
Bridging Compliance and Quality Between DORA and SQA

Written by Michael Kister and Matthias Wolf | Sep 3, 2025 2:01:00 PM

In recent years, the test-management functions of financial institutions have adapted to and complied with the Insurance Supervisory Requirements for IT (VAIT), particularly regarding IT security and the operational reliability of their production systems. The VAIT imposes specific requirements on test management to ensure that IT systems are adequately tested before they are released. From the test-management perspective, VAIT compliance consists of the following main tasks:

  • Definition of test strategy and test plan
  • Planning and support of the process for test execution and result documentation
  • Delivery of the defined test environment
  • Planning and supporting user-acceptance tests
  • Planning and supporting test automation
  • Planning and supporting continuous test improvement
  • Focusing on the risk-based approach

With the introduction of DORA, the previous VAIT requirements have been integrated into and refined by the DORA framework.

INNOVATIONS WITH THE INTRODUCTION OF DORA

With the introduction of DORA, financial institutions are focusing their test-management activities on a risk-based, proportionate testing approach for their newly implemented ICT business continuity plans (ICT-BCP: Information and Communication Technology Business Continuity Plan).

The Federal Financial Supervisory Authority (BaFin) has provided additional guidance on the interpretation of DORA. The essential VAIT requirements for financial institutions have, however, been carried over into the DORA regulation.

The potential impact on test management for financial institutions is explained below using two DORA articles:

GENERAL REQUIREMENTS FOR TESTING OF DIGITAL OPERATIONAL RESILIENCE (ARTICLE 24)

Financial institutions shall assess their preparedness for handling ICT-related incidents and potential risks, and identify weaknesses, deficiencies and gaps in their digital operational resilience.

Companies are required to establish a risk-based testing programme to verify the effectiveness and correctness of their information and communication technology. For this purpose, methods, procedures and tools shall be applied in accordance with Articles 25 and 26 of DORA.

The results of these tests are intended to drive corrective measures that improve digital operational resilience.

During test execution, it is important to ensure that tests are conducted by independent parties, whether internal or external staff. If the tests are conducted internally, sufficient resources must be dedicated to them and conflicts of interest must be avoided throughout the design and execution of the test.

Financial institutions shall establish procedures and policies for prioritizing, classifying and remedying any issues (defects) identified during testing. Internal validation methods shall ensure that all identified weaknesses, deficiencies or gaps are fully addressed.
Financial institutions shall ensure that all ICT systems and applications supporting critical or important functions are subject to appropriate testing at least annually.
For further detail, the full DORA text and BaFin's implementation guidance can be found at:

🔗 Bafin.de/Publication/EN/Guidance/DORA
🔗 Bafin.de/Aufsichtsmitteilung/Umsetzungshinweise_DORA.html


TESTING OF ICT TOOLS AND SYSTEMS AS THE BASIS FOR ICT BUSINESS CONTINUITY PLANS (ARTICLE 25)

This article establishes specific requirements for testing ICT tools and systems in order to identify vulnerabilities and to strengthen the resilience of ICT systems as the basis for the ICT-BCP. The digital operational resilience testing programme shall include appropriate tests, such as vulnerability assessments and scans, open-source analyses, network security assessments, source code reviews where feasible, scenario-based tests and penetration testing.

The ICT Business Continuity Plan (ICT-BCP) is one of the core elements of the digital operational resilience strategy. Financial institutions are required to systematically document all test results, analyze the identified vulnerabilities, and report them to the management body.

To meet audit-proof standards, the documentation duty covers the following items:

  • Proper descriptions of test cases and their underlying requirements (stories)
  • Description of test scenarios for the ICT-BCP based on the IT strategy, including operational dependencies between ICT systems
  • Documentation of all test results, for each ICT system and each ICT-BCP
  • Analysis of weaknesses, gaps and ineffective controls
  • Execution of a risk assessment over all deficiencies (i.e., defects, problems)
  • Implementation of technical and organizational measures to remedy the deficiencies found
  • Examination, remediation and reporting to the management body of any deficiency identified through testing


PURPOSE OF A PROPER DOCUMENTATION PROCESS

Sound quality management rests on documented processes for all ICT systems, each of which is tested and has proven effectiveness.

Building on this, the implemented ICT-BCPs shall be tested and verified on a regular basis; measures for improvement can be derived from the respective results.

Proper documentation also reduces or even avoids liability for the management body and, finally, prepares the institution for DORA audits by the supervisory authority (BaFin).

It should be emphasized that missing or incomplete documentation of the items listed above results in non-compliance with DORA.

There are several further recommendations for implementing DORA-compliant quality and risk management. At SYVE, as a consultancy, we support all stages and levels of the relevant testing processes. We see Software Quality Assurance as more than bug finding; it's about building trust. Test Management is the bridge between compliance and quality, guiding every testing phase from risk-based planning to resilience checks. With deep experience in Germany's insurance and financial sectors, we help turn regulatory pressure into a competitive advantage.