Two Years Running: Gartner spotlights Microsimulations in the Hype Cycle for Legal, Risk, Compliance and Audit Technologies (2024 & 2025)
COMPLIANCE & REGULATION

The Global Regulatory Landscape

45+ regulations and standards across five tiers - every one converging on the same demand: prove your resilience through tested, evidenced scenario exercises. Filter the universe below, and open any framework for detail.

The Regulatory Universe

45+ frameworks. Five tiers. One evidence layer.

Tier 1 Explicit scenario-testing requirements

Regulations that name scenario exercises, tabletops, or BCM/DR testing as a direct obligation.

| Regulation / Standard | Geography | Requirement | Testing Type | Cadence |
|---|---|---|---|---|
| EU DORA | European Union | Yes (TLPT) | Scenario, TLPT | Annual + 3yr TLPT |
| FCA / PRA Op Resilience | United Kingdom | Yes | Scenario, simulation | Regular / ongoing |
| SAMA Cyber Security Framework | Saudi Arabia | Yes | IR exercise, crisis sim | Annual minimum |
| APRA CPS 230 | Australia | Yes | BCM exercise, scenario | Annual minimum |
| SEC Regulation SCI | United States | Yes | Functional / perf test | Annual minimum |
| HKMA CR | Hong Kong | Yes | Cyber-resilience testing | Regular cycles |
| OSFI Op Risk & Resilience | Canada | Yes | Scenario-based | Risk-proportionate |
| OSFI B-13 | Canada | Yes | DR scenario testing | Periodic |
| RBI Cyber Security Framework | India | Yes | Pen test, crisis exercise | Periodic |
| EBA ICT & Security Risk Mgmt | European Union | Yes | BCM test, disruption sim | Regular / supervisory |
| ECB CROE | EU / ECB | Yes | Cyber scenario exercise | Supervisory cycles |
| UAE Central Bank IS Regulation | United Arab Emirates | Yes | Cybersecurity exercises | Examination-based |
| Australia SOCI Act | Australia | Yes | CRMP testing | Program-based |
| EBA Outsourcing Guidelines | European Union | Yes | 3rd party disruption test | Material outsourcing |
| Singapore Cybersecurity Act | Singapore | Yes | Audit, response exercises | Regular / directed |
| UAE Information Assurance Stds | United Arab Emirates | Yes | IR test, cyber drills | Regular / compliance |
| Israel INCD Cyber Methodology | Israel | Yes | Cyber incident simulation | Regular national cycles |

Tier 2 Testing-adjacent expectations

Rules that require tested, demonstrated resilience without prescribing scenario-testing by name.

| Regulation / Standard | Geography | Requirement | Testing Type | Cadence |
|---|---|---|---|---|
| NIS2 + IR 2024/2690 | European Union | Indirect | BCM / DR testing | Planned intervals |
| MAS BCM Guidelines | Singapore | Indirect | Comprehensive testing | Regular |
| MAS TRM Guidelines | Singapore | Indirect | Adversarial simulation | Risk-proportionate |
| FFIEC BCM Guidance | United States | Indirect | BCP testing program | Periodic |
| Basel Committee Op Resilience | Global (BCBS) | Indirect | Scenario-based testing | Principles-based |

Tier 3 Threat-led & intelligence-led frameworks

Advanced, intelligence-led red-team testing of critical live systems - increasingly the global benchmark.

| Regulation / Standard | Geography | Requirement | Testing Type | Cadence |
|---|---|---|---|---|
| TIBER-EU | EU / ECB | Yes (TLPT) | Intel-led red team | Bespoke / periodic |
| CBEST | United Kingdom | Yes (TLPT) | Threat-led pentest | Periodic |
| OSFI I-CRT | Canada | Yes (TLPT) | Intel-led test | Bespoke / periodic |
| HKMA iCAST | Hong Kong | Yes (TLPT) | Intel-led simulation | Tier 1 institutions |
| APRA Intel-Led Cyber Testing | Australia | Yes | Intel-led simulation | Risk-proportionate |

Tier 4 Standards layer - ISO & NIST

The ISO and NIST standards that tell practitioners how to design, run, and evidence scenario tests.

| Regulation / Standard | Geography | Requirement | Testing Type | Cadence |
|---|---|---|---|---|
| ISO 22398 | International | Standard | Exercise design | Program-based |
| ISO 22301 | International | Standard | BCM exercise | Program-based |
| ISO 22320 | International | Standard | Crisis mgmt exercise | Program-based |
| ISO 22316 | International | Standard | Resilience assessment | Program-based |
| ISO 22350 | International | Standard | Crisis mgmt exercise | Program-based |
| ISO 27035 | International | Standard | IR exercise | Program-based |
| NIST CSF 2.0 | United States | Standard | Respond / Recover | Program-based |
| NIST SP 800-84 | United States | Standard | TTX programs | Annual (800-53 req) |
| NIST SP 800-61r3 | United States | Standard | IR exercises | Program-based |
| NIST SP 800-53 | United States | Standard | IR exercises | Program-based |
| NIST SP 800-53 (CP / IR) | United States | Standard | CP / IR testing | Annual (control req) |
| CPMI-IOSCO Cyber Resilience | International (FMI) | Indirect | FMI resilience testing | Supervisory |

Tier 5 National infrastructure & FMI frameworks

Large-scale national programmes that treat infrastructure resilience at sector or system level.

| Regulation / Standard | Geography | Requirement | Testing Type | Cadence |
|---|---|---|---|---|
| Cyber Storm Program | United States (CISA) | Yes | National-scale simulation | Biennial |
| Cyber Europe Program | EU (ENISA) | Yes | Cross-border cyber exercise | Biennial |
| US NIPP | United States | Indirect | Sector exercise programs | Program cadence |

Landscape compiled from publicly available regulatory and standards materials. Always confirm current obligations with your compliance function or counsel.
The Common Thread

What every regulator is actually asking for

Strip away the geography and the framework names, and the underlying capability demands converge on six things.

Continuity under disruption

Operate through severe-but-plausible events without breaching tolerance thresholds.

Response & recovery readiness

Demonstrate tested capability to detect, contain, and recover from major incidents.

Third-party disruption preparedness

Critical service provider failures tested as scenarios - not assumed to be managed contractually.

Crisis communications

Internal escalation and external notification pathways validated under realistic pressure.

Testing discipline & cadence

Documented testing programs with defined frequency, scope, assumptions, and participants.

Remediation based on findings

Evidence that gaps identified in exercises are tracked, prioritised, and closed.
