DORA Art. 10
Digital Operational Resilience Act (EU 2022/2554)
AL · Founder at SQUR · last verified 2026-06-19
Regulation text
DORA Article 10 — Detection: Financial entities must have in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure. All detection mechanisms shall be regularly tested in accordance with the DORA testing programme.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | 1. Detection mechanisms identify anomalous valid account usage, directly supporting Art. 10's requirement for detecting anomalous activities. 2. Unauthorized access via valid accounts requires prompt detection to mitigate incident impact. | 90% |
| T1059 | 1. Monitoring for unusual command and scripting interpreter activity is crucial for detecting malicious execution. 2. Art. 10 mandates prompt detection of ICT-related incidents, which often involve command execution. | 85% |
| T1053 | 1. Detection of newly created or modified scheduled tasks identifies persistence mechanisms. 2. Art. 10 requires mechanisms to promptly detect anomalous activities, including unauthorized persistence. | 80% |
| T1068 | 1. Prompt detection of exploitation attempts for privilege escalation is essential for incident response. 2. Art. 10 mandates detection of ICT-related incidents, with privilege escalation being a critical phase. | 90% |
| T1070 | 1. Detection of indicator removal, such as log clearing, is vital for identifying defense evasion. 2. Art. 10 requires mechanisms to promptly detect anomalous activities, including attempts to hide malicious actions. | 85% |
| T1027 | 1. Detection of obfuscated files or information helps identify hidden malicious payloads. 2. Art. 10's focus on detecting anomalous activities includes identifying sophisticated defense evasion techniques. | 80% |
| T1003 | 1. Prompt detection of OS credential dumping attempts is critical for preventing further compromise. 2. Art. 10 mandates detection of ICT-related incidents, where credential access is a key step. | 90% |
| T1087 | 1. Detection of account discovery activities identifies reconnaissance efforts by attackers. 2. Art. 10 requires mechanisms to promptly detect anomalous activities, including internal network enumeration. | 80% |
| T1046 | 1. Network service discovery detection identifies unauthorized scanning and mapping. 2. Art. 10's requirement for detecting anomalous activities includes unauthorized network reconnaissance. | 85% |
| T1018 | 1. Detection of remote system discovery identifies attempts to map the network topology. 2. Art. 10 mandates prompt detection of anomalous activities, including internal network mapping by adversaries. | 80% |
| T1021 | 1. Detection of unauthorized remote service usage identifies lateral movement. 2. Art. 10 requires mechanisms to promptly detect ICT-related incidents, including unauthorized access across systems. | 85% |
| T1005 | 1. Detection of unusual data access or staging on local systems identifies collection activities. 2. Art. 10 mandates prompt detection of anomalous activities, including data preparation for exfiltration. | 80% |
| T1071 | 1. Detection of anomalous application layer protocol usage identifies command and control communications. 2. Art. 10 requires mechanisms to promptly detect ICT-related incidents, including active C2 channels. | 90% |
| T1041 | 1. Prompt detection of data exfiltration over C2 channels is critical for data loss prevention. 2. Art. 10 mandates detection of ICT-related incidents, with data exfiltration being a severe outcome. | 90% |
| T1486 | 1. Detection of data encryption for impact, such as ransomware, is paramount for incident response. 2. Art. 10 requires prompt detection of ICT-related incidents to minimize business disruption. | 95% |
Defending mitigations · 5
| Mitigation | What it does | Confidence |
|---|---|---|
| M1047 | 1. Audit mechanisms are fundamental for detecting anomalous activities and ICT-related incidents. 2. Art. 10 mandates prompt detection, which relies heavily on comprehensive auditing capabilities. | 95% |
| M1031 | 1. Network intrusion prevention systems detect and block malicious network traffic. 2. Art. 10 requires mechanisms to promptly detect ICT network performance issues and incidents, which IPS addresses. | 90% |
| M1038 | 1. Continuous monitoring and analysis are core to promptly detecting anomalous activities and incidents. 2. Art. 10 explicitly mandates mechanisms for detection, making this mitigation central. | 95% |
| M1048 | 1. Network segmentation limits the scope of incidents and aids in detecting lateral movement. 2. Art. 10's focus on detecting ICT-related incidents benefits from reduced attack surface and improved visibility. | 85% |
| M1028 | 1. Secure operating system configurations reduce vulnerabilities that attackers exploit. 2. Art. 10's detection of anomalous activities is enhanced when systems are configured to prevent common attack vectors. | 80% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | 1. Failure to detect anomalous activities can lead to exposure of sensitive information. 2. Art. 10 aims to prevent such outcomes by mandating prompt detection of incidents. | 90% |
| CWE-269 | 1. Improper privilege management creates opportunities for privilege escalation, which detection mechanisms must identify. 2. Art. 10 requires detection of ICT-related incidents, including unauthorized privilege changes. | 85% |
| CWE-306 | 1. Missing authentication allows unauthorized access, necessitating detection of subsequent anomalous activities. 2. Art. 10 mandates prompt detection of ICT-related incidents stemming from such weaknesses. | 80% |
| CWE-732 | 1. Incorrect permission assignments enable unauthorized access or modification, requiring detection. 2. Art. 10's detection mechanisms must identify anomalous activities resulting from permission misconfigurations. | 85% |
| CWE-798 | 1. Hard-coded credentials simplify initial access, making robust detection of subsequent actions critical. 2. Art. 10 requires prompt detection of anomalous activities that exploit such weaknesses. | 80% |
| CWE-400 | 1. Uncontrolled resource consumption directly relates to ICT network performance issues. 2. Art. 10 explicitly requires detection of such performance issues as part of anomalous activities. | 90% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0121 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation