DORA-Art25-P1

Article: 25(1)
Pillar: Digital Operational Resilience Testing
Regulation Ref: Regulation (EU) 2022/2554, Article 25(1)
Last Reviewed: 2026-01-15

The digital operational resilience testing programme shall provide for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.

Evidence Profiles

Vulnerability Assessment Report

Report documenting the results of vulnerability assessments and scans, including identified vulnerabilities, severity ratings, affected systems, and remediation recommendations as required by DORA Article 25.

Formats: PDF, JSON
Evidence Class: vulnerability-assessment-report
Availability: COMMON
Update Frequency: quarterly
Typical Author: Security Testing Lead
Approval Chain: Security Testing Lead → CISO

Penetration Test Report

Report documenting the results of penetration testing activities, including attack scenarios, findings, exploitation evidence, and remediation recommendations.

Formats: PDF
Evidence Class: penetration-test-report
Availability: COMMON
Update Frequency: annual
Typical Author: External Penetration Testing Firm
Approval Chain: Security Testing Lead → CISO

Network Security Assessment Results

JSON-structured results of network security assessments including firewall rule reviews, network segmentation validation, and traffic analysis findings.

Formats: JSON
Evidence Class: network-security-assessment
Availability: PARTIAL
Update Frequency: semi-annual
Typical Author: Network Security Engineer
Approval Chain: Network Security Engineer → CISO

Resilience Testing Gap Analysis

CSV-structured gap analysis identifying areas where the institution's resilience testing programme falls short of DORA requirements, including coverage gaps and capability deficiencies.

Formats: CSV
Evidence Class: gap-analysis-report
Availability: PARTIAL
Update Frequency: annual
Typical Author: Compliance Officer
Approval Chain: Compliance Officer → CISO

Fact Schemas

vulnerability_assessment_status

Schema ID: fs-vulnerability-assessment
Control: DORA-Art25-P1

Valid Ranges

assessment_date: within last 3 months for quarterly assessments
critical_count: should be 0 for compliant posture after remediation

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "critical_count": {
      "minimum": 0,
      "type": "integer"
    },
    "high_count": {
      "minimum": 0,
      "type": "integer"
    },
    "low_count": {
      "minimum": 0,
      "type": "integer"
    },
    "medium_count": {
      "minimum": 0,
      "type": "integer"
    },
    "next_assessment_date": {
      "format": "date",
      "type": "string"
    },
    "remediated_count": {
      "minimum": 0,
      "type": "integer"
    },
    "remediation_in_progress": {
      "type": "boolean"
    },
    "total_vulnerabilities": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "assessment_date",
    "total_vulnerabilities",
    "critical_count",
    "high_count",
    "remediation_in_progress"
  ],
  "type": "object"
}

penetration_test_results

Schema ID: fs-penetration-test-results
Control: DORA-Art25-P1

Valid Ranges

test_date: within last 12 months
critical_findings: should be 0 after remediation and retesting

JSON Schema

{
  "properties": {
    "critical_findings": {
      "minimum": 0,
      "type": "integer"
    },
    "findings_count": {
      "minimum": 0,
      "type": "integer"
    },
    "high_findings": {
      "minimum": 0,
      "type": "integer"
    },
    "remediation_verified": {
      "type": "boolean"
    },
    "retesting_completed": {
      "type": "boolean"
    },
    "test_date": {
      "format": "date",
      "type": "string"
    },
    "test_passed": {
      "type": "boolean"
    },
    "tester_organisation": {
      "minLength": 1,
      "type": "string"
    }
  },
  "required": [
    "test_date",
    "tester_organisation",
    "findings_count",
    "critical_findings",
    "test_passed"
  ],
  "type": "object"
}

basic_testing_coverage_status

Schema ID: fs-basic-testing-coverage
Control: DORA-Art25-P1

Valid Ranges

reporting_period_end: within last 12 months
vulnerability_assessments_performed: at least 1 per year
penetration_tests_performed: at least 1 per year

JSON Schema

{
  "properties": {
    "all_required_test_types_covered": {
      "type": "boolean"
    },
    "gap_analyses_performed": {
      "minimum": 0,
      "type": "integer"
    },
    "network_assessments_performed": {
      "minimum": 0,
      "type": "integer"
    },
    "penetration_tests_performed": {
      "minimum": 0,
      "type": "integer"
    },
    "reporting_period_end": {
      "format": "date",
      "type": "string"
    },
    "scenario_based_tests_performed": {
      "minimum": 0,
      "type": "integer"
    },
    "source_code_reviews_performed": {
      "minimum": 0,
      "type": "integer"
    },
    "vulnerability_assessments_performed": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "reporting_period_end",
    "vulnerability_assessments_performed",
    "penetration_tests_performed",
    "network_assessments_performed"
  ],
  "type": "object"
}