14 frameworks, 127 controls
Framework crosswalk
14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.
Cells coloured by Jaccard similarity of technique sets.
| | DORA | ISO 27001 | PCI DSS v4 | CIS v8 | NIS2 | OWASP API Top 10 | OWASP LLM Top 10 | OWASP Top 10 | ISO 27701 | EU AI Act | GDPR | NIST CSF | EU CRA | TIBER-EU |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DORA | | 0.40 | 0.36 | 0.48 | 0.54 | 0.23 | 0.31 | 0.33 | 0.29 | 0.26 | 0.45 | 0.46 | | 0.19 |
| ISO 27001 | 0.40 | | 0.33 | 0.53 | 0.44 | 0.30 | 0.29 | 0.34 | 0.28 | 0.25 | 0.40 | 0.36 | | 0.14 |
| PCI DSS v4 | 0.36 | 0.33 | | 0.41 | 0.41 | 0.33 | 0.35 | 0.33 | 0.39 | 0.40 | 0.30 | 0.33 | | 0.29 |
| CIS v8 | 0.48 | 0.53 | 0.41 | | 0.54 | 0.33 | 0.33 | 0.39 | 0.29 | 0.30 | 0.51 | 0.48 | | 0.19 |
| NIS2 | 0.54 | 0.44 | 0.41 | 0.54 | | 0.33 | 0.36 | 0.32 | 0.32 | 0.27 | 0.45 | 0.47 | | 0.22 |
| OWASP API Top 10 | 0.23 | 0.30 | 0.33 | 0.33 | 0.33 | | 0.36 | 0.35 | 0.26 | 0.20 | 0.25 | 0.31 | | 0.11 |
| OWASP LLM Top 10 | 0.31 | 0.29 | 0.35 | 0.33 | 0.36 | 0.36 | | 0.39 | 0.39 | 0.31 | 0.37 | 0.39 | | 0.21 |
| OWASP Top 10 | 0.33 | 0.34 | 0.33 | 0.39 | 0.32 | 0.35 | 0.39 | | 0.28 | 0.27 | 0.31 | 0.35 | | 0.17 |
| ISO 27701 | 0.29 | 0.28 | 0.39 | 0.29 | 0.32 | 0.26 | 0.39 | 0.28 | | 0.30 | 0.38 | 0.26 | | 0.29 |
| EU AI Act | 0.26 | 0.25 | 0.40 | 0.30 | 0.27 | 0.20 | 0.31 | 0.27 | 0.30 | | 0.40 | 0.31 | | 0.27 |
| GDPR | 0.45 | 0.40 | 0.30 | 0.51 | 0.45 | 0.25 | 0.37 | 0.31 | 0.38 | 0.40 | | 0.44 | | 0.21 |
| NIST CSF | 0.46 | 0.36 | 0.33 | 0.48 | 0.47 | 0.31 | 0.39 | 0.35 | 0.26 | 0.31 | 0.44 | | | 0.18 |
| EU CRA | | | | | | | | | | | | | | |
| TIBER-EU | 0.19 | 0.14 | 0.29 | 0.19 | 0.22 | 0.11 | 0.21 | 0.17 | 0.29 | 0.27 | 0.21 | 0.18 | | |
DORA ↔ GDPR — 32 shared techniques
| Control A | Control B | Shared | Examples |
|---|---|---|---|
| Art. 11 Response and recovery | Art. 32 GDPR-Art32__Q2.2026 | 13 | T1078, T1133, T1547, T1068 |
| Art. 17 ICT-related incident management process | Art. 32 GDPR-Art32__Q2.2026 | 12 | T1078, T1133, T1059, T1068 |
| Art. 10 DORA-Art10__Q2.2026 | Art. 32 GDPR-Art32__Q2.2026 | 11 | T1078, T1059, T1068, T1027 |
| Art. 24 DORA-Art24__Q2.2026 | Art. 32 GDPR-Art32__Q2.2026 | 11 | T1133, T1078, T1059, T1068 |
| Art. 7 DORA-Art7__Q2.2026 | Art. 34 Communication of a personal data breach to the … | 11 | T1190, T1068, T1003.001, T1083 |
| Art. 11 Response and recovery | Art. 33 Notification of a personal data breach to the s… | 10 | T1133, T1547, T1068, T1027 |
| Art. 11 Response and recovery | Art. 35 Data protection impact assessment | 10 | T1547, T1068, T1027, T1003 |
| Art. 17 ICT-related incident management process | Art. 33 Notification of a personal data breach to the s… | 10 | T1133, T1068, T1027, T1070 |
| Art. 28 General principles for ICT third-party risk | Art. 32 GDPR-Art32__Q2.2026 | 10 | T1133, T1078, T1068, T1003 |
| Art. 9 DORA-Art9__Q2.2026 | Art. 25 Data protection by design and by default | 10 | T1003, T1005, T1012, T1016 |
| Art. 10 DORA-Art10__Q2.2026 | Art. 33 Notification of a personal data breach to the s… | 9 | T1068, T1070, T1027, T1003 |
| Art. 10 DORA-Art10__Q2.2026 | Art. 35 Data protection impact assessment | 9 | T1068, T1027, T1003, T1046 |
| Art. 13 Learning and evolving | Art. 32 GDPR-Art32__Q2.2026 | 9 | T1046, T1059, T1071, T1078 |
| Art. 17 ICT-related incident management process | Art. 35 Data protection impact assessment | 9 | T1068, T1027, T1003, T1046 |
| Art. 24 DORA-Art24__Q2.2026 | Art. 33 Notification of a personal data breach to the s… | 9 | T1133, T1190, T1068, T1003 |
| Art. 24 DORA-Art24__Q2.2026 | Art. 35 Data protection impact assessment | 9 | T1190, T1068, T1003, T1027 |
| Art. 25 Advanced testing of ICT tools, systems and proc… | Art. 32 GDPR-Art32__Q2.2026 | 9 | T1078, T1059, T1068, T1027 |
| Art. 25 Advanced testing of ICT tools, systems and proc… | Art. 5 Principles relating to processing of personal data | 9 | T1190, T1068, T1027, T1003 |
| Art. 28 General principles for ICT third-party risk | Art. 35 Data protection impact assessment | 9 | T1068, T1003, T1046, T1021 |
| Art. 6 DORA-Art6__Q2.2026 | Art. 32 GDPR-Art32__Q2.2026 | 9 | T1078, T1133, T1059, T1068 |
| Art. 11 Response and recovery | Art. 25 Data protection by design and by default | 8 | T1053, T1027, T1036, T1003 |
| Art. 12 Backup policies and recovery methods | Art. 25 Data protection by design and by default | 8 | T1003, T1005, T1011, T1016 |
| Art. 13 Learning and evolving | Art. 25 Data protection by design and by default | 8 | T1071, T1048, T1053, T1003 |
| Art. 25 Advanced testing of ICT tools, systems and proc… | Art. 35 Data protection impact assessment | 8 | T1190, T1068, T1027, T1003 |
| Art. 28 General principles for ICT third-party risk | Art. 33 Notification of a personal data breach to the s… | 8 | T1133, T1068, T1003, T1021 |
Showing top 25 of 84 control pairs.
Non-overlap: DORA techniques NOT covered by GDPR (28)
T1003.002, T1007, T1008, T1009, T1013, T1018, T1020, T1022, T1031, T1036.003, T1036.005, T1037, T1040, T1048.001, T1048.003, T1049, T1055, T1056, T1057, T1069, T1082, T1087, T1090, T1098, T1098.003, T1195, T1490, T1566.002
compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.