:

  • the roles and responsibilities of the White Team during the preparation, testing and closure phases of a TIBER-EU test;
  • the composition of the White Team;
  • the requisite skills and experience of the White Team;
  • the organisational aspects of the White Team.

The White Team Guidance is an integral part of the TIBER-EU Framework. Further details on the TIBER-EU Framework can be found in the document “TIBER-EU Framework: How to implement the TIBER-EU Framework”. Any further enquiries about TIBER-EU should be sent to TIBER-EU@ecb.europa.eu.

  1. For the purposes of the TIBER-EU Framework, “entities” means: payment systems, central securities depositories, central counterparty clearing houses, trade repositories, credit rating agencies, stock exchanges, securities settlement platforms, banks, payment institutions, insurance companies, asset management companies and any other service providers deemed critical for the functioning of the financial sector. 

  2. TIBER-EU FRAMEWORK. 

  3. TIBER-EU Services Procurement Guidelines. 

  4. The TCT is the team at the authority that: (i) facilitates the TIBER-E U t es ts ac ros s the sector; (ii) provides support and specialist knowledge to White Team Leads (WTLs, responsible for the entity’s test management); (iii) acts as the contact point for all external enquiries; and (iv) supports the overseers and supervisors during and/or after the tests (if the overseers and supervisors are not included in the TCT). For a comprehensive description see the TIBER-EU Framework.