Chapter IV — Digital operational resilience testing
Section I — General requirements
General requirements for the performance of digital operational resilience testing
Summary
Requires financial entities to establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of their ICT risk management framework. Testing must be proportionate to the entity's size, business and risk profiles.
Key Requirements
1. Establish a comprehensive digital operational resilience testing programme
2. Include a range of assessments, tests, methodologies, and tools
3. Apply a risk-based approach to testing priorities
4. Test all critical or important functions and supporting ICT systems
5. Ensure independent testing by qualified internal or external parties
Detailed Analysis
Article 24 establishes the overarching requirements for digital operational resilience testing, making it clear that testing is not an optional add-on but an integral component of the ICT risk management framework. Every in-scope financial entity must have a testing programme, though its scope and depth should be proportionate to the entity's risk profile.
The testing programme must cover a range of approaches including, but not limited to, vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.
A risk-based approach is fundamental. Entities must prioritize testing of critical or important functions and the ICT systems that support them. The testing programme should reflect the current threat landscape, lessons learned from past incidents, and the results of previous tests. Testing must be repeated at appropriate frequencies, with at least basic testing conducted annually for all ICT systems and applications.
Independence of testing is a key quality requirement. Tests must be performed by parties with sufficient expertise, independence, and objectivity — whether internal teams with appropriate organizational separation or qualified external providers. The entity must ensure that testers have no conflicts of interest that could compromise the objectivity of their findings.