Digital Operational Resilience Act (DORA), Article 24, Requirements for testers.
1. Financial entities shall only use testers for the deployment of threat led penetration testing, which:
(a) are of the highest suitability and reputability;
(b) possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing or red team testing;
(c) are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;
(d) in case of external testers, provide an independent assurance or an audit report in relation to the sound management of risks associated with the execution of threat led penetration testing, including the proper protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
(e) in case of external testers, are dully and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.
2. Financial entities shall ensure that agreements concluded with external testers require a sound management of the threat led penetration testing results and that any processing thereof, including any generation, draft, store, aggregation, report, communication or destruction, do not create risks to the financial entity.