14 frameworks · 127 controls
Framework crosswalk
14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.
Cells coloured by Jaccard similarity of technique sets.
| | DORA | ISO 27001 | PCI DSS v4 | CIS v8 | NIS2 | OWASP API Top 10 | OWASP LLM Top 10 | OWASP Top 10 | ISO 27701 | EU AI Act | GDPR | NIST CSF | EU CRA | TIBER-EU |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DORA | | 0.40 | 0.36 | 0.48 | 0.54 | 0.23 | 0.31 | 0.33 | 0.29 | 0.26 | 0.45 | 0.46 | | 0.19 |
| ISO 27001 | 0.40 | | 0.33 | 0.53 | 0.44 | 0.30 | 0.29 | 0.34 | 0.28 | 0.25 | 0.40 | 0.36 | | 0.14 |
| PCI DSS v4 | 0.36 | 0.33 | | 0.41 | 0.41 | 0.33 | 0.35 | 0.33 | 0.39 | 0.40 | 0.30 | 0.33 | | 0.29 |
| CIS v8 | 0.48 | 0.53 | 0.41 | | 0.54 | 0.33 | 0.33 | 0.39 | 0.29 | 0.30 | 0.51 | 0.48 | | 0.19 |
| NIS2 | 0.54 | 0.44 | 0.41 | 0.54 | | 0.33 | 0.36 | 0.32 | 0.32 | 0.27 | 0.45 | 0.47 | | 0.22 |
| OWASP API Top 10 | 0.23 | 0.30 | 0.33 | 0.33 | 0.33 | | 0.36 | 0.35 | 0.26 | 0.20 | 0.25 | 0.31 | | 0.11 |
| OWASP LLM Top 10 | 0.31 | 0.29 | 0.35 | 0.33 | 0.36 | 0.36 | | 0.39 | 0.39 | 0.31 | 0.37 | 0.39 | | 0.21 |
| OWASP Top 10 | 0.33 | 0.34 | 0.33 | 0.39 | 0.32 | 0.35 | 0.39 | | 0.28 | 0.27 | 0.31 | 0.35 | | 0.17 |
| ISO 27701 | 0.29 | 0.28 | 0.39 | 0.29 | 0.32 | 0.26 | 0.39 | 0.28 | | 0.30 | 0.38 | 0.26 | | 0.29 |
| EU AI Act | 0.26 | 0.25 | 0.40 | 0.30 | 0.27 | 0.20 | 0.31 | 0.27 | 0.30 | | 0.40 | 0.31 | | 0.27 |
| GDPR | 0.45 | 0.40 | 0.30 | 0.51 | 0.45 | 0.25 | 0.37 | 0.31 | 0.38 | 0.40 | | 0.44 | | 0.21 |
| NIST CSF | 0.46 | 0.36 | 0.33 | 0.48 | 0.47 | 0.31 | 0.39 | 0.35 | 0.26 | 0.31 | 0.44 | | | 0.18 |
| EU CRA | | | | | | | | | | | | | | |
| TIBER-EU | 0.19 | 0.14 | 0.29 | 0.19 | 0.22 | 0.11 | 0.21 | 0.17 | 0.29 | 0.27 | 0.21 | 0.18 | | |
DORA ↔ EU AI Act — 18 shared techniques
| Control A | Control B | Shared | Examples |
|---|---|---|---|
| Art. 10 DORA-Art10__Q2.2026 | Art. 15 Accuracy, robustness and cybersecurity | 9 | T1078, T1068, T1070, T1027 |
| Art. 11 Response and recovery | Art. 10 Data and data governance | 9 | T1078, T1547, T1068, T1027 |
| Art. 11 Response and recovery | Art. 15 Accuracy, robustness and cybersecurity | 9 | T1078, T1547, T1068, T1027 |
| Art. 17 ICT-related incident management process | Art. 15 Accuracy, robustness and cybersecurity | 9 | T1078, T1068, T1027, T1070 |
| Art. 10 DORA-Art10__Q2.2026 | Art. 10 Data and data governance | 8 | T1078, T1068, T1027, T1003 |
| Art. 13 Learning and evolving | Art. 15 Accuracy, robustness and cybersecurity | 8 | T1087, T1071, T1078, T1003 |
| Art. 17 ICT-related incident management process | Art. 10 Data and data governance | 8 | T1078, T1068, T1027, T1003 |
| Art. 24 DORA-Art24__Q2.2026 | Art. 10 Data and data governance | 8 | T1190, T1078, T1068, T1003 |
| Art. 24 DORA-Art24__Q2.2026 | Art. 15 Accuracy, robustness and cybersecurity | 8 | T1190, T1078, T1068, T1003 |
| Art. 25 Advanced testing of ICT tools, systems and proc… | Art. 10 Data and data governance | 8 | T1190, T1078, T1068, T1027 |
| Art. 25 Advanced testing of ICT tools, systems and proc… | Art. 15 Accuracy, robustness and cybersecurity | 8 | T1190, T1078, T1068, T1027 |
| Art. 7 DORA-Art7__Q2.2026 | Art. 10 Data and data governance | 8 | T1190, T1068, T1083, T1005 |
| Art. 28 General principles for ICT third-party risk | Art. 10 Data and data governance | 7 | T1078, T1068, T1003, T1005 |
| Art. 28 General principles for ICT third-party risk | Art. 15 Accuracy, robustness and cybersecurity | 7 | T1078, T1068, T1003, T1087 |
| Art. 6 DORA-Art6__Q2.2026 | Art. 15 Accuracy, robustness and cybersecurity | 7 | T1078, T1068, T1027, T1070 |
| Art. 13 Learning and evolving | Art. 10 Data and data governance | 6 | T1071, T1078, T1003, T1027 |
| Art. 7 DORA-Art7__Q2.2026 | Art. 15 Accuracy, robustness and cybersecurity | 6 | T1190, T1068, T1083, T1005 |
| Art. 10 DORA-Art10__Q2.2026 | Art. 12 Record keeping | 5 | T1059, T1003, T1087, T1071 |
| Art. 12 Backup policies and recovery methods | Art. 10 Data and data governance | 5 | T1003, T1005, T1027, T1041 |
| Art. 12 Backup policies and recovery methods | Art. 15 Accuracy, robustness and cybersecurity | 5 | T1003, T1005, T1027, T1041 |
| Art. 13 Learning and evolving | Art. 12 Record keeping | 5 | T1087, T1059, T1071, T1003 |
| Art. 14 Communication | Art. 10 Data and data governance | 5 | T1566, T1078, T1041, T1003 |
| Art. 14 Communication | Art. 15 Accuracy, robustness and cybersecurity | 5 | T1566, T1078, T1041, T1003 |
| Art. 17 ICT-related incident management process | Art. 12 Record keeping | 5 | T1059, T1003, T1087, T1071 |
| Art. 25 Advanced testing of ICT tools, systems and proc… | Art. 12 Record keeping | 5 | T1059, T1547.001, T1003, T1087 |
Showing top 25 of 42 control pairs.
Show non-overlap — DORA techniques NOT covered by EU AI Act (42)
T1003.001, T1003.002, T1007, T1008, T1009, T1011, T1012, T1013, T1016, T1018, T1020, T1021, T1021.001, T1022, T1031, T1033, T1036, T1036.003, T1036.005, T1037, T1039, T1040, T1046, T1047, T1048, T1048.001, T1048.003, T1049, T1053, T1055, T1056, T1057, T1069, T1071.001, T1082, T1090, T1098, T1098.003, T1133, T1195, T1566.001, T1566.002
compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.