DORA Reshapes Cyber Testing as Italy Updates TIBER-IT Guide

Key Takeaways

  • TIBER-IT Updated for DORA: Italy’s financial regulators have revised the TIBER-IT National Guide to align with the Digital Operational Resilience Act and its new requirements for threat-led penetration testing.
  • Mandatory Cyber Testing Takes Effect: Certain systemically important financial entities must now conduct Threat-Led Penetration Testing on their ICT systems at least once every three years.
  • Single Framework for Italy: The updated guide serves as the sole methodological reference for both mandatory TLPT under DORA and voluntary testing by other financial entities.
  • Voluntary Testing Still Encouraged: Firms outside the scope of mandatory requirements are encouraged to carry out TLPT, reflecting regulators’ focus on strengthening sector-wide cyber resilience.
  • Scope Under DORA: The framework applies not only to financial institutions but also to relevant ICT service providers and specialized threat intelligence and red-team firms involved in testing.

Deep Dive

Italy’s financial regulators are updating the rulebook on how banks, insurers, and other financial institutions stress-test their cyber defenses, as the EU’s Digital Operational Resilience Act moves from theory to day-to-day supervision.

Banca d’Italia, CONSOB, and IVASS have jointly updated the TIBER-IT National Guide, the framework used to run advanced cybersecurity exercises known as Threat-Led Penetration Testing, or TLPT. The revision brings the Italian framework into line with DORA, which has applied since January 2025 and introduces mandatory cyber resilience testing for selected financial entities across the EU.

DORA requires certain firms, identified by supervisors based on their size, complexity, and importance to the financial system, to carry out TLPT on their ICT systems at least once every three years. Unlike traditional penetration tests, TLPT exercises are built around real threat intelligence and are designed to mimic the tactics and techniques used by sophisticated attackers.

With the update, the TIBER-IT Guide becomes the single reference point for how these tests should be carried out in Italy. It applies not only to firms that are now legally required to run TLPT under DORA, but also to those that choose to do so voluntarily, a practice Italian authorities have been encouraging for several years.

The revised guide reflects the latest pieces of the EU framework, including the Regulatory Technical Standards on TLPT adopted by the European Commission in February 2025 and the updated TIBER-EU framework released earlier this year. Together, these changes are meant to tighten alignment across member states while keeping national testing programs consistent with the ECB’s broader approach.

Italian supervisors are hardly new to this territory. Since 2022, Banca d’Italia, CONSOB, and IVASS have promoted advanced cyber testing on a voluntary basis through the original TIBER-IT Guide, which was modeled on TIBER-EU. What has changed is the regulatory backdrop. With DORA now in force, TLPT shifts from a best practice to a formal obligation for a defined group of financial institutions.

The updated guide is primarily aimed at financial entities that fall within the scope of DORA, as implemented in Italy through Legislative Decree 23/2025. It also covers ICT service providers when they are included in the scope of a test, along with threat intelligence and red-team providers involved in carrying out the exercises.

Firms that are not subject to mandatory testing can still opt in. The authorities say voluntary TLPT remains strongly encouraged, particularly given the financial sector’s deep reliance on digital systems and its growing web of third-party technology dependencies. Organizations interested in running a voluntary test are invited to notify the designated single contact point outlined in the guide.
