# Art. 25 — Testing ICT tools & systems

1. The [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing programme referred to in [Article 24](/dora/digital-operational-resilience-act/chapter-iv-digital-operational-resilience-testing/article-24-general-requirements-for-testing.md) shall provide, in accordance with the criteria set out in [Article 4(2)](/dora/digital-operational-resilience-act/chapter-i-general-provisions/article-4-proportionality-principle.md), for the execution of appropriate tests, such as [vulnerability](https://www.mica.wtf/definitions/definitions/dora/vulnerability) assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
2. [Central securities depositories](https://www.mica.wtf/definitions/definitions/dora/central-securities-depository) and [central counterparties](https://www.mica.wtf/definitions/definitions/dora/central-counterparty) shall perform [vulnerability](https://www.mica.wtf/definitions/definitions/dora/vulnerability) assessments before any deployment or redeployment of new or existing applications and infrastructure components, and [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) of the financial entity.
3. [Microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise) shall perform the tests referred to in paragraph 1 by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing provided for in this Article, on the one hand, and the urgency, type of risk, criticality of [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and of services provided, as well as any other relevant factor, including the financial entity's ability to take calculated risks, on the other hand.

