DORA-Art24-P1

Article: 24(1)
Pillar: Digital Operational Resilience Testing
Regulation Ref: Regulation (EU) 2022/2554, Article 24(1)
Last Reviewed: 2026-01-15

Financial entities shall, taking into account their size and their overall risk profile, establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework.

Evidence Profiles

Digital Operational Resilience Testing Programme COMMON

Comprehensive document defining the institution's digital operational resilience testing programme, including testing strategy, scope, frequency, methodologies, and governance as required by DORA Article 24.

Formats: PDF
Evidence Class: resilience-testing-programme
Availability: COMMON
Update Frequency: annual
Typical Author: CISO
Approval Chain: CISO → CRO → Board Risk Committee

Content Sections

Expected Fields

Common Quality Issues

Resilience Testing Scope Definition PARTIAL

Document defining the scope of digital operational resilience testing, including systems in scope, exclusions, risk-based prioritisation criteria, and testing boundaries.

Formats: DOCX
Evidence Class: testing-scope-definition
Availability: PARTIAL
Update Frequency: annual
Typical Author: Security Testing Lead
Approval Chain: Security Testing Lead → CISO

Content Sections

Expected Fields

Common Quality Issues

Fact Schemas

resilience_testing_programme_status

Schema ID: fs-resilience-testing-programme
Control: DORA-Art24-P1

Valid Ranges

approval_date: within last 18 months
methodologies_count: at least 3 different testing types for comprehensive programme

Related Schemas

JSON Schema

{
  "properties": {
    "approval_date": {
      "format": "date",
      "type": "string"
    },
    "budget_allocated": {
      "type": "boolean"
    },
    "covers_critical_systems": {
      "type": "boolean"
    },
    "has_risk_based_scope": {
      "type": "boolean"
    },
    "last_programme_review_date": {
      "format": "date",
      "type": "string"
    },
    "methodologies_count": {
      "minimum": 1,
      "type": "integer"
    },
    "programme_version": {
      "minLength": 1,
      "type": "string"
    },
    "testing_frequency": {
      "enum": [
        "quarterly",
        "semi-annual",
        "annual"
      ],
      "type": "string"
    }
  },
  "required": [
    "programme_version",
    "approval_date",
    "testing_frequency",
    "has_risk_based_scope",
    "methodologies_count"
  ],
  "type": "object"
}

testing_scope_definition_status

Schema ID: fs-testing-scope-definition
Control: DORA-Art24-P1

Valid Ranges

effective_date: within last 12 months
systems_in_scope_count: should cover all critical and important ICT systems

Related Schemas

JSON Schema

{
  "properties": {
    "covers_cloud_services": {
      "type": "boolean"
    },
    "covers_third_party_systems": {
      "type": "boolean"
    },
    "effective_date": {
      "format": "date",
      "type": "string"
    },
    "exclusions_count": {
      "minimum": 0,
      "type": "integer"
    },
    "has_risk_based_prioritisation": {
      "type": "boolean"
    },
    "scope_version": {
      "minLength": 1,
      "type": "string"
    },
    "systems_in_scope_count": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "scope_version",
    "effective_date",
    "systems_in_scope_count",
    "has_risk_based_prioritisation"
  ],
  "type": "object"
}
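
The Valid Ranges rows are stricter than the JSON Schemas: a record with methodologies_count 1 or a two-year-old approval_date is schema-valid but out of range. The following check is an added example, not part of the original page; it covers the required fields, the testing_frequency enum and the date and count ranges for both schemas. The function names, the sample record and the evaluation date are assumptions, and the systems_in_scope_count range is not checked because it needs an asset inventory to compare against.

```python
from datetime import date

# Required fields and their types, copied from the two JSON Schemas on this page.
REQUIRED = {
    "fs-resilience-testing-programme": {
        "programme_version": str, "approval_date": str, "testing_frequency": str,
        "has_risk_based_scope": bool, "methodologies_count": int},
    "fs-testing-scope-definition": {
        "scope_version": str, "effective_date": str,
        "systems_in_scope_count": int, "has_risk_based_prioritisation": bool},
}
# Valid Ranges rows the schemas do not express: (date field, max age in months).
MAX_AGE = {"fs-resilience-testing-programme": ("approval_date", 18),
           "fs-testing-scope-definition": ("effective_date", 12)}
FREQUENCIES = {"quarterly", "semi-annual", "annual"}
MIN_METHODOLOGIES = 3  # Valid Ranges value; the schema only enforces minimum 1


def within_months(stamp, today, months):
    """True if stamp is not in the future and at most `months` calendar months old."""
    shifted = (stamp.year * 12 + stamp.month + months, stamp.day)
    return stamp <= today and shifted >= (today.year * 12 + today.month, today.day)


def check_fact(schema_id, fact, today):
    """Return a list of findings; an empty list means the record passes."""
    findings = []
    for name, expected in REQUIRED[schema_id].items():
        value = fact.get(name)
        # bool is a subclass of int in Python, so reject it for integer fields.
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            findings.append(f"{name}: missing or wrong type")
    field, months = MAX_AGE[schema_id]
    try:
        if not within_months(date.fromisoformat(fact[field]), today, months):
            findings.append(f"{field}: not within last {months} months")
    except (KeyError, TypeError, ValueError):
        findings.append(f"{field}: not a valid date")
    freq = fact.get("testing_frequency")
    if isinstance(freq, str) and freq not in FREQUENCIES:
        findings.append("testing_frequency: not an allowed value")
    count = fact.get("methodologies_count")
    if type(count) is int and count < MIN_METHODOLOGIES:
        findings.append(f"methodologies_count: fewer than {MIN_METHODOLOGIES} testing types")
    return findings


# Constructed sample record: schema-valid, but stale and too narrow per Valid Ranges.
SAMPLE = {"programme_version": "2.1", "approval_date": "2024-07-14",
          "testing_frequency": "annual", "has_risk_based_scope": True,
          "methodologies_count": 1}
```

Run the check with a fixed evaluation date, for example `check_fact("fs-resilience-testing-programme", SAMPLE, date(2026, 1, 15))`, so that results are reproducible across audit runs.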