How Regulations Are Driving the Adoption of Cyber Simulations

Regulators are no longer satisfied with cybersecurity plans that exist only on paper. Across industries and geographies, regulatory frameworks are increasingly emphasizing hands-on testing, scenario-based exercises, and live-fire attack simulations as evidence of real cyber resilience. 

While there are not yet many regulations that explicitly mandate “simulations,” many do require organizations to test, exercise, or rehearse their response to cyber incidents under realistic conditions. This blog explores how regulators are reframing cyber readiness through the lens of simulation and scenario testing, and what that shift means for CISOs going forward.

UK Operational Resilience (PS21/3)

This is essentially the UK’s operational resilience framework for financial institutions. At the heart of PS21/3 is the concept of impact tolerances. These are measurable limits on how long a firm’s important business services can be disrupted without causing unacceptable harm to consumers or market integrity.

Regulators in the UK see a clear link between cybersecurity and operational resilience. The policy statement outlines this link: “We consider that cyber resilience is complementary to operational resilience outcomes. Our operational resilience framework requires firms to take a holistic approach to their overall resilience.” 

Under PS21/3, companies are expected to scenario test their ability to remain within these impact tolerances. In PS21/3, the UK’s Financial Conduct Authority (FCA) explicitly ties testing to key operational events:

Organizations must scenario test:

  • When there is a material change to the firm’s business or important business services;

  • After improvements are made in response to a previous test;

  • And on a regular basis.

This language makes two important points. First, resilience is a living, evolving capability that must be re‑evaluated whenever a business changes, a system is upgraded, or new dependencies emerge. Second, regulators intentionally avoid prescribing exact frequencies. Instead, they anchor testing to meaningful conditions like changes and remediations, and require regularity without being artificially rigid. This creates a shift toward readiness outcomes.

“Scenario testing” is effectively a call for realistic rehearsal, whether via tabletop drills or live simulations. Live-fire, team-based simulations provide the most immersive, hands-on format for testing cross-functional readiness. 

Real disruptions are rarely clean or isolated events. They involve cascading failures, cross‑functional coordination, incomplete information, and competing priorities. Only scenario-based exercises expose those realities. 

Regulator feedback explains that, “Testing in a range of severe but plausible scenarios is intended to help firms identify areas where further resilience needs to be built.”

The PS21/3 regulation came fully into force in March 2025, after a three-year transition period. Now, financial services companies in the UK are expected to conduct regular scenario testing of incidents that could cause disruptions (including cyber incidents).

EU Digital Operational Resilience Act (DORA) 

DORA is a regulation that applies to 20 different types of financial entities and third-party IT providers in the EU. DORA is to digital risk what PS21/3 is to broader operational resilience. Unlike many compliance regimes that focus on documentation, DORA explicitly embeds testing as a regulatory requirement. Article 23 and related technical standards require organizations to implement routine digital operational resilience testing that goes beyond basic vulnerability scanning.

  • Annual testing: All entities in scope must test ICT systems and applications that support critical or important functions at least every year. This baseline requirement ensures continuous verification of key controls.

  • Threat‑Led Penetration Testing (TLPT): For the most systemically important firms, DORA’s Article 26 mandates advanced testing through TLPT at least every three years, with scope, methodology, and reporting laid out by regulatory technical standards. 

The inclusion of TLPT is significant because it is, for all intents and purposes, a simulation of an attack. It’s not your textbook penetration test. TLPT is designed to blend threat intelligence, red‑team techniques, and real‑world TTPs so that organizations are assessed on their ability to withstand and recover from sophisticated, realistic attacks targeting their most critical assets.

NYDFS: 23 NYCRR Part 500

In the United States, explicit calls for cyber simulation still lag behind Europe’s DORA or the UK’s scenario testing mandates, but signs of a shift are emerging. A notable example is in the regulatory language of New York’s Department of Financial Services (NYDFS).

The amended 23 NYCRR Part 500 cybersecurity regulation, with enforcement milestones rolled out through 2024, made it clear that incident response plans must be tested. Specifically, Section 500.16 of the NYDFS regulation (as applied to “Class A” entities) mandates that covered organizations:

  • Train all employees involved in implementing incident response plans

  • Test those plans with critical staff

  • Revise plans based on those tests

  • Test restoration capabilities for critical data and systems from backups

Testing a plan with “critical staff” and training the people responsible for execution are, in practice, rehearsal requirements, even if the word “simulation” isn’t used directly.

Finance Setting the Trend

While regulatory references to cyber simulations are most prominent in financial services, the ripple effects extend beyond this sector. Regulation in finance often sets the tone for cybersecurity expectations in other industries.

The growing demand for provable cyber resilience through structured rehearsal is perhaps the next trend. Some examples that extend beyond finance include:

NERC CIP‑008‑6 (US)

  • Who it applies to: Bulk Power System operators and electric utilities

  • How simulation fits the requirement: Requires cyber incident response plans to be tested at least once every 15 months via real incidents, paper/tabletop drills, or operational exercises. Live‑fire or simulated cyber incidents directly satisfy this testing mandate.

HIPAA Security Rule (US)

  • Who it applies to: Healthcare providers, health plans, and healthcare service providers handling PHI

  • How simulation fits the requirement: Requires periodic testing and revision of contingency plans. Simulation‑based incident response exercises (e.g., ransomware or system outage scenarios) are a practical way to demonstrate compliance.

FFIEC Guidance (US)

  • Who it applies to: Federally-supervised banks, credit unions, and financial institutions 

  • How simulation fits the requirement: Encourages institutions to regularly exercise incident response and notification procedures through simulations or tabletop exercises to validate readiness and escalation paths.

The Joint Commission (US)

  • Who it applies to: Hospitals and clinical healthcare organizations

  • How simulation fits the requirement: Emergency Management standards require two annual exercises, which may include cybersecurity incidents. Cyber simulations can be incorporated into these drills to validate response capability.

This reflects a maturing understanding that old-school tabletop exercises, unrehearsed IR playbooks, and reactive posture aren't enough. Threat-led simulations, scenario testing, and operational stress-testing are now seen as core components of modern cyber readiness. 

Questions should evolve from “Do we have an IR plan?” to “Have we tested our IR plan under pressure?” and “Can we prove it works?” In some cases, a well-run simulation program may soon carry significant weight in audits across all sectors. Whether or not the regulations discussed here apply to your business, the underlying message about the value of testing how organizations detect and respond to cyber incidents is clear. For many organizations, this is driving a shift toward more frequent, repeatable simulation-based exercises — most commonly at a monthly cadence.

Cloud Range’s live-fire cyber ranges enable security teams to simulate real-world attacks in uber-realistic, secure environments. Cloud Range’s team-based simulation platform enables your SOC analysts, IR teams, and business stakeholders to work across a range of systems and security tools, like those they use every day, for even greater realism.

Learn how live-fire cyber simulations can support regulatory readiness. Request a demo. 