Article 25: Testing of ICT tools and systems
Last updated: 1 authoritative sourceDORA Auditor Editorial Team
Article 25 sets out the range of tests entities must apply, from vulnerability assessments and scans to scenario-based and penetration testing, with critical ICT systems tested at least yearly.
Chapter IV, Digital operational resilience testing · Pillar: Digital Resilience Testing
Key points
- Defines the spectrum of required tests
- Includes vulnerability assessments and penetration testing
- Critical ICT systems tested at least annually
How this fits DORA
Article 25 sits within the Digital Resilience Testing pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.
Read the official text
This is an editorial summary. Read the binding text of Article 25 in the consolidated regulation on EUR-Lex.