{
  "tool_id": "art-29-dora-readiness-diagnostic",
  "note": "golden_hash empty until first `node golden-parity.test.mjs --update`.",
  "vectors": [
    {
      "name": "default-inputs",
      "policy_parameters": {},
      "output_payload": {
        "score_pct": 0,
        "grade": "F",
        "grade_title": "Stop",
        "domain_scores": [
          {
            "label": "ICT Risk Management",
            "articles": "Art. 5–16",
            "pct": 0,
            "grade": "F"
          },
          {
            "label": "Incident Classification & Reporting",
            "articles": "Art. 17–23",
            "pct": 0,
            "grade": "F"
          },
          {
            "label": "Resilience Testing",
            "articles": "Art. 24–27",
            "pct": 0,
            "grade": "F"
          },
          {
            "label": "Third-Party Risk",
            "articles": "Art. 28–30",
            "pct": 0,
            "grade": "F"
          }
        ],
        "gaps_count": 12,
        "gaps": [
          {
            "question": "Is there a board-approved ICT risk framework mapped to DORA Articles 5–16?",
            "domain": "ICT Risk Management",
            "severity": "no",
            "articles": "Art. 5–16"
          },
          {
            "question": "Are critical or important functions (CIFs) formally identified and documented?",
            "domain": "ICT Risk Management",
            "severity": "no",
            "articles": "Art. 5–16"
          },
          {
            "question": "Has proportionality been assessed and documented for your entity class?",
            "domain": "ICT Risk Management",
            "severity": "no",
            "articles": "Art. 5–16"
          },
          {
            "question": "Can you classify a major ICT incident against the DORA criteria within the reporting clock?",
            "domain": "Incident Classification & Reporting",
            "severity": "no",
            "articles": "Art. 17–23"
          },
          {
            "question": "Are NCA submission templates and deadlines tracked end-to-end?",
            "domain": "Incident Classification & Reporting",
            "severity": "no",
            "articles": "Art. 17–23"
          },
          {
            "question": "Is there a tested escalation runbook from detection to initial notification?",
            "domain": "Incident Classification & Reporting",
            "severity": "no",
            "articles": "Art. 17–23"
          },
          {
            "question": "Is there a risk-based digital operational resilience testing programme (not just annual pen tests)?",
            "domain": "Resilience Testing",
            "severity": "no",
            "articles": "Art. 24–27"
          },
          {
            "question": "If in scope, is TLPT (threat-led penetration testing) scoped and scheduled?",
            "domain": "Resilience Testing",
            "severity": "no",
            "articles": "Art. 24–27"
          },
          {
            "question": "Are test findings tracked to closure with board visibility?",
            "domain": "Resilience Testing",
            "severity": "no",
            "articles": "Art. 24–27"
          },
          {
            "question": "Is the register of information for all ICT third-party arrangements complete and current?",
            "domain": "Third-Party Risk",
            "severity": "no",
            "articles": "Art. 28–30"
          },
          {
            "question": "Do critical ICT contracts contain the DORA-mandated provisions (audit, exit, sub-outsourcing)?",
            "domain": "Third-Party Risk",
            "severity": "no",
            "articles": "Art. 28–30"
          },
          {
            "question": "Is ICT concentration risk measured and reported (single-provider dependencies)?",
            "domain": "Third-Party Risk",
            "severity": "no",
            "articles": "Art. 28–30"
          }
        ],
        "all_answered": false,
        "supervisory_exposure": true,
        "immediate_action_required": true,
        "incident_route_recommended": true,
        "regulatory_framework": "DORA (EU) 2022/2554 · EBA/ESMA/EIOPA RTS on ICT risk management · JC 2023 83",
        "applicable_deadline_note": "DORA in force January 2025 — ~22,000 in-scope entities across the EU"
      },
      "golden_hash": "c34aabf716c7cda4e36107a4e0838f3cbb19d29c508aede056c077bcb4d3b8fa"
    },
    {
      "name": "all-yes-grade-a",
      "note": "All 12 DORA questions answered yes. score_pct=100, grade=A. Auto path for dora-escalation-demo: gate does NOT fire escalation.",
      "policy_parameters": {
        "answers": {
          "q1": "yes",
          "q2": "yes",
          "q3": "yes",
          "q4": "yes",
          "q5": "yes",
          "q6": "yes",
          "q7": "yes",
          "q8": "yes",
          "q9": "yes",
          "q10": "yes",
          "q11": "yes",
          "q12": "yes"
        }
      },
      "output_payload": {
        "score_pct": 100,
        "grade": "A",
        "grade_title": "Review-ready",
        "domain_scores": [
          {
            "label": "ICT Risk Management",
            "articles": "Art. 5–16",
            "pct": 100,
            "grade": "A"
          },
          {
            "label": "Incident Classification & Reporting",
            "articles": "Art. 17–23",
            "pct": 100,
            "grade": "A"
          },
          {
            "label": "Resilience Testing",
            "articles": "Art. 24–27",
            "pct": 100,
            "grade": "A"
          },
          {
            "label": "Third-Party Risk",
            "articles": "Art. 28–30",
            "pct": 100,
            "grade": "A"
          }
        ],
        "gaps_count": 0,
        "gaps": [],
        "all_answered": true,
        "supervisory_exposure": false,
        "immediate_action_required": false,
        "incident_route_recommended": false,
        "regulatory_framework": "DORA (EU) 2022/2554 · EBA/ESMA/EIOPA RTS on ICT risk management · JC 2023 83",
        "applicable_deadline_note": "DORA in force January 2025 — ~22,000 in-scope entities across the EU"
      },
      "golden_hash": "02a1be81b726504818998f3e2c10c7a699408dba8e3d3c426d26a6a51a025b6a"
    }
  ]
}
