§ DORA · Article 27

DORA Article 27: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 27 · All obligations · DORA
At a glance
Article 27 of the DORA imposes 9 obligations on financial entities.
§ Obligations

All obligations under Article 27

Obligation 1
Financial entities shall only use testers for the carrying out of TLPT that are of the highest suitability and reputability. Regulation (EU) 2022/2554, Article 27, Article 27
Obligated entity
financial entities
Sector scope
financial sector
Action required
use
Deadline
Penalty
Obligation 2
Financial entities shall only use testers for the carrying out of TLPT that possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing. Regulation (EU) 2022/2554, Article 27, Article 27
Obligated entity
financial entities
Sector scope
financial sector
Action required
use
Deadline
Penalty
Obligation 3
Financial entities shall only use testers for the carrying out of TLPT that are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks. Regulation (EU) 2022/2554, Article 27, Article 27
Obligated entity
financial entities
Sector scope
financial sector
Action required
use
Deadline
Penalty
Obligation 4
Financial entities shall only use testers for the carrying out of TLPT that provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity. Regulation (EU) 2022/2554, Article 27, Article 27
Obligated entity
financial entities
Sector scope
financial sector
Action required
use
Deadline
Penalty
Obligation 5
Financial entities shall only use testers for the carrying out of TLPT that are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence. Regulation (EU) 2022/2554, Article 27, Article 27
Obligated entity
financial entities
Sector scope
financial sector
Action required
use
Deadline
Penalty
Obligation 6
When using internal testers, financial entities shall ensure that such use has been approved by the relevant competent authority or by the single public authority designated in accordance with Article 26(9) and (10). Regulation (EU) 2022/2554, Article 27, Article 27
Obligated entity
financial entities
Sector scope
financial sector
Action required
ensure
Deadline
Penalty
Obligation 7
When using internal testers, financial entities shall ensure that the relevant competent authority has verified that the financial entity has sufficient dedicated resources and ensured that conflicts of interest are avoided throughout the design and execution phases of the test. Regulation (EU) 2022/2554, Article 27, Article 27
Obligated entity
financial entities
Sector scope
financial sector
Action required
ensure
Deadline
Penalty
Obligation 8
When using internal testers, financial entities shall ensure that the threat intelligence provider is external to the financial entity. Regulation (EU) 2022/2554, Article 27, Article 27
Obligated entity
financial entities
Sector scope
financial sector
Action required
ensure
Deadline
Penalty
Obligation 9
Financial entities shall ensure that contracts concluded with external testers require a sound management of the TLPT results and that any data processing thereof do not create risks to the financial entity. Regulation (EU) 2022/2554, Article 27, Article 27
Obligated entity
financial entities
Sector scope
financial sector
Action required
ensure
Deadline
Penalty
§ Frequently asked

Questions about Article 27

Who must comply with Article 27 of the DORA? +
financial entities.
What does Article 27 of the DORA require? +
use ensure
Need a cross-border briefing on DORA Article 27?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles