Question ID: DORA 100 - 3103
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Status: Rejected
Date of submission: 10 Jun 2024
Question
1) In the regulation, this clause relates to pen testing: "are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks". Would it suffice if the testers do not have formal industry certifications but followed industry standards such as OWASP, NIST, etc.? If not, then could these certifications be awarded by bodies who are based in the USA?
2) Can the pen testers carrying out the work for DORA be employed by the organisation having the assessments (as long as they don't work within the teams managing the systems under review as part of their normal business)? For instance, if the tester works in the "pen test" team and they test a system in the "sales team" in the same company, and the tester doesn't work in any sales function, is this OK?
3) What is the definition of a yearly pen test under this act? Would a vulnerability scan suffice, or would it need to be a human-run end-to-end assessment which looks at the full range of security issues?
4) Would a physical security assessment need to take place yearly?
5) Would there be any requirement to have third-party pen tests?
Background of the question
In order to prepare for compliance with DORA.
EIOPA answer
This question has been rejected because it is seeking confirmation of a requirement already set out in the Regulation.