TIBER-EU Framework for Threat Intelligence-Based Ethical Red Teaming
ECB framework for threat intelligence-based ethical red teaming of financial entities across the EU. Defines a structured approach covering generic threat landscape, targeted threat intelligence, red team testing on live production systems, and 360-degree closure. Adopted by 15+ EU member states with cross-border mutual recognition. Complementary to DORA Article 26 TLPT requirements.
| Clause | Title | SP 800-53 Controls |
|---|---|---|
| TIBER.BT | Blue Team Response — Real-time detection assessment, incident response evaluation, and escalation procedures | |
| TIBER.CLOSE | Closure Phase — 360-degree feedback, red team report, threat intelligence report, and remediation plan | |
| TIBER.CONF | Confidentiality and Risk Management — Test risk mitigation, operational safeguards, and data protection | |
| TIBER.GTL | Generic Threat Landscape — Sector-wide threat landscape report and macro-level threat assessment | |
| TIBER.PREP | Preparation Phase — Scope definition, entity engagement, regulatory coordination, and white team formation | |
| TIBER.PROV | Provider Requirements — Threat intelligence provider and red team provider qualification standards | |
| TIBER.REM | Remediation and Follow-Up — Remediation tracking, control improvement validation, and attestation | |
| TIBER.RT | Red Team Testing — Controlled adversary simulation, multi-phase attack execution, and live production testing | |
| TIBER.TTI | Targeted Threat Intelligence — Entity-specific threat intelligence, attack scenario development, and flag planting | |
| TIBER.XB | Cross-Border Coordination — Mutual recognition, multi-authority testing, and joint assessments |