Source: OJ L, 2024/1774, 25.6.2024

Current language: EN

Article 36 ICT security testing

Summary What does Article 36 of the RTS on ICT risk management framework say?

This article sits within the simplified ICT risk management framework applicable to smaller financial entities under Article 16(1) of DORA, and directly validates the ICT security measures established across several other articles in that framework.

It requires financial entities to establish and implement an ICT security testing plan, grounded in the threats and vulnerabilities already identified through the simplified risk management process.

The article follows a logical cycle: build security measures, test them, evaluate the results, and update accordingly.

Important points:

  • Establish and implement an ICT security testing plan that reflects the threats and vulnerabilities identified under the simplified ICT risk management framework.
  • Review, assess, and test ICT security measures taking into consideration the overall risk profile of your ICT assets.
  • Monitor and evaluate test results and update security measures without undue delay for ICT systems supporting critical or important functions.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall establish and implement an ICT security testing plan to validate the effectiveness of their ICT security measures developed in accordance with Articles 33, 34 and 35 and Articles 37 and 38 of this Regulation. Financial entities shall ensure that that plan considers threats and vulnerabilities identified as part of the simplified ICT risk management framework referred to in Article 31 of this Regulation.

    1. The financial entities referred to in paragraph 1 shall review, asses and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity.

    1. The financial entities referred to in paragraph 1 shall monitor and evaluate the results of the security tests and update their security measures accordingly without undue delay in the case of ICT systems supporting critical or important functions.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod