European Insurance and Occupational Pensions Authority
 

DORA 236 - 3344

Q&A

Question ID: DORA 236 - 3344

Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)

Topic: Digital operational resilience testing (DORA), ICT risk management (DORA)

Article: 25 & Art. 16 TS - ICT systems acquisition, development, and maintenance (Art 25 (DORA) and Art. 16. p3. Technical standard ICT systems acquisition, development, and maintenance)

Status: Rejected

Date of submission: 15 May 2025

Question

Regulation DORA Chapter 4. Article 25 states that "execution of appropriate tests, such as (..) source code reviews where feasible" must be conducted. In contrast, the technical standard Risk management framework Chapter I. Article 16. paragraph 3 states: "The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii)." Question: Is a source code test mandatory? Is a dynamic source code test mandatory? In line with requirements, can an organisation replace a source code test with another security test where feasible?

Background of the question

The regulation states that application security tests need to be conducted, based on certain attributes (criticality etc.), and does not formulate a strict requirement for certain test types. On the other hand, the ICT Risk Management TS specifically asks for source code tests. However, the wording "performance" might suggest that this test type should be included in the procedure required by Art. 16. paragraph 2. and not as a strict requirement to deliver such tests. (Additionally, in non-English versions of the Risk management technical standard the word "performance" is missing.)

EIOPA answer

The question has been rejected because the issue it deals with is already addressed in the regulatory text.