CONSOB, Banca d'Italia and IVASS have updated the TIBER-IT National Guide for conducting advanced cybersecurity tests, aligning it with the new requirements introduced by Regulation (EU) 2022/2554 (DORA).

To strengthen the digital operational resilience of the financial sector, DORA requires that certain financial entities - identified by the competent authorities based on qualitative and quantitative criteria - must perform Threat-Led Penetration Testing (TLPT) on their ICT systems at least once every three years.

The updated TIBER-IT Guide serves as the single methodological framework for Italian financial entities to carry out TLPT, whether it is required under DORA or done on a voluntary basis by entities not subject to mandatory testing.

This revision incorporates the latest provisions on TLPT introduced by the DORA Regulation, the related TLPT Delegated Regulation adopted by the European Commission, and the updated version of the TIBER-EU.

• Joint Communication by CONSOB, Banca d'Italia and IVASS on the update of the TIBER-IT National Guidance (December 2025)
• TIBER-IT National Guide v.2.0 (November 2025)