Testing and third-party risk — DORA Articles 24–30
This page covers Articles 24–27 (digital operational resilience testing, including TLPT) and Articles 28–30 (ICT third-party risk management, including the register of information, contractual provisions, and subcontracting). Articles 31–44 (the EU oversight framework for designated critical ICT third-party providers) are summarised at the end with cross-references.
Quick decision
- Setting up the testing programme → Article 24 sets general requirements; Article 25 lists test types and frequency. Delegated Regulation 2024/1774 also contains technical detail on testing within the ICT risk management framework.
- In scope of TLPT → Article 26 identifies which financial entities are obliged to perform TLPT (based on size, risk profile, and impact criteria identified by competent authorities). Article 27 sets tester-qualification and pooled-testing rules. Delegated Regulation 2025/1190 carries the technical standards.
- Maintaining the ICT third-party register → Article 28(3) is the obligation; Implementing Regulation 2024/2956 carries the standard templates. The register distinguishes ICT services supporting critical or important functions from other ICT services.
- Drafting or reviewing ICT TPP contracts → Article 30 sets the contractual baseline; Article 30(2) is the all-contracts baseline; Article 30(3) adds the heightened requirements for ICT services supporting critical or important functions. Delegated Regulation 2024/1773 specifies the policy for ICT services supporting critical or important functions; Delegated Regulation 2025/532 specifies subcontracting elements under Article 30(5).
- ICT third-party service provider potentially designated critical → Articles 31–44 set the EU oversight framework. The Lead Overseer regime applies once designation occurs.
TL;DR
- Articles 24–25 establish the digital operational resilience testing programme — annual, risk-based, and including vulnerability scanning, scenario-based tests, performance and end-to-end tests, and source-code reviews where applicable.
- Articles 26–27 add TLPT for entities meeting the Article 26 criteria. Delegated Regulation (EU) 2025/1190 specifies the TLPT technical standards.
- Article 28 is the ICT third-party risk management cornerstone. Article 28(3) requires the register of information; Implementing Regulation (EU) 2024/2956 specifies the standard templates. Article 28(9) is the ITS mandate.
- Article 30 sets the contractual baseline — Article 30(2) for all contractual arrangements, Article 30(3) for those covering ICT services supporting critical or important functions. Delegated Regulation (EU) 2024/1773 specifies the policy under Article 28(10); Delegated Regulation (EU) 2025/532 specifies subcontracting elements under Article 30(5).
- Articles 31–44 establish the EU oversight framework for designated critical ICT third-party service providers, with a Lead Overseer regime run by the ESAs.
Primary source
Regulation (EU) 2022/2554 on EUR-Lex (CELEX 32022R2554) — Articles 24–44 · Delegated Regulation (EU) 2024/1773 · Implementing Regulation (EU) 2024/2956 · Delegated Regulation (EU) 2025/532 · Delegated Regulation (EU) 2025/1190
Articles 24–25 — digital operational resilience testing
Article 24 sets the general requirements for the testing programme. The testing programme must be appropriate to the entity's size, business and risk profile, be part of the ICT risk management framework, and include a sound and comprehensive range of assessments, tests, methodologies, practices and tools to ensure ICT resilience. Article 24 also requires that any deficiencies, weaknesses, or gaps identified during testing be fully addressed through risk-priority-based remediation plans.
Article 25 lists the types of tests and their frequency. Tests include vulnerability scans and assessments, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source-code reviews where feasible, scenario-based tests, compatibility tests, performance tests, end-to-end tests, and penetration tests. Article 25 also sets the obligation to ensure that tests of ICT systems supporting critical or important functions are conducted at least yearly.
In Modulos: ORF-382 (governance) and MRF-305 (execution).
Articles 26–27 — threat-led penetration testing (TLPT)
Article 26 introduces threat-led penetration testing for financial entities meeting specific criteria. Competent authorities identify financial entities that are required to perform TLPT, taking into account ICT-related characteristics, possible criticality of services and impacts on financial stability. TLPT must be carried out on live production systems and must cover several or all critical or important functions of a financial entity. Article 26 also addresses the methodology of TLPT, requiring it to follow the TIBER-EU framework or another equivalent threat-led penetration-testing framework.
