TIBER-EU framework

TIBER-EU (Threat Intelligence-Based Ethical Red-Teaming) is a European framework for testing cybersecurity. It helps authorities, companies, and cybersecurity experts work together to improve a company's cyber resilience by conducting controlled cyberattacks. 

Improving cyber resilience with test attacks

TIBER tests mimic the methods of real attackers and are specifically designed to test key functions of a company, such as its people, processes, and technologies. Companies cannot pass or fail a TIBER test. Instead, the test is intended to reveal the strengths and weaknesses of the cyber resilience measures put in place by the tested entity, with a focus on the learning effect of the test, and to enable the entity to reach a higher level of cyber maturity. Detailed information about TIBER-EU is available on the ECB's webpage.

TIBER-EU implementation by the AFM and its objectives

The AFM uses TIBER-EU for both voluntary tests and tests that are mandatory under the European legislation DORA. The AFM offers the TIBER-EU program to companies under its supervision.

AFM's goals with TIBER-EU:

  1. Strengthen the cyber resilience of the Dutch financial sector by conducting high-quality tests.
  2. Ensure a consistent approach to TIBER and TLPT (Threat-Led Penetration Testing) by consistently applying the TIBER-EU framework.
  3. Promote collaboration between financial institutions and supervisory authorities.
  4. Create a resilience testing community to share knowledge and enhance the learning experience for financial institutions.

The AFM will use TIBER-EU to conduct:

  1. DORA TLPT: For financial institutions under its supervision that meet the criteria of DORA. From 2025, this test is mandatory for certain institutions. These tests are conducted according to the TIBER-EU framework.
  2. Voluntary TIBER tests: For financial institutions under its supervision and, in special cases, for other relevant parties in the financial sector. These tests are also based on the TIBER-EU framework and can be part of an institution's digital resilience testing program, as required by DORA.