Requirement DORA.TS-1.1: The financial entity shall establish and maintain a comprehensive digital operational resilience testing programme, reviewed at least annually, that covers ICT tools, systems, processes and staff supporting critical or important functions, and is formally documented and approved by senior management (Art. 24(1) DORA).
Guidance: The testing programme should be risk-based and aligned to the current threat landscape; cover all critical or important functions; assign ownership for each test; document planned vs. actual test completion; and produce a consolidated results report with remediation plans.
Documentation:
Implementation:

Requirement DORA.TS-2.1: The financial entity shall conduct regular vulnerability assessments and network security testing, including vulnerability scans of ICT systems, network security reviews, open-source component analysis and — where relevant — physical security reviews, with findings tracked to remediation (Art. 25(2)(a)–(c) DORA).
Guidance: Consider: regular vulnerability scans for all ICT assets (at least quarterly for critical systems); annual penetration tests covering critical applications and infrastructure; network security configuration reviews; software composition analysis; and defined remediation SLAs by vulnerability severity.
Documentation:
Implementation:

Requirement DORA.TS-3.1: Following digital operational resilience tests, the financial entity shall conduct gap analyses to identify weaknesses, produce risk-ranked remediation plans, and track the implementation of corrective actions to completion with regular management oversight and re-testing to confirm remediation (Art. 24(5) DORA).
Guidance: Consider: standardised gap analysis methodology; risk-ranked remediation plans with defined owners and target dates; regular management reporting on open findings and overdue remediations; escalation of critical gaps to senior management; and confirmation testing after remediation.
Documentation:
Implementation:

Requirement DORA.TS-4.1: The financial entity shall include critical ICT applications, systems and infrastructure in its resilience testing programme, using appropriate methods tailored to the criticality and risk profile of each component, including business continuity and disaster recovery exercises (Art. 25(2) DORA).
Guidance: Consider: application security testing (DAST/SAST) for critical applications; annual disaster recovery exercises testing failover to alternate sites; load and stress testing for high-volume processing systems; and testing of third-party ICT services' resilience capabilities where possible.
Documentation:
Implementation:
Maturity Scale
Target: ≥ 3/5 for all categories (Documentation and Implementation)

Level 1
Documentation: No process documentation exists, or it is not formally approved by management.
Implementation: No standard process exists. Actions are ad hoc and undocumented.

Level 2
Documentation: Formally approved process documentation exists but has not been reviewed in the previous 2 years.
Implementation: An ad-hoc process exists and is performed informally. Results are inconsistent.

Level 3
Documentation: Formally approved process documentation exists; exceptions are documented and approved and account for less than 5% of activities.
Implementation: A formal process exists and is implemented. Evidence is available for most activities. Less than 10% process exceptions.

Level 4
Documentation: Formally approved process documentation exists; exceptions are documented and approved and account for less than 3% of activities.
Implementation: The formal process is fully implemented. Evidence is available for all activities. Detailed metrics are captured and reported. Less than 5% process exceptions.

Level 5
Documentation: Formally approved process documentation exists; exceptions are documented and approved and account for less than 0.5% of activities.
Implementation: The formal process is fully implemented and continually improving. Minimal exceptions (<1%). Process improvements are tracked and evidenced.