Pillar III: Digital Operational Resilience Testing
Article 25

Chapter IV — Digital operational resilience testing

Section I — General requirements

Testing of ICT tools and systems

Tags: vulnerability-assessment, network-security, scenario-testing, remediation

Summary

Details the specific types of testing that financial entities must perform on their ICT tools and systems, including vulnerability assessments, network security assessments, scenario-based testing, and compatibility testing. Requires remediation of identified vulnerabilities and findings.

Key Requirements

  1. Perform vulnerability assessments and scans at appropriate frequency
  2. Conduct network security assessments
  3. Execute scenario-based tests including stress and disaster recovery tests
  4. Perform compatibility testing for system changes
  5. Remediate all identified vulnerabilities in a timely manner

Detailed Analysis

Article 25 provides the detailed catalogue of testing activities that financial entities must perform as part of their digital operational resilience testing programme. While Article 24 establishes the programme-level requirements, Article 25 specifies what types of tests must be included and how findings must be handled.

Vulnerability assessments and scans represent the baseline testing requirement. These must be conducted at a frequency proportionate to the risk profile of the systems being tested, with more frequent scanning for internet-facing and critical systems. The assessments must cover known vulnerabilities, misconfigurations, and security weaknesses across the full technology stack.

Scenario-based testing goes beyond vulnerability scanning to test the entity's ability to respond to realistic disruption scenarios. This includes business continuity tests that validate recovery capabilities against defined RTOs and RPOs, disaster recovery exercises that test failover to backup facilities, and stress tests that assess system behavior under extreme conditions. These scenarios should be based on realistic threat intelligence and past incident patterns.

A critical requirement of Article 25 is the obligation to remediate identified findings. Testing that discovers vulnerabilities but does not lead to remediation provides no value. Entities must establish a process for prioritizing findings based on risk, assigning remediation ownership, tracking progress, and verifying that fixes are effective. The remediation timeline must be proportionate to the severity of the finding, with critical vulnerabilities requiring immediate attention.
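The two proportionality rules described above (scan cadence by system risk profile, remediation deadline by finding severity) and the ownership, tracking and verification steps can be expressed as a small triage routine. This is an added illustration, not code from Article 25 or from any product; the interval and SLA values, the `Finding` fields and the sample findings are all constructed assumptions that a real entity would replace with its own risk assessment.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy values (constructed for this example): scan cadence by the
# system's risk profile and remediation SLA by finding severity, in days.
SCAN_INTERVAL_DAYS = {"critical": 7, "internet_facing": 14, "internal": 90}
REMEDIATION_SLA_DAYS = {"critical": 0, "high": 14, "medium": 60, "low": 180}


@dataclass
class Finding:
    finding_id: str
    system: str
    profile: str            # key of SCAN_INTERVAL_DAYS
    severity: str           # key of REMEDIATION_SLA_DAYS
    found: date
    owner: Optional[str] = None        # remediation ownership assigned?
    fixed: Optional[date] = None       # date the fix was applied
    verified_by_rescan: bool = False   # fix confirmed effective by re-test?


def next_scan_due(last_scan: date, profile: str) -> date:
    """Next scan date: shorter intervals for critical/internet-facing systems."""
    return last_scan + timedelta(days=SCAN_INTERVAL_DAYS[profile])


def due_date(f: Finding) -> date:
    """Remediation deadline proportionate to severity (critical = same day)."""
    return f.found + timedelta(days=REMEDIATION_SLA_DAYS[f.severity])


def triage(findings: List[Finding], today: date) -> List[Tuple[str, str, List[str]]]:
    """Order findings by risk and flag the gaps a programme review would raise:
    no owner, past the SLA, or fixed but never verified by re-scan."""
    rank = list(REMEDIATION_SLA_DAYS)  # severity order: critical first
    report = []
    for f in sorted(findings, key=lambda x: (rank.index(x.severity), x.found)):
        issues = []
        if f.owner is None:
            issues.append("unassigned")
        if f.fixed is None and today > due_date(f):
            issues.append("overdue")
        if f.fixed is not None and not f.verified_by_rescan:
            issues.append("unverified")
        status = "closed" if f.verified_by_rescan else ("fixed" if f.fixed else "open")
        report.append((f.finding_id, status, issues))
    return report


TODAY = date(2024, 6, 1)  # constructed review date
SAMPLE = [  # constructed sample findings, not real data
    Finding("F-1", "payments-gw", "internet_facing", "critical", date(2024, 5, 30), owner="netops"),
    Finding("F-2", "hr-portal", "internal", "medium", date(2024, 3, 1), owner="appsec", fixed=date(2024, 4, 2)),
    Finding("F-3", "core-ledger", "critical", "high", date(2024, 5, 1)),
    Finding("F-4", "wiki", "internal", "low", date(2024, 5, 20), owner="it", fixed=date(2024, 5, 25), verified_by_rescan=True),
]
```

Running `triage(SAMPLE, TODAY)` lists F-1 as open and overdue, F-3 as open, unassigned and overdue, F-2 as fixed but unverified, and F-4 as closed.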