Article 27 sets requirements for the testers and the pooled-testing arrangements. Testers may be internal (subject to qualification criteria) or external. Article 27 also addresses pooled testing — where financial entities operating ICT services across critical or important functions of the same group of financial entities pool resources for TLPT.
Delegated Regulation (EU) 2025/1190 specifies the technical standards for TLPT under Article 26.
In Modulos: ORF-383 (governance) and MRF-306 (execution).
Article 28 — ICT third-party risk: general principles + register of information
Article 28 sets out the general principles for managing ICT third-party risk. Financial entities are required to manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework. The board and senior management have explicit responsibility for the policy on arrangements regarding ICT services. Article 28 also addresses concentration risk and the financial entity's responsibilities in performing the preliminary assessment of an ICT third-party service provider before entering into a contractual arrangement, with heightened requirements for arrangements covering critical or important functions.
Article 28(3) — register of information. Article 28(3) requires financial entities to maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services. The register must distinguish between contractual arrangements that cover ICT services supporting critical or important functions and those that do not. Implementing Regulation (EU) 2024/2956 specifies the standard templates of the register under Article 28(9).
In Modulos: ORF-384 (general governance), ORF-386 (register of information governance), and MRF-307, MRF-309 (execution).
Article 30 — key contractual provisions
Article 30 sets out the contractual baseline.
- Article 30(2) lists the provisions every contractual arrangement on the use of ICT services must include — a clear and complete description of all functions and ICT services provided; the locations where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed; provisions on availability, authenticity, integrity and confidentiality of data; data return obligations on termination; service-level descriptions including updates and revisions; assistance to the financial entity at no additional cost; provisions on the rights of access, inspection and audit; termination rights; participation in DORA training; insurance arrangements; and provisions on cooperation with competent authorities.
- Article 30(3) adds the heightened requirements applying to ICT services supporting critical or important functions — full service-level descriptions including precise quantitative and qualitative performance targets; notice periods and reporting obligations relating to risk and incidents; obligations on the ICT third-party service provider to implement and test business contingency plans and have in place ICT security measures, tools and policies; participation in the financial entity's TLPT; unrestricted rights of access, inspection and audit; exit strategies.
Delegated Regulation (EU) 2024/1773 specifies the technical standards for the policy that financial entities adopt under Article 28(10) on ICT services supporting critical or important functions.
In Modulos: ORF-385 and MRF-308 (contractual baseline).
Article 30(5) — subcontracting
Article 30(5) addresses subcontracting by ICT third-party service providers. The contractual arrangements must clearly assign rights and obligations of the parties in respect of subcontracting of ICT services supporting critical or important functions — including preconditions to subcontracting, monitoring obligations, and the financial entity's termination rights.
Delegated Regulation (EU) 2025/532 specifies the regulatory technical standards on the elements which a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.
In Modulos: ORF-387 and MRF-310.
Articles 31–44 — EU oversight framework for critical ICT third-party providers
Articles 31–44 establish an EU-level oversight framework for ICT third-party service providers designated as critical.
- Article 31 sets out the designation criteria — based on systemic impact on financial stability and operations, the criticality of the financial entities relying on the provider, and the degree of substitutability of the provider's services.
- Articles 32–34 establish the structure of the oversight framework — the Joint Oversight Network, the Oversight Forum, and the Lead Overseer (one of the ESAs).
- Articles 35–44 set out the Lead Overseer's powers, the oversight tasks (including conducting general investigations and inspections), and the framework for cooperation with competent authorities and with critical TPPs themselves.
In Modulos: financial-entity-side execution is covered by the Articles 28–30 requirements (ORF-384 to ORF-387; MRF-307 to MRF-310). Designation-side and Lead-Overseer-side activities sit with ESAs and the designated critical TPPs themselves — not with financial entities.
