14 frameworks127 controls
CROSSWALKFramework crosswalk
14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.
Cells coloured by Jaccard similarity of technique sets.
01
| DORA | ISO 27001 | PCI DSS v4 | CIS v8 | NIS2 | OWASP API Top 10 | OWASP LLM Top 10 | OWASP Top 10 | ISO 27701 | EU AI Act | GDPR | NIST CSF | EU CRA | TIBER-EU | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DORA | 0.40 | 0.36 | 0.48 | 0.54 | 0.23 | 0.31 | 0.33 | 0.29 | 0.26 | 0.45 | 0.46 | 0.19 | ||
| ISO 27001 | 0.40 | 0.33 | 0.53 | 0.44 | 0.30 | 0.29 | 0.34 | 0.28 | 0.25 | 0.40 | 0.36 | 0.14 | ||
| PCI DSS v4 | 0.36 | 0.33 | 0.41 | 0.41 | 0.33 | 0.35 | 0.33 | 0.39 | 0.40 | 0.30 | 0.33 | 0.29 | ||
| CIS v8 | 0.48 | 0.53 | 0.41 | 0.54 | 0.33 | 0.33 | 0.39 | 0.29 | 0.30 | 0.51 | 0.48 | 0.19 | ||
| NIS2 | 0.54 | 0.44 | 0.41 | 0.54 | 0.33 | 0.36 | 0.32 | 0.32 | 0.27 | 0.45 | 0.47 | 0.22 | ||
| OWASP API Top 10 | 0.23 | 0.30 | 0.33 | 0.33 | 0.33 | 0.36 | 0.35 | 0.26 | 0.20 | 0.25 | 0.31 | 0.11 | ||
| OWASP LLM Top 10 | 0.31 | 0.29 | 0.35 | 0.33 | 0.36 | 0.36 | 0.39 | 0.39 | 0.31 | 0.37 | 0.39 | 0.21 | ||
| OWASP Top 10 | 0.33 | 0.34 | 0.33 | 0.39 | 0.32 | 0.35 | 0.39 | 0.28 | 0.27 | 0.31 | 0.35 | 0.17 | ||
| ISO 27701 | 0.29 | 0.28 | 0.39 | 0.29 | 0.32 | 0.26 | 0.39 | 0.28 | 0.30 | 0.38 | 0.26 | 0.29 | ||
| EU AI Act | 0.26 | 0.25 | 0.40 | 0.30 | 0.27 | 0.20 | 0.31 | 0.27 | 0.30 | 0.40 | 0.31 | 0.27 | ||
| GDPR | 0.45 | 0.40 | 0.30 | 0.51 | 0.45 | 0.25 | 0.37 | 0.31 | 0.38 | 0.40 | 0.44 | 0.21 | ||
| NIST CSF | 0.46 | 0.36 | 0.33 | 0.48 | 0.47 | 0.31 | 0.39 | 0.35 | 0.26 | 0.31 | 0.44 | 0.18 | ||
| EU CRA | ||||||||||||||
| TIBER-EU | 0.19 | 0.14 | 0.29 | 0.19 | 0.22 | 0.11 | 0.21 | 0.17 | 0.29 | 0.27 | 0.21 | 0.18 |
GDPR ↔ PCI DSS v4 — 19 shared techniques
Clear ✕| Control A | Control B | Shared | Examples |
|---|---|---|---|
| Art. 33 Notification of a personal data breach to the s… | Requirement 3 Protect Stored Account Data | 10 | T1190, T1566, T1068, T1027 |
| Art. 35 Data protection impact assessment | Requirement 11 Test Security of Systems and Networks Regularly | 10 | T1190, T1547, T1068, T1003 |
| Art. 35 Data protection impact assessment | Requirement 3 Protect Stored Account Data | 10 | T1190, T1566, T1068, T1027 |
| Art. 32 GDPR-Art32__Q2.2026 | Requirement 11 Test Security of Systems and Networks Regularly | 9 | T1547, T1068, T1003, T1083 |
| Art. 32 GDPR-Art32__Q2.2026 | Requirement 4 Protect Cardholder Data with Strong Cryptograph… | 9 | T1078, T1133, T1068, T1003 |
| Art. 33 Notification of a personal data breach to the s… | Requirement 11 Test Security of Systems and Networks Regularly | 9 | T1190, T1547, T1068, T1003 |
| Art. 33 Notification of a personal data breach to the s… | Requirement 4 Protect Cardholder Data with Strong Cryptograph… | 9 | T1133, T1190, T1566, T1068 |
| Art. 35 Data protection impact assessment | Requirement 4 Protect Cardholder Data with Strong Cryptograph… | 9 | T1190, T1566, T1068, T1003 |
