Source: OJ L 333, 27.12.2022, p. 1–79
- Digital operational resilience in the financial sector
Article 25 Testing of ICT tools and systems
Summary: What does Article 25 of the DORA regulation say?
This article fleshes out the practical content of the digital operational resilience testing programme established under Article 24, specifying the types of tests that financial entities are expected to run.
It provides a broad menu of testing methods — from vulnerability scans and penetration testing to source code reviews and scenario-based tests — while also carving out specific obligations for certain entity types.
Central securities depositories and central counterparties face a stricter pre-deployment requirement, while microenterprises are given a more flexible, risk-based approach to fulfilling their testing obligations.
Important points:
- Execute appropriate tests drawn from the range of methods listed in this article as part of your digital operational resilience testing programme.
- Central securities depositories and central counterparties are required to perform vulnerability assessments before deploying or redeploying any applications, infrastructure components, or ICT services supporting critical or important functions.
- Microenterprises must conduct the same tests but may do so using a balanced, risk-based and strategically planned approach that accounts for their available resources and the criticality of their assets and services.
The above is Springlex's summary of the article: a reading aid, not a substitute for the legal text, which follows.
1. The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
2. Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity.
3. Microenterprises shall perform the tests referred to in paragraph 1 by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing provided for in this Article, on the one hand, and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks, on the other hand.
Relevant recitals
Recital 25 Inconsistent digital operational resilience testing requirements
Digital operational resilience testing requirements have been developed in certain financial subsectors setting out frameworks that are not always fully aligned. This leads to a potential duplication of costs for cross-border financial entities and makes the mutual recognition of the results of digital operational resilience testing complex which, in turn, can fragment the internal market.
This text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms relevant to this article: central counterparty, ICT third-party service provider, trading venue, network and information system, trade repository, microenterprise, information asset, vulnerability, digital operational resilience, ICT services, critical or important function, central securities depository.