nexalign

Glossary term

Operational Resilience Testing

Also: Digital Operational Resilience Testing, DORA Art. 24-27

Mandatory testing programme under DORA Art. 24-27 for the operational resilience of financial entities' ICT systems. Covers vulnerability assessments, open-source analyses, network security reviews, gap analyses, physical security reviews, questionnaires, scans, penetration tests and TLPT.

DORA demands an annual testing programme proportional to the size, risk profile and complexity of the financial entity. The programme must define test methods, frequency, scope, acceptance criteria, escalation paths, reporting and remediation discipline. Results feed the annual ICT risk report to the supervisor.

Test spectrum: vulnerability assessments at least yearly, source-code reviews for critical applications, penetration tests for external and critical internal systems, network security assessments, performance and end-to-end tests. Significant entities additionally need TLPT at least every three years (Art. 26-27).

Audit logic: the testing programme must be steered by an independent function inside or outside the entity. Testers must not concurrently be developers or operators of the systems under test. Evidence duty: every test needs minutes, a findings list, a risk rating, a remediation plan and a retest.
