Cyber resilience testing is moving from best practice to regulatory mandate. Across EU financial services under DORA, critical infrastructure operators under NIS2, and systemically important financial institutions under CBEST and TIBER-EU, regulators are requiring organisations to demonstrate their incident response and operational resilience capabilities through structured testing — and tabletop exercises are a core component of what that demonstration involves.

What DORA Requires

DORA Article 25 requires financial entities to run a digital operational resilience testing programme that includes, at minimum, annual testing of ICT tools, systems, and processes. For most entities, this includes tabletop exercises as a component of the broader testing programme.

Importantly, DORA distinguishes between basic testing requirements (applicable to all financial entities) and advanced testing requirements — specifically TLPT (Threat-Led Penetration Testing, aligned with TIBER-EU) — that apply to systemically important entities identified by their competent authority. Tabletop exercises satisfy the basic testing requirement. TLPT is a more intensive, threat-intelligence-led technical test that goes significantly further.

For DORA purposes, tabletop exercise documentation needs to demonstrate: that the scenario was realistic and relevant to the entity’s threat profile; that key stakeholders participated (including executive management for significant scenarios); that findings were identified and documented; and that a remediation plan was developed and is being executed. Tabletop exercises that produce no findings, or where findings are not remediated, will not satisfy a DORA review.

What NIS2 Requires

NIS2 Directive Article 21 requires essential and important entities to implement measures for “business continuity, such as backup management and disaster recovery, and crisis management” and to test those measures. The Directive does not mandate a specific testing methodology, but national implementing legislation in several EU member states has clarified that tabletop exercises are an expected component of the testing programme for essential entities.

NIS2 also extends the management accountability for cybersecurity — management bodies of essential entities are personally responsible for approving and overseeing cybersecurity risk management measures. Board and executive participation in tabletop exercises is not just a good practice recommendation under NIS2; it is consistent with the personal accountability obligations the Directive creates.

CBEST and TIBER-EU: Intelligence-Led Testing

CBEST (UK financial sector) and TIBER-EU (EU financial sector) are frameworks for threat-led penetration testing of systemically important financial institutions. These frameworks involve live technical tests of production environments using real threat intelligence — significantly more intensive than tabletop exercises.

However, these frameworks also typically include a parallel process component: scenario-based exercises (often called cyber stress tests or wargames) that test the organisation’s governance and decision-making response to the scenarios that the technical testing explores. These exercises are closer to facilitated tabletops than to technical penetration tests — and they test the executive and board response to incidents that the technical team is managing.

For organisations subject to CBEST or TIBER-EU, tabletop exercises are typically part of a broader testing programme rather than the primary testing mechanism. But they are consistently present as the governance and decision-making test layer within those programmes.

At Bitsecura, we design tabletop exercises that satisfy DORA, NIS2, and sector-specific regulatory testing requirements — producing documented findings, remediation plans, and the evidence trail that regulatory review expects. If you need exercises that serve both your operational preparedness and your regulatory demonstration requirements, reach out here.


Bitsecura provides cybersecurity tabletop exercise design and facilitation services. Learn more about our tabletop exercise services.