Coordinated testing regime requirements


In addition, where no ICT testing is required, vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; remain undetected and result in exposing a financial entity to ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; and ultimately create a higher risk to the stability and integrity of the financial sector. Without Union intervention, digital operational resilience testingas defined in Article 24 would continue to be inconsistent and would lack a system of mutual recognition of ICT testing results across different jurisdictions. In addition, as it is unlikely that other financial subsectors would adopt testing schemes on a meaningful scale, they would miss out on the potential benefits of a testing framework, in terms of revealing ICT vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; and risks, and testing defence capabilities and business continuity, which contributes to increasing the trust of customers, suppliers and business partners. To remedy those overlaps, divergences and gaps, it is necessary to lay down rules for a coordinated testing regime and thereby facilitate the mutual recognition of advanced testing for financial entitiesas defined in Article 2, points (a) to (t) meeting the criteria set out in this Regulation.