DORA Art. 11
Digital Operational Resilience Act (EU 2022/2554)
AL · Founder at SQUR · last verified 2026-06-19
Regulation text
Financial entities must put in place a comprehensive ICT business continuity policy, implemented through dedicated, appropriate, and documented arrangements, plans, procedures, and mechanisms. The policy aims to: ensure continuity of critical or important functions; respond to ICT-related incidents quickly, efficiently, and appropriately; activate dedicated ICT response and recovery plans; estimate impact, damage, and losses; quickly resume critical functions following disruption.
ATT&CK techniques that test this article's requirements · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | Compromised valid accounts enable unauthorized access, directly undermining the continuity of critical functions that Art. 11 mandates. | 90% |
| T1133 | Exploitation of external remote services provides initial access, disrupting critical functions and requiring the rapid incident response Art. 11 calls for. | 85% |
| T1547 | Persistence via autostart mechanisms hinders recovery efforts, conflicting with Art. 11's requirement for quick resumption of critical functions. | 80% |
| T1053 | Malicious scheduled tasks establish persistence, complicating incident response and delaying the resumption of critical functions addressed in Art. 11. | 80% |
| T1068 | Privilege escalation lets attackers cause severe disruption, directly impacting the continuity of critical functions and requiring the robust response plans Art. 11 demands. | 85% |
| T1027 | Obfuscation evades detection, delaying the incident response and recovery that Art. 11 requires to be quick and efficient. | 80% |
| T1036 | Masquerading hides malicious activity, complicating incident identification and response and thereby impeding the efficient response Art. 11 requires. | 75% |
| T1003 | Stolen credentials enable broader system compromise, directly threatening the continuity of critical functions and requiring the comprehensive response Art. 11 demands. | 85% |
| T1087 | Account discovery identifies targets for further attacks, increasing the risk of disruption to the critical functions whose continuity Art. 11 aims to ensure. | 70% |
| T1046 | Network service scanning identifies vulnerabilities for exploitation, leading to potential disruptions that Art. 11 requires financial entities to respond to. | 70% |
| T1021 | Lateral movement via remote services expands attack impact, complicating incident response and delaying the resumption of critical functions required by Art. 11. | 80% |
| T1005 | Collection of local data precedes exfiltration or destruction, directly impacting data integrity and requiring the recovery measures outlined in Art. 11. | 75% |
| T1071 | Command and control over application-layer protocols is hard to detect, hindering the incident response and recovery efforts Art. 11 mandates. | 75% |
| T1041 | Data exfiltration causes significant damage and loss, directly impacting the financial entity's ability to resume critical functions quickly, as Art. 11 requires. | 85% |
| T1486 | Ransomware directly disrupts continuity by encrypting data, necessitating the robust recovery plans and quick resumption of functions required under Art. 11. | 95% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1013 | MFA prevents unauthorized access to critical systems, directly supporting the continuity of critical functions that Art. 11 requires. | 90% |
| M1035 | Limiting access reduces the attack surface, helping contain ICT-related incidents and enabling the quicker recovery Art. 11 mandates. | 85% |
| M1040 | Network segmentation contains breaches, preventing widespread disruption and enabling efficient incident response and recovery of critical functions per Art. 11. | 85% |
| M1047 | Comprehensive auditing detects malicious activity, providing essential data for the quick, efficient incident response and impact estimation specified in Art. 11. | 90% |
| M1050 | Auditing privileges identifies misuse, supporting incident response and preventing disruption to critical functions, in line with Art. 11. | 80% |
| M1051 | Data backup is fundamental to quickly resuming critical functions after a disruption, a core requirement of Art. 11. | 95% |
| M1057 | Proactive vulnerability scanning identifies weaknesses before they are exploited, preventing ICT-related incidents and supporting the continuity of critical functions per Art. 11. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | Exposure of sensitive information can lead to data breaches, directly impairing the ability to ