# Art. 24 — General testing requirements

1. For the purpose of assessing preparedness for handling [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), of identifying weaknesses, deficiencies and gaps in [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience), and of promptly implementing corrective measures, financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall, taking into account the criteria set out in [Article 4(2)](/dora/digital-operational-resilience-act/chapter-i-general-provisions/article-4-proportionality-principle.md), establish, maintain and review a sound and comprehensive [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing programme as an integral part of the ICT risk-management framework referred to in [Article 6](/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-6-ict-risk-management-framework.md).
2. The [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with [Article 25](/dora/digital-operational-resilience-act/chapter-iv-digital-operational-resilience-testing/article-25-testing-of-ict-tools-and-systems.md) and [Article 26](/dora/digital-operational-resilience-act/chapter-iv-digital-operational-resilience-testing/article-26-advanced-testing-tlpt.md).
3. When conducting the [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing programme referred to in paragraph 1 of this Article, financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall follow a risk-based approach taking into account the criteria set out in [Article 4(2)](/dora/digital-operational-resilience-act/chapter-i-general-provisions/article-4-proportionality-principle.md) duly considering the evolving landscape of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk), any specific risks to which the financial entity concerned is or might be exposed, the criticality of [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and of services provided, as well as any other factor the financial entity deems appropriate.
4. Financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall ensure that tests are undertaken by independent parties, whether internal or external. Where tests are undertaken by an internal tester, financial entities shall dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution phases of the test.
5. Financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.
6. Financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function).

