DORA · 2026-03-10 · 3 min read

DORA Article 25 Explained: Testing of ICT Tools and Systems

Introduction

In the rapidly evolving landscape of financial services, where technology plays a pivotal role, the European Union's Digital Operational Resilience Act (DORA) has been introduced to ensure the stability, safety, and reliability of financial entities. Within the act, Article 25 specifically addresses the testing of Information and Communication Technology (ICT) tools and systems. This article serves as a comprehensive guide for financial entities to understand and comply with Article 25, highlighting its importance in maintaining digital operational resilience.

Key Requirements

Article 25 of DORA delineates the following key requirements for financial entities:

  • Risk-Based Testing: Entities must implement a risk-based approach to testing ICT tools and systems.

  • Regularity of Tests: Regular testing must be conducted to ensure the continuity and reliability of ICT tools and systems.

  • Scenario Analysis: Entities must carry out scenario analysis to anticipate potential disruptions and their impacts.

  • Testing of Third-Party Services: Testing must extend to third-party ICT services that are critical for the entity's operations.

  • Reporting: Entities must maintain records of tests and reports to demonstrate compliance with regulatory requirements.

Implementation Guide

To ensure compliance with DORA Article 25, financial entities should undertake the following practical steps:

  1. Assessment of ICT Risks: Begin by conducting a thorough assessment of ICT risks, including data security breaches, system failures, and third-party service disruptions.

  2. Development of Testing Frameworks: Develop frameworks for testing that cover various scenarios, such as system failures, cyber-attacks, and natural disasters.

  3. Regular Testing Schedules: Establish regular testing schedules that align with the risk profile of the entity and the criticality of ICT systems.

  4. Involvement of All Stakeholders: Ensure that all relevant stakeholders, including third-party providers, are involved in the testing process.

  5. Documentation and Reporting: Keep detailed records of all tests conducted, including the date, scope, findings, and remediation actions taken.

  6. Continuous Improvement: Use the insights gained from testing to continuously improve the resilience of ICT systems.

Common Pitfalls

When implementing the requirements of DORA Article 25, financial entities should avoid the following common pitfalls:

  • Neglecting Third-Party Risks: Failing to test third-party ICT services can lead to significant vulnerabilities in the entity's operational resilience.

  • Insufficient Documentation: Poor record-keeping can result in difficulties when demonstrating compliance with regulatory requirements.

  • Lack of Regular Updates: Failing to update testing procedures and schedules can lead to outdated and ineffective tests.

  • Ignoring Lessons Learned: Not incorporating lessons learned from previous tests into ongoing risk management strategies can hinder the entity's resilience.

How Matproof Helps

Matproof's compliance management platform offers a range of tools designed to automate the tracking and evidence collection process for DORA Article 25 requirements. By leveraging Matproof, financial entities can ensure that their testing procedures are up-to-date, comprehensive, and compliant with the latest regulatory standards.

Tags: DORA Article 25, Testing of ICT Tools and Systems, digital operational resilience, ICT risk management, financial regulation
