DORA-Art27-P1

Article: 27 (1)
Pillar: Digital Operational Resilience Testing
Regulation Ref: Regulation (EU) 2022/2554, Article 27(1)
Last Reviewed: 2026-01-15

Financial entities shall ensure that tests are undertaken by independent parties, whether internal or external. Where tests are carried out by an internal tester, financial entities shall dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution phases of the test.

Evidence Profiles

TLPT Execution Report

Report documenting the execution and results of threat-led penetration testing, including attack scenarios executed, findings, impact assessment, and remediation requirements as required by DORA Articles 26-27.

Formats: PDF
Evidence Class: tlpt-execution-report
Availability: RARE
Update Frequency: every 3 years
Typical Author: External TLPT Provider
Approval Chain: CISO → CRO → Board Risk Committee → Competent Authority

Tester Independence Attestation

Plain text attestation confirming the independence of testing parties, absence of conflicts of interest, and adequate resource allocation for testing activities as required by DORA Article 27.

Formats: PLAIN_TEXT, PDF
Evidence Class: tester-independence-attestation
Availability: PARTIAL
Update Frequency: per engagement
Typical Author: Head of Internal Audit
Approval Chain: Head of Internal Audit → CISO

Fact Schemas

tester_independence_status

Schema ID: fs-tester-independence
Control: DORA-Art27-P1

Valid Ranges

attestation_date: per testing engagement
independence_confirmed: must be true for compliance

JSON Schema

{
  "properties": {
    "attestation_date": {
      "format": "date",
      "type": "string"
    },
    "conflicts_of_interest_none": {
      "type": "boolean"
    },
    "independence_confirmed": {
      "type": "boolean"
    },
    "qualifications_verified": {
      "type": "boolean"
    },
    "sufficient_resources_allocated": {
      "type": "boolean"
    },
    "tester_organisation": {
      "type": "string"
    },
    "tester_type": {
      "enum": [
        "internal",
        "external"
      ],
      "type": "string"
    }
  },
  "required": [
    "attestation_date",
    "tester_type",
    "independence_confirmed",
    "conflicts_of_interest_none"
  ],
  "type": "object"
}

tlpt_execution_status

Schema ID: fs-tlpt-execution-status
Control: DORA-Art26-P1

Valid Ranges

tlpt_date: within last 3 years
next_tlpt_due_date: within 3 years of last TLPT

JSON Schema

{
  "properties": {
    "competent_authority_notified": {
      "type": "boolean"
    },
    "covers_critical_functions": {
      "type": "boolean"
    },
    "critical_findings": {
      "minimum": 0,
      "type": "integer"
    },
    "defence_detection_rate_percent": {
      "maximum": 100,
      "minimum": 0,
      "type": "number"
    },
    "findings_count": {
      "minimum": 0,
      "type": "integer"
    },
    "next_tlpt_due_date": {
      "format": "date",
      "type": "string"
    },
    "threat_intelligence_used": {
      "type": "boolean"
    },
    "tlpt_date": {
      "format": "date",
      "type": "string"
    },
    "tlpt_performed": {
      "type": "boolean"
    }
  },
  "required": [
    "tlpt_date",
    "tlpt_performed",
    "covers_critical_functions",
    "findings_count"
  ],
  "type": "object"
}