Framework crosswalk
14 frameworks, 127 controls
14 compliance frameworks mapped to ATT&CK. Authored by Adam Lundqvist.
Cells coloured by Jaccard similarity of technique sets.
| | DORA | ISO 27001 | PCI DSS v4 | CIS v8 | NIS2 | OWASP API Top 10 | OWASP LLM Top 10 | OWASP Top 10 | ISO 27701 | EU AI Act | GDPR | NIST CSF | EU CRA | TIBER-EU |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DORA | | 0.40 | 0.36 | 0.48 | 0.54 | 0.23 | 0.31 | 0.33 | 0.29 | 0.26 | 0.45 | 0.46 | | 0.19 |
| ISO 27001 | 0.40 | | 0.33 | 0.53 | 0.44 | 0.30 | 0.29 | 0.34 | 0.28 | 0.25 | 0.40 | 0.36 | | 0.14 |
| PCI DSS v4 | 0.36 | 0.33 | | 0.41 | 0.41 | 0.33 | 0.35 | 0.33 | 0.39 | 0.40 | 0.30 | 0.33 | | 0.29 |
| CIS v8 | 0.48 | 0.53 | 0.41 | | 0.54 | 0.33 | 0.33 | 0.39 | 0.29 | 0.30 | 0.51 | 0.48 | | 0.19 |
| NIS2 | 0.54 | 0.44 | 0.41 | 0.54 | | 0.33 | 0.36 | 0.32 | 0.32 | 0.27 | 0.45 | 0.47 | | 0.22 |
| OWASP API Top 10 | 0.23 | 0.30 | 0.33 | 0.33 | 0.33 | | 0.36 | 0.35 | 0.26 | 0.20 | 0.25 | 0.31 | | 0.11 |
| OWASP LLM Top 10 | 0.31 | 0.29 | 0.35 | 0.33 | 0.36 | 0.36 | | 0.39 | 0.39 | 0.31 | 0.37 | 0.39 | | 0.21 |
| OWASP Top 10 | 0.33 | 0.34 | 0.33 | 0.39 | 0.32 | 0.35 | 0.39 | | 0.28 | 0.27 | 0.31 | 0.35 | | 0.17 |
| ISO 27701 | 0.29 | 0.28 | 0.39 | 0.29 | 0.32 | 0.26 | 0.39 | 0.28 | | 0.30 | 0.38 | 0.26 | | 0.29 |
| EU AI Act | 0.26 | 0.25 | 0.40 | 0.30 | 0.27 | 0.20 | 0.31 | 0.27 | 0.30 | | 0.40 | 0.31 | | 0.27 |
| GDPR | 0.45 | 0.40 | 0.30 | 0.51 | 0.45 | 0.25 | 0.37 | 0.31 | 0.38 | 0.40 | | 0.44 | | 0.21 |
| NIST CSF | 0.46 | 0.36 | 0.33 | 0.48 | 0.47 | 0.31 | 0.39 | 0.35 | 0.26 | 0.31 | 0.44 | | | 0.18 |
| EU CRA | | | | | | | | | | | | | | |
| TIBER-EU | 0.19 | 0.14 | 0.29 | 0.19 | 0.22 | 0.11 | 0.21 | 0.17 | 0.29 | 0.27 | 0.21 | 0.18 | | |
NIST CSF ↔ GDPR — 31 shared techniques
| Control A | Control B | Shared | Examples |
|---|---|---|---|
| RESPOND RESPOND (RS) — Take action regarding a detected… | Art. 34 Communication of a personal data breach to the … | 12 | T1190, T1068, T1070.004, T1003.001 |
| PROTECT PROTECT (PR) — Use safeguards to manage cyberse… | Art. 33 Notification of a personal data breach to the s… | 11 | T1190, T1566, T1547, T1068 |
| PROTECT PROTECT (PR) — Use safeguards to manage cyberse… | Art. 35 Data protection impact assessment | 11 | T1190, T1566, T1547, T1068 |
| PROTECT PROTECT (PR) — Use safeguards to manage cyberse… | Art. 32 GDPR-Art32__Q2.2026 | 10 | T1059, T1547, T1068, T1027 |
| RESPOND RESPOND (RS) — Take action regarding a detected… | Art. 5 Principles relating to processing of personal data | 9 | T1190, T1053.005, T1068, T1087.001 |
| GOVERN GOVERN (GV) — Establish and monitor the cyberse… | Art. 32 GDPR-Art32__Q2.2026 | 8 | T1078, T1133, T1068, T1027 |
| GOVERN GOVERN (GV) — Establish and monitor the cyberse… | Art. 5 Principles relating to processing of personal data | 7 | T1053.005, T1068, T1027, T1003 |
| IDENTIFY IDENTIFY (ID) — Understand organisational cyber… | Art. 32 GDPR-Art32__Q2.2026 | 7 | T1046, T1083, T1003, T1036 |
