European Central Bank announced a framework for cyber attack simulation on financial firms

Last week, the European Central Bank has published the European framework for testing financial sector resilience to cyber attacks.

The framework aims to simulate the effects of cyber attacks on critical systems in the banking industry in the European Union.

The move is the response to the numerous cyberheists that hit the financial industry in the past years, like the attacks against the SWIFT system and the assault against online and mobile services at the Netherlands’ three top banks.

The framework also includes the involvement of “red teams” for vulnerability assessments and penetration tests of systems used by companies in the financial sector.

“The European Central Bank (ECB) today publishes the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), which is the first Europe-wide framework for controlled and bespoke tests against cyber attacks in the financial market.” reads the announcement published by the ECB.

“The TIBER-EU framework facilitates a harmonisedEuropean approach towards intelligence-led tests which mimic the tactics, techniques andprocedures of real hackers who can be a genuine threat. TIBER-EU based tests simulate a cyber attack on an entity’s critical functions and underlying systems, such as its people, processes andtechnologies. This helps the entity to assess its protection, detection and response capabilities against potential cyber attacks.”

The main goal for the Framework is to facilitate testing for cross-border entities under oversight of several authorities.

TIBER-EU aims to help organizations measure their ability in detecting and responding cyber attacks.

The Threat Intelligence-based Ethical Red Teaming (TIBER-EU) framework will provide a guideline for operators in the sector to carry out any security tests.

“It is up to the relevant authorities and the entities themselves to determine if and when TIBER-EU based tests are performed,” the ECB said.

“Tests will be tailor-made and will not result in a pass or fail – rather they will provide the tested entity with insight into its strengths and weaknesses, and enable it to learn and evolve to a higher level of cyber maturity,” continues the announcement.

Initially, the adoption of the framework will not be mandatory, the tests will be tailor-made and “will not result in a pass or fail – rather they will provide the tested entity with insight into its strengths and weaknesses, and enable it to learn and evolve to a higher level of cyber maturity.

The instructions on how to “How to implement the European framework for Threat
Intelligence-based Ethical Red Teaming” are available here.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase