
17 December 2025

IVASS publishes first update to national TIBER-IT cybersecurity framework

On 11 December 2025 the Italian insurance supervisory authority (IVASS) announced the first update to the National TIBER-IT Guide for Advanced Cybersecurity Testing for the Italian Financial Sector (TIBER-IT Guide), which is issued jointly by the Bank of Italy, CONSOB and IVASS.

TIBER-IT stands for Threat Intelligence Based Ethical Red-Teaming – Italia, and it implements the TIBER-EU framework at national level. The aim is to simulate realistic cyber-attacks against an entity's live production systems by reproducing the tactics, techniques and procedures of the threat actors that actually target it. The European Central Bank introduced TIBER-EU in 2018.

The DORA Regulation, which has applied since 17 January 2025, makes this kind of testing mandatory for the most significant financial entities. Known as Threat-Led Penetration Testing (TLPT), it is the tool the financial system uses to verify digital operational resilience against advanced attacks, rather than against a generic checklist of vulnerabilities.

The competent authorities of each member state are responsible for identifying which financial entities must carry out TLPT. They base their decision on the qualitative and quantitative criteria defined in Commission Delegated Regulation (EU) 2025/1190.

In the first update of the TIBER-IT Guide (TIBER-IT update), in line with the DORA Regulation, the Bank of Italy, CONSOB and IVASS have identified which financial entities will have to conduct a TLPT at least every three years:

  • financial entities defined in article 2, paragraph 2, of the DORA Regulation, including:
    • insurance and reinsurance undertakings
    • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
    • institutions for occupational retirement provision
    • credit institutions
    • account information service providers
    • trading venues
    • management companies
    • credit rating agencies
    • crowdfunding service providers
  • payment systems
  • technological support or network infrastructures
  • Poste Italiane S.p.A.
  • financial intermediaries as defined in article 106 TUB (Consolidated Banking Law)
  • ICT service providers of the aforementioned entities

Other financial entities may carry out a test on a voluntary basis, and questions about how TIBER-IT operates can be sent to: tiber-it@bancaditalia.it.

The TIBER-IT Guide states that the competent authority will formally notify each financial entity that is required to perform the test. The TIBER Authority (ie the competent authority that runs all the activities related to a TIBER-IT test) will then notify the financial entity when the testing process starts.

While the TLPT is mandatory for entities identified by the competent authorities, the voluntary TLPT is used mainly as a prudential supervisory tool. The process is the same for both the mandatory and the voluntary test. The main purpose in both cases is to increase the cyber resilience of the entity being tested, including by acting on the lessons learned during the test.

In accordance with the TIBER-EU framework and the provisions of DORA, it is also possible to carry out cross-border TLPTs or TLPTs involving multiple financial entities. Multiparty testing, which includes joint tests and pooled tests, is especially useful for entities that operate in several countries or share the same technological infrastructure or ICT providers, since a single test can exercise the shared attack surface once rather than separately for each entity.

Read the TIBER-IT Guide in English here.

Read the TIBER-IT Update in English here.
