Documentation of testing of the ICT BCPs

Purpose and Regulatory Context

Article 25 RTS RMF establishes explicit documentation obligations for all financial entities performing ICT business continuity plan (ICT BCP) tests as required under Article 11(6) DORA.

The documentation requirement applies to:

  • all ICT BCP testing performed on ICT systems supporting all functions,
  • all enhanced testing scenarios for systems supporting critical or important functions,
  • all tests performed following substantive changes, as well as cyber-attack scenarios, switchover simulations, and third-party dependency scenarios.

This documentation forms part of the broader ICT risk management framework under Article 6 DORA and must feed into:

  • the ICT response and recovery plans review cycle,
  • audit and supervisory evidence requirements, and
  • the annual ICT risk management framework review report (Article 6(5) DORA).

Documentation Obligations (Article 25(5) RTS RMF)

Financial entities must document the results of all ICT BCP tests performed under Article 25(1).
The documentation must be complete, accurate, traceable, and auditable, and must contain:

Test Identification

  • Unique identifier of the test exercise.
  • Date(s), duration and systems in scope.
  • Scenario tested (incl. severe but plausible scenarios required under Article 25(2)(a)).
  • Reference to the BIA and ICT risk assessment underlying scenario selection.

Test Design and Methodology

  • Description of the test type (table-top, simulation, live failover, technical switchover, third-party continuity test).
  • Objectives, assumptions, preconditions, and the expected outcomes.
  • Involvement of ICT third-party service providers (Article 25(2)(b)) where applicable.
  • Involvement of CCP/CSD/trading venue stakeholders when relevant (Articles 25(3)–(4)).

Execution Details

  • Step-by-step account of test execution.
  • Systems, services and staff involved.
  • Observations regarding system behaviour, data integrity, staff readiness, and communication effectiveness.
  • Behaviour of redundant capacity, backups, switchover performance, and recovery processes.

Test Results

  • Actual outcomes vs. expected outcomes.
  • Measured RTO and RPO values for critical or important functions.
  • Confirmation of alignment with the business continuity arrangements.
  • Deviations, failures, unexpected behaviours and delays.
  • Evidence demonstrating whether assumptions underlying the BCP remain valid (Article 25(2)(d)).

Analysis of Identified Deficiencies

Article 25(5) mandates the analysis of any identified deficiencies.
The analysis must include:

  • classification of deficiencies by severity and impact,
  • correlation with ICT risks, BIA results, and criticality of affected functions,
  • root-cause assessment,
  • identification of systemic gaps vs. isolated issues,
  • assessment of third-party service provider contribution to deficiencies.

This analysis must feed directly into the ICT response and recovery plans and the ICT business continuity policy review (Article 24(1)(b)(v)).

Remediation and Follow-Up

In accordance with Article 25(5), all deficiencies must be addressed.
This requires:

  • definition of concrete corrective measures,
  • assignment of responsible functions,
  • implementation timelines,
  • dependencies on third-party providers,
  • resource implications,
  • integration into the formal follow-up process for critical ICT audit findings under Article 6(7) DORA.

Remediation status must remain visible to ICT risk management, business continuity management, and internal audit.

Reporting to the Management Body

The regulation requires that all identified deficiencies be reported to the management body.

Management body reporting must include:

  • an executive summary of the test performed,
  • key findings and deviations,
  • severity assessment,
  • remediation plan and timeline,
  • unresolved or recurring weaknesses,
  • risks arising from deficiencies and potential impacts on critical or important functions.

This reporting must occur within the normal governance cycle and must be consistent with the reporting obligations under Article 6(5) DORA (ICT risk management framework review).

Integration Into the Annual ICT Risk Management Review

Documentation of ICT BCP tests is a mandatory input into:

  • the annual ICT risk management framework review, and
  • the report submitted to the competent authority upon request (Article 6(5) DORA; Article 27 RTS RMF).

Test results and associated deficiencies must be referenced explicitly in:

  • the section on the effectiveness of ICT controls (Article 27(2)(a)(iv)),
  • findings and severity analysis (Article 27(2)(g)),
  • corrective measures and implementation status (Article 27(2)(h)).