| IDENTIFY IDENTIFY (ID) — Understand organisational cyber… | Art. 35 Data protection impact assessment | 7 | T1046, T1083, T1003, T1190 |
| GOVERN GOVERN (GV) — Establish and monitor the cyberse… | Art. 33 Notification of a personal data breach to the s… | 6 | T1133, T1068, T1027, T1003 |
| GOVERN GOVERN (GV) — Establish and monitor the cyberse… | Art. 34 Communication of a personal data breach to the … | 6 | T1547.001, T1068, T1070.004, T1021.001 |
| GOVERN GOVERN (GV) — Establish and monitor the cyberse… | Art. 35 Data protection impact assessment | 6 | T1068, T1027, T1003, T1046 |
| IDENTIFY IDENTIFY (ID) — Understand organisational cyber… | Art. 25 Data protection by design and by default | 6 | T1033, T1003, T1036, T1053 |
| IDENTIFY IDENTIFY (ID) — Understand organisational cyber… | Art. 33 Notification of a personal data breach to the s… | 6 | T1083, T1003, T1190, T1021 |
| PROTECT PROTECT (PR) — Use safeguards to manage cyberse… | Art. 5 Principles relating to processing of personal data | 6 | T1190, T1068, T1027, T1003 |
| RECOVER RECOVER (RC) — Restore assets and operations af… | Art. 5 Principles relating to processing of personal data | 6 | T1485, T1562.001, T1005, T1041 |
| PROTECT PROTECT (PR) — Use safeguards to manage cyberse… | Art. 25 Data protection by design and by default | 5 | T1027, T1003, T1021, T1005 |
| RESPOND RESPOND (RS) — Take action regarding a detected… | Art. 33 Notification of a personal data breach to the s… | 5 | T1190, T1068, T1005, T1041 |
| RESPOND RESPOND (RS) — Take action regarding a detected… | Art. 35 Data protection impact assessment | 5 | T1190, T1068, T1005, T1041 |
| GOVERN GOVERN (GV) — Establish and monitor the cyberse… | Art. 25 Data protection by design and by default | 4 | T1027, T1003, T1005, T1041 |
| IDENTIFY IDENTIFY (ID) — Understand organisational cyber… | Art. 34 Communication of a personal data breach to the … | 4 | T1083, T1190, T1005, T1486 |
| IDENTIFY IDENTIFY (ID) — Understand organisational cyber… | Art. 5 Principles relating to processing of personal data | 4 | T1003, T1190, T1005, T1486 |
| PROTECT PROTECT (PR) — Use safeguards to manage cyberse… | Art. 34 Communication of a personal data breach to the … | 4 | T1190, T1068, T1005, T1486 |
| RESPOND RESPOND (RS) — Take action regarding a detected… | Art. 32 GDPR-Art32__Q2.2026 | 4 | T1068, T1005, T1041, T1486 |
| DETECT DETECT (DE) — Find and analyse possible cyberse… | Art. 34 Communication of a personal data breach to the … | 3 | T1003.001, T1021.001, T1005 |
Showing top 25 of 36 control pairs.
Non-overlap — NIST CSF techniques NOT covered by GDPR (27):
T1004, T1009, T1011.001, T1014, T1015, T1018, T1035, T1036.003, T1037.001, T1038, T1048.003, T1049, T1055, T1056, T1087, T1098, T1195, T1490, T1491, T1498, T1529, T1531, T1552.001, T1561.001, T1561.002, T1565.001, T1595
compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.