TIBER-EU - Service Provider Evaluation for TI Providers
When conducting a TIBER-EU test, the selection of a TI provider is important for the quality, security, and realism of the test execution.

When conducting a TIBER-EU test, selecting a suitable threat intelligence provider (TI provider) is crucial for the quality, security, and realism of the test execution. The following questions are intended to help procurement managers (control teams) systematically evaluate potential TI providers and make informed decisions in the selection process.
The questions are based on the requirements and guidelines of the TIBER-EU Guidance for Service Provider Procurement (January 2025) and cover both formal minimum requirements and qualitative aspects such as reputation, methodology, security standards, and employee competence. They can be used flexibly as part of a tender, a self-assessment questionnaire, or in interviews and bid reviews.
The aim of this list of questions is to ensure a structured, transparent, and comparable assessment, thereby facilitating the selection of a trustworthy, competent, and compliant TI provider.
The “List of questions to facilitate the procurement of TI providers” can be found in Annex 4.2 of the document “TIBER-EU: Guidance for Service Provider Procurement” (January 2025).
Here is an overview of the question categories and some sample questions that should be asked to assess the suitability of potential threat intelligence providers (TI providers):
Reputation, History, and Ethics
- Can the TI provider demonstrate a solid reputation and history (e.g., commercial register extract, references, financial soundness)?
- Does the provider have at least three references from previous TI projects for red teaming?
- Has the provider previously provided services to the institution that could lead to conflicts of interest?
- Does the provider adhere to a formal code of conduct?
- Does the provider have adequate liability insurance for its activities?
Governance, Security, and Risk Management
- Are there independent audits of the provider's ISMS (information security management system)?
- Does the provider have relevant security certifications?
- How does the provider ensure that collected data is stored, transmitted, and deleted securely?
- How is the risk of data leaks by employees minimized?
Methodology
- Does the provider have a clear methodology for conducting TI and reconnaissance?
- Does the provider use a broad source base (OSINT, HUMINT, SIGINT)?
- How does the provider stay up to date on current TTPs and threats?
- Does the provider have a sector and geopolitical focus, particularly on the financial sector?
Employee Competence
- Does the team have threat intelligence managers with at least five years of experience?
- Do the other team members each have at least two years of experience in TI?
- Can current resumes and references for key personnel be provided?
- Is there interdisciplinary expertise within the team (OSINT, HUMINT, geopolitical knowledge)?
- Is there a program for continuing education?
These questions serve to gain a holistic picture of the technical suitability, reliability, methodological maturity, and ethical orientation of the TI provider.