Validation methodologies
Purpose of the Requirement
Article 24(5) requires financial entities (other than microenterprises) to implement internal validation methodologies that ensure all weaknesses, deficiencies, or gaps identified during digital operational resilience testing are fully addressed, adequately verified, and formally closed.
The validation methodologies represent the quality assurance and independent oversight layer within the testing lifecycle, ensuring that remediation activities are effective, traceable, and aligned with the entity’s ICT risk tolerance and security objectives.
Scope of Application
The validation methodologies must apply to all categories of tests performed under Chapter IV DORA, including:
- vulnerability assessments
- scenario-based resilience tests
- end-to-end business continuity and failover tests
- network and system resilience tests
- ICT third-party service provider testing
- cyber-range exercises
- backup, restoration, and recovery tests
- threat-led penetration testing (TLPT), where applicable
- integrated ICT response and recovery plan testing
The scope includes every issue, finding, or deviation identified during such tests, irrespective of whether it is technical, organisational, or procedural in nature.
Mandatory Components of the Validation Methodologies
The validation methodologies must define, document, and operationalise the following components:
Independent Validation Function
Validation must be executed by a function that is:
- independent from the teams executing the tests
- independent from the teams performing the remediation
- aligned with the three lines of defence model under Article 6(4) DORA
This ensures objectivity, impartiality, and avoidance of conflicts of interest.
Verification and Evidence Requirements
Validation must rely on objective, auditable evidence, including:
- technical evidence (logs, configuration artefacts, screenshots, test reports)
- architectural and configuration documentation
- updated procedures or process flows
- proof of third-party remediation where relevant
- evidence of regression testing
The methodologies must specify what constitutes acceptable evidence and ensure consistency across all testing processes.
Retesting Requirements
Where applicable, validation must include retesting to confirm that:
- the identified weakness has been fully mitigated
- remediation has not introduced new vulnerabilities
- system behaviour aligns with resilience requirements and baselines
- patching, configuration adjustments, or architectural changes function as intended
Critical issues must always undergo full retesting under conditions comparable to the original test scenario.
Closure Criteria
The methodologies must define explicit, measurable, and risk-based closure criteria, including:
- fulfilment of remediation requirements
- confirmation that risk tolerance thresholds (Article 6(8)(b) DORA) are met
- confirmation that controls operate effectively
- documentation completeness
- approval and sign-off requirements
Issues may only be closed after formal validation confirms complete remediation.
Escalation Procedures
Validation methodologies must include escalation paths for:
- overdue remediation items
- incomplete evidence
- repeated test failures
- recurring or systemic gaps
- remediation delays by ICT third-party service providers
Escalation must reach senior management or the management body for critical issues.
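As an added illustration (not part of the original text), the following Python sketch shows how the controls listed under the five components above can be enforced mechanically in a finding tracker: the validator must be independent of both the tester and the remediator, a finding cannot be closed without evidence on file, critical findings cannot be closed without a retest, a failed retest reopens the finding, and overdue, evidence-less or repeatedly failing items are put on an escalation list. Role names, the evidence categories, the routing of non-critical escalations to an "ICT risk management function", and the sample findings are assumptions constructed for the example.

```python
"""Finding-closure workflow enforcing Article 24(5)-style validation gates.

Added illustration, not from the original page. Role names, evidence kinds,
escalation routing and the sample findings are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Severity(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    CRITICAL = "critical"


class State(Enum):
    OPEN = "open"
    REMEDIATED = "remediated"   # fix applied, awaiting independent validation
    CLOSED = "closed"           # reachable only through validate_and_close()


class ValidationError(Exception):
    """Raised when a step would violate the validation methodology."""


# Evidence categories accepted by the methodology (assumed set, mirroring the
# evidence list above).
ACCEPTED_EVIDENCE = {
    "log", "config_artefact", "screenshot", "test_report", "architecture_doc",
    "procedure", "third_party_attestation", "regression_test",
}


@dataclass
class Evidence:
    kind: str        # one of ACCEPTED_EVIDENCE
    reference: str   # locator in the evidence store (constructed values below)


@dataclass
class Finding:
    finding_id: str
    test_id: str                 # traceability: the test that raised the issue
    severity: Severity
    tester: str                  # who executed the test
    remediation_due: date
    remediator: str | None = None
    validator: str | None = None
    evidence: list[Evidence] = field(default_factory=list)
    retested: bool = False
    retest_failures: int = 0
    state: State = State.OPEN


def record_remediation(f: Finding, remediator: str, evidence: list[Evidence]) -> Finding:
    """Remediation team attaches its evidence. Closure is deliberately impossible here."""
    if f.state is not State.OPEN:
        raise ValidationError(f"{f.finding_id}: remediation recorded in state {f.state.value}")
    unknown = [e.kind for e in evidence if e.kind not in ACCEPTED_EVIDENCE]
    if unknown:
        raise ValidationError(f"{f.finding_id}: unacceptable evidence kinds {unknown}")
    f.remediator, f.evidence, f.state = remediator, list(evidence), State.REMEDIATED
    return f


def validate_and_close(f: Finding, validator: str, retest_passed: bool | None) -> Finding:
    """Independent validation gate. retest_passed=None means no retest was performed."""
    if validator in (f.tester, f.remediator):
        raise ValidationError(f"{f.finding_id}: validator {validator!r} is not independent")
    if f.state is not State.REMEDIATED:
        raise ValidationError(f"{f.finding_id}: nothing to validate in state {f.state.value}")
    if not f.evidence:
        raise ValidationError(f"{f.finding_id}: no remediation evidence on file")
    if f.severity is Severity.CRITICAL and retest_passed is None:
        raise ValidationError(f"{f.finding_id}: critical findings require full retesting")
    if retest_passed is False:
        # Retest failed: reopen, discard stale evidence, keep the count for escalation.
        f.retest_failures += 1
        f.evidence, f.state = [], State.OPEN
        return f
    f.validator, f.retested, f.state = validator, retest_passed is True, State.CLOSED
    return f


def escalations(findings: list[Finding], today: date, repeat_threshold: int = 2) -> list[tuple]:
    """Return (finding_id, reason, escalate_to) for every item needing escalation."""
    out = []
    for f in findings:
        if f.state is State.CLOSED:
            continue
        # Assumed routing: critical items go to the management body, the rest to the risk function.
        target = "management body" if f.severity is Severity.CRITICAL else "ICT risk management function"
        if today > f.remediation_due:
            out.append((f.finding_id, "overdue remediation", target))
        if f.state is State.REMEDIATED and not f.evidence:
            out.append((f.finding_id, "incomplete evidence", target))
        if f.retest_failures >= repeat_threshold:
            out.append((f.finding_id, "repeated test failures", target))
    return out


def demo() -> tuple[Finding, Finding, list[tuple]]:
    """Constructed walk-through: one finding closed properly, one escalated."""
    today = date(2025, 3, 1)
    f1 = Finding("F-001", "VA-2025-02", Severity.CRITICAL, tester="alice", remediation_due=date(2025, 2, 15))
    record_remediation(f1, "bob", [Evidence("config_artefact", "cfg/fw-ruleset-v7"),
                                   Evidence("regression_test", "reports/rt-0042")])
    validate_and_close(f1, "carol", retest_passed=True)      # independent validator, retest done
    f2 = Finding("F-002", "SCN-2025-01", Severity.HIGH, tester="alice", remediation_due=date(2025, 2, 20))
    record_remediation(f2, "bob", [])                        # remediated "on paper", no evidence
    return f1, f2, escalations([f1, f2], today)


if __name__ == "__main__":
    closed, pending, esc = demo()
    print(closed.finding_id, closed.state.value, "validated by", closed.validator)
    for item in esc:
        print("ESCALATE", *item)
```

The point of the design is that `State.CLOSED` is only written inside `validate_and_close`, so every closure carries a validator name, evidence and (for critical items) a retest result, and the traceability chain test → issue → remediation → validation → closure is in the record by construction rather than by convention.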
Interdependencies with Other DORA Requirements
The validation methodologies must integrate with, and be consistent with:
- ICT risk assessment (Article 6(1))
- residual ICT risk acceptance processes (Article 3(d) RTS RMF)
- ICT incident management and detection mechanisms (Articles 10 and 17)
- change management controls (Article 17 RTS RMF)
- ICT BCP and response & recovery plan testing (Articles 25 and 26 RTS RMF)
- ICT internal audit reviews and follow-up (Articles 6(6)–(7) DORA)
- third-party monitoring and testing (Article 28 DORA)
Findings validated under Article 24(5) must feed directly into the annual review of the ICT risk management framework (Article 6(5)).
Documentation Requirements
Validation methodologies must require comprehensive documentation including:
- validation procedures and criteria
- test results and deviations
- evidence of remediation
- validation reports and closure forms
- traceability across test → issue → remediation → validation → closure
- updates to risk assessments, continuity plans, and architecture
Documentation must be searchable, traceable, complete, and audit-ready, consistent with supervisory expectations under Article 6(5) DORA.
Governance and Oversight
The management body, under Article 5(2) DORA, must:
- approve the validation methodologies
- review them periodically
- receive reports on validation outcomes, including overdue items and systemic gaps
- ensure sufficient resources, independence, and competence within validation functions
Validation results are also inputs for:
- internal audit planning
- supervisory reporting decisions
- updates to governance, risk, and control structures