Article 8 Testing and capacity

A data reporting services provider shall implement clearly delineated development and testing methodologies, ensuring that:

1. (a)

   the operation of the IT systems satisfies the data reporting services provider's regulatory obligations;

2. (b)

   compliance and risk management controls embedded in IT systems work as intended;

3. (c)

   the IT systems can continue to work effectively at all times.

A data reporting services provider shall also use the methodologies referred to in paragraph 1 prior to and following the deployment of any updates of the IT systems.

A data reporting services provider shall promptly notify the competent authority of any planned significant changes to the IT system prior to their implementation.

A data reporting services provider shall set up an on-going programme for periodically reviewing and, where needed, modifying the development and testing methodologies.

A data reporting services provider shall run stress tests periodically at least on an annual basis. A data reporting services provider shall include in the adverse scenarios of the stress test unexpected behaviour of critical constituent elements of its systems and communication lines. The stress testing shall identify how hardware, software and communications respond to potential threats, specifying systems unable to cope with the adverse scenarios. A data reporting services provider shall take measures to address identified shortcomings in those systems.

A data reporting services provider shall:

1. (a)

   have sufficient capacity to perform its functions without outages or failures, including missing or incorrect data;

2. (b)

   have sufficient scalability to accommodate without undue delay any increase in the amount of information to be processed and in the number of access requests from its clients.