DORA and TIBER-EU Updates: Cyber Resilience and TLPT Requirements for 2025
DORA aligns with TIBER-EU to enforce threat-led penetration testing (TLPT) by 2025, enhancing cyber resilience and operational security for financial institutions across the EU.
The Digital Operational Resilience Act (DORA) and the TIBER-EU framework are two essential initiatives designed to bolster the cyber resilience of financial institutions across the European Union. Both frameworks ensure that financial entities are prepared to manage, mitigate, and recover from potential cyberattacks, as well as address broader operational risks targeting their Information and Communications Technology (ICT) infrastructures. By setting rigorous standards for testing and compliance, DORA and TIBER-EU contribute significantly to the security and stability of the financial sector.
Digital Operational Resilience Act (DORA): Comprehensive Cyber Resilience Framework
The Digital Operational Resilience Act (DORA) was introduced under Regulation (EU) 2022/2554 and serves as the primary legislative tool within the EU for enhancing the cybersecurity defenses of financial entities. DORA addresses various facets of operational risk, including threat identification, incident reporting, risk management, and third-party risk management. It also lays down detailed requirements for testing ICT systems to ensure they remain resilient against evolving cyber threats.
Set to be fully implemented by January 17, 2025, DORA applies to a wide range of financial entities, including banks, payment institutions, investment firms, crypto-asset service providers, and crowdfunding platforms. One of its key provisions is the requirement for financial entities to conduct threat-led penetration testing (TLPT) on their live production systems. TLPT is a crucial tool for identifying system vulnerabilities that could compromise the integrity of essential financial services.
Moreover, the regulatory technical standards (RTS) that will define the specifics of TLPT under DORA are currently being developed by European Supervisory Authorities and will be finalized by July 17, 2024. These standards are designed to remain flexible and adaptive, ensuring that DORA stays relevant amid technological advancements, such as the growing use of artificial intelligence (AI) in cybersecurity.
TIBER-EU: Threat Intelligence-Based Ethical Red Teaming Framework
The TIBER-EU framework, also known as Threat Intelligence-Based Ethical Red Teaming, is a well-established testing framework that enhances the cyber resilience of financial institutions through simulated, controlled cyberattacks. TIBER-EU has been adopted by 16 countries across Europe and has been pivotal in strengthening the operational resilience of participating financial entities.
One unique aspect of TIBER-EU is that it focuses heavily on learning from simulated cyberattacks. In a typical TIBER-EU test, red teams simulate attacks while blue teams defend without prior knowledge of the test. This live simulation allows organizations to test their defensive measures in a real-time, controlled environment, providing them with actionable insights into their vulnerabilities.
TIBER-EU is flexible in its implementation, allowing national regulators to adopt the framework and tailor it to local conditions, such as the specific cyber threats faced by different countries. While national implementations, like TIBER-NL for the Netherlands and TIBER-DE for Germany, may have some unique elements, the core components of TIBER-EU are consistent across borders. This consistency ensures that the results of these tests are comparable across jurisdictions, fostering cross-border collaboration in cybersecurity.
DORA and TIBER-EU: Complementary Frameworks for TLPT
Although DORA and TIBER-EU are aligned in their objectives, there are notable differences between the two frameworks. DORA explicitly calls for TLPT to be conducted in accordance with the TIBER-EU framework, ensuring that financial entities adhering to TIBER-EU will automatically comply with DORA’s TLPT requirements. However, there are some distinctions between how each framework approaches TLPT:
- Internal Testers: TIBER-EU generally does not permit internal testers to perform red teaming tasks, as it aims to ensure the objectivity of tests by relying solely on external experts. However, DORA allows internal testers, provided they meet specific criteria and receive approval from supervisory authorities. Nonetheless, DORA mandates that one out of every three tests must be conducted by external testers to maintain impartiality.
- Purple Teaming: In TIBER-EU, purple teaming—where red and blue teams collaborate to share insights during or after tests—is an optional element. In contrast, DORA mandates the inclusion of purple teaming as part of the TLPT process. This approach, supported by DORA, acknowledges the positive outcomes that arise from collaboration between offensive (red) and defensive (blue) teams.
- Testing Frequency: While TIBER-EU does not prescribe a specific frequency for TLPT, DORA requires larger financial entities to conduct TLPT at least every three years. Competent authorities, however, have the discretion to adjust the frequency based on the risk profile of the institution.
