TIBER-IT National Guidance (2025)

The financial sector is a prime target for cyber threats because of the intense digitalization of its business models and services and its wide-ranging, increasing interconnections. Among the tools adopted by the authorities and market participants to strengthen defence capabilities, advanced cybersecurity tests - known as Threat-Led Penetration Testing (TLPT) - play a crucial role for individual financial entities and for the financial system as a whole.

Banca d'Italia, CONSOB and IVASS have been promoting these tests on a voluntary basis since 2022 and have jointly adopted the TIBER-IT National Guide, in line with the ECB's harmonized TIBER-EU framework.

As of January 2025, Regulation (EU) 2022/2554 (DORA) is applicable, requiring certain financial entities - identified by the authorities based on their importance for the financial sector - to carry out TLPT regularly. These provisions are further detailed in Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025 (RTS on TLPT). The European TIBER-EU framework was also updated in January 2025 to reflect these changes.

In this context, Banca d'Italia, CONSOB and IVASS have updated the TIBER-IT National Guide to align it with DORA, the Regulatory Technical Standards (RTS) on TLPT, and the revised TIBER-EU framework. The Guide now serves as the reference framework for both mandatory tests under DORA and voluntary tests. To conduct these tests, entities should refer to DORA, the RTS on TLPT, TIBER-EU, and the related supporting documents, which are all referenced in the Guide.

The Guide is addressed primarily to financial entities within the scope of DORA, as implemented in Italy by Legislative Decree 23/2025.