| Art. 34 Communication of a personal data breach to the … | Requirement 3 Protect Stored Account Data | 8 | T1190, T1547.001, T1068, T1070.004 |
| Art. 5 Principles relating to processing of personal data | Requirement 3 Protect Stored Account Data | 8 | T1190, T1068, T1027, T1003 |
| Art. 32 GDPR-Art32__Q2.2026 | Requirement 10 Log and Monitor All Access to System Components… | 7 | T1078, T1003, T1021, T1005 |
| Art. 32 GDPR-Art32__Q2.2026 | Requirement 3 Protect Stored Account Data | 7 | T1068, T1027, T1003, T1083 |
| Art. 33 Notification of a personal data breach to the s… | Requirement 10 Log and Monitor All Access to System Components… | 7 | T1190, T1003, T1021, T1005 |
| Art. 35 Data protection impact assessment | Requirement 10 Log and Monitor All Access to System Components… | 7 | T1190, T1003, T1021, T1005 |
| Art. 25 Data protection by design and by default | Requirement 10 Log and Monitor All Access to System Components… | 5 | T1003, T1005, T1021, T1041 |
| Art. 25 Data protection by design and by default | Requirement 11 Test Security of Systems and Networks Regularly | 5 | T1003, T1005, T1021, T1041 |
| Art. 25 Data protection by design and by default | Requirement 4 Protect Cardholder Data with Strong Cryptograph… | 5 | T1003, T1005, T1021, T1041 |
| Art. 32 GDPR-Art32__Q2.2026 | Requirement 8 Identify Users and Authenticate Access to Syste… | 5 | T1078, T1133, T1003, T1021 |
| Art. 34 Communication of a personal data breach to the … | Requirement 11 Test Security of Systems and Networks Regularly | 5 | T1190, T1068, T1083, T1005 |
| Art. 5 Principles relating to processing of personal data | Requirement 10 Log and Monitor All Access to System Components… | 5 | T1190, T1003, T1005, T1041 |
| Art. 5 Principles relating to processing of personal data | Requirement 11 Test Security of Systems and Networks Regularly | 5 | T1190, T1068, T1003, T1005 |
| Art. 5 Principles relating to processing of personal data | Requirement 4 Protect Cardholder Data with Strong Cryptograph… | 5 | T1190, T1068, T1003, T1005 |
| Art. 25 Data protection by design and by default | Requirement 3 Protect Stored Account Data | 4 | T1003, T1005, T1027, T1041 |
| Art. 33 Notification of a personal data breach to the s… | Requirement 8 Identify Users and Authenticate Access to Syste… | 4 | T1133, T1003, T1021, T1071 |
| Art. 34 Communication of a personal data breach to the … | Requirement 10 Log and Monitor All Access to System Components… | 4 | T1190, T1005, T1041, T1486 |
Showing top 25 of 29 control pairs.
Show non-overlap — GDPR techniques NOT covered by PCI DSS v4 (24)
T1001, T1003.001, T1003.003, T1011, T1012, T1016, T1021.001, T1027.002, T1033, T1036, T1047, T1048, T1053, T1053.005, T1059, T1059.003, T1070, T1071.001, T1074, T1087.001, T1136.001, T1530, T1562.001, T1566.001
compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.