How to operationalize Articles 24–30 in Modulos
| Layer | Modulos surface | Coverage |
|---|---|---|
| Resilience testing programme | OFF-16 ORF-382; MFF-16 MRF-305 | Articles 24–25 |
| TLPT | OFF-16 ORF-383; MFF-16 MRF-306 | Articles 26–27 + Delegated Reg 2025/1190 |
| ICT TPP risk strategy + lifecycle | OFF-16 ORF-384; MFF-16 MRF-307 | Articles 28–29 |
| ICT TPP contractual baseline | OFF-16 ORF-385; MFF-16 MRF-308 | Article 30(2)–(3) |
| Register of information | OFF-16 ORF-386; MFF-16 MRF-309 | Article 28(3) + Implementing Reg 2024/2956 |
| Subcontracting | OFF-16 ORF-387; MFF-16 MRF-310 | Article 30(5) + Delegated Reg 2025/532 |
A typical setup:
- Requirements — each obligation is recorded as a requirement on the relevant project. Fulfilment tracks through Not fulfilled → Fulfilled.
- Controls — testing programme document, TLPT participation procedure, ICT-TPP due-diligence checklist, contract-template checklist, register-of-information template (per Implementing Regulation 2024/2956), and subcontracting-assessment procedure are documented as named controls.
- Evidence — testing plan + outcomes, TLPT scope memo + tester assurance + remediation records, due-diligence reviews, concentration-risk analyses, signed ICT-TPP contracts with the Article 30 provisions, register-of-information entries, and subcontracting assessments are recorded once and linked to multiple controls.
- Readiness + fulfilment attestation — when controls are in a final state, the requirement becomes ready for review and the owner attests fulfilment.
- Operationalisation gaps to call out honestly: Modulos does not provide a dedicated DORA register-of-information UI surface — register entries are stored as evidence linked to ORF-386 and MRF-309. The TLPT outputs are similarly evidence artefacts, not a dedicated TLPT workflow surface.
Cross-framework mapping (preview)
| DORA area | NIS2 (Directive (EU) 2022/2555) | ISO/IEC 27001:2022 (Amd 1:2024) |
|---|---|---|
| Art 24–25 testing | (no direct equivalent; Art 21(2)(f) effectiveness assessment is closest) | Clause 9.1 (monitoring), 9.2 (internal audit), A.8.29 (security testing) |
| Art 26–27 TLPT | (no direct equivalent — sector-specific) | A.8.29 (security testing in development and acceptance) |
| Art 28 ICT TPP general + register | Art 21(2)(d) supply chain + Art 21(3) | A.5.19, A.5.20, A.5.21 supplier-relationship family |
| Art 30 contractual provisions | Art 21(2)(d) | A.5.20 (information security in supplier agreements) |
| Art 30(5) subcontracting | Art 21(2)(d) + Art 21(3) | A.5.22 (managing information security in the ICT supply chain) |
| Arts 31–44 oversight of critical TPPs | (no direct equivalent) | (no direct equivalent) |
For the pairwise NIS2↔DORA treatment see NIS2 vs DORA.
Related pages
DORA overview
Framework structure, dates, OFF-16 / MFF-16 split
Applicability and governance
Articles 1–6, 16 — scope, proportionality, management body, ICT RMF foundation
ICT risk and resilience operations
Articles 5–23 — RMF substance, incident process, classification, reporting
Information sharing and Level 2 acts
Article 45 + the eight Commission Delegated / Implementing Regulations
NIS2 vs DORA
Where each applies, sector-specific Union legal act interaction
Source attribution
Regulation (EU) 2022/2554 (DORA) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 1–79. Articles 24–44 substance on this page is paraphrased from the operative provisions; for paragraph-level wording consult the EUR-Lex text. Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 specifies the technical standards for the policy on ICT services supporting critical or important functions. Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 specifies the standard templates for the register of information. Commission Delegated Regulation (EU) 2025/532 specifies subcontracting elements under Article 30(5). Commission Delegated Regulation (EU) 2025/1190 specifies the technical standards for threat-led penetration testing under Article 26.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. DORA applies directly in every Member State; binding obligations and supervisory authorities for any specific financial entity are determined by the Regulation, the applicable Level 2 acts, and the competent authority designated under Article 46. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.