- Active Red Teaming Period: Under TIBER-EU, red team testing typically occurs over a 10- to 12-week period. However, DORA stipulates that this phase should last for a minimum of 12 weeks, reinforcing the comprehensive nature of these tests.
The Role of Artificial Intelligence in TLPT
The rise of artificial intelligence (AI) is poised to have a profound impact on the future of TLPT under DORA. Increasingly, financial institutions are adopting AI tools to enhance their cybersecurity capabilities, including the ability to detect and respond to cyber threats in real time. Generative AI, for instance, can help automate some of the functions traditionally performed by human-led red teams during TLPT.
However, the integration of AI raises new challenges for DORA compliance. For example, there is a growing need to ensure human oversight of AI-based testing processes, particularly to achieve explainability—the ability to understand and justify the decisions made by AI systems. Furthermore, under the EU’s AI Act (Regulation (EU) 2024/1689), certain AI systems used in critical sectors like cybersecurity are classified as high-risk and must comply with stringent regulations. If AI tools are classified as high-risk in the context of TLPT, they will be subject to additional transparency and oversight requirements.
Given these challenges, DORA’s regulatory technical standards will need to be sufficiently flexible to accommodate the growing use of AI in TLPT. This will ensure that the integration of AI into cybersecurity testing not only enhances efficiency but also maintains the rigor and oversight required for effective cybersecurity measures.
Key Benefits of Adopting TIBER-EU for DORA Compliance
Adopting the TIBER-EU framework offers significant advantages to financial entities and competent authorities seeking to comply with the Digital Operational Resilience Act (DORA):
- Extensive Guidance: TIBER-EU provides detailed, step-by-step guidance for conducting TLPT, including scoping, generating threat intelligence, performing tests, and reporting. This guidance is essential for helping entities navigate the complex requirements of DORA while ensuring comprehensive testing of their ICT systems.
- Wealth of Experience and Best Practices: The collective experience of the TIBER-EU community, which includes national authorities and financial institutions across Europe, has led to the development of best practices that continue to evolve. These practices, shared among participants, allow for continuous improvement and adaptation to new threats.
- Flexibility and Customization: While TIBER-EU has core mandatory elements, it also offers flexibility that allows national authorities to tailor the framework to their specific needs. This adaptability is especially valuable in ensuring compliance with DORA while taking into account local conditions and requirements.
- Mutual Recognition of Test Results: One of the major benefits of TIBER-EU is that it allows for the mutual recognition of test results across EU jurisdictions. This is particularly important for multinational financial institutions, as it simplifies the process of complying with DORA across different countries.
- Cost-Efficiency: By adopting TIBER-EU, financial institutions can leverage an existing, proven framework, reducing the time and resources needed to develop their own testing methodologies. This helps entities remain focused on their core activities while ensuring compliance with DORA.
TIBER-EU Knowledge Centre and Community
The TIBER-EU Knowledge Centre (TKC) plays an essential role in the success of the TIBER-EU framework. The TKC is a collaborative forum where national authorities and financial institutions share insights, best practices, and lessons learned from their TLPT experiences. Through regular training sessions and guidance documents, the TKC ensures that the TIBER-EU framework remains up-to-date with the latest developments in cybersecurity testing.
The collaborative nature of the TKC also fosters a culture of continuous improvement within the TIBER-EU community. By sharing knowledge across borders, the TKC strengthens cybersecurity resilience throughout the European financial sector, making it easier for authorities and financial entities to comply with DORA.
TIBER-EU as a Pathway to DORA Compliance
The Digital Operational Resilience Act (DORA) and the TIBER-EU framework together provide a comprehensive, robust approach to cybersecurity testing for financial entities across the European Union. While DORA establishes the regulatory foundation, TIBER-EU offers the practical tools and methodologies needed to ensure compliance with the TLPT requirements.
By adopting the TIBER-EU framework, financial institutions can achieve compliance with DORA while benefiting from an established, proven system that promotes cybersecurity resilience. The collaboration facilitated by the TIBER-EU Knowledge Centre ensures that the financial sector continues to evolve and adapt in response to emerging cyber threats, securing the sector's long-term stability and resilience in the face of future challenges.