Skip to main content
DORA Auditor

Article 25: Testing of ICT tools and systems

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

Article 25 sets out the range of tests entities must apply, from vulnerability assessments and scans to scenario-based and penetration testing, with critical ICT systems tested at least yearly.

Chapter IV, Digital operational resilience testing · Pillar: Digital Resilience Testing

Key points

  • Defines the spectrum of required tests
  • Includes vulnerability assessments and penetration testing
  • Critical ICT systems tested at least annually

How this fits DORA

Article 25 sits within the Digital Resilience Testing pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.

Read the official text

This is an editorial summary. Read the binding text of Article 25 in the consolidated regulation on EUR-Lex.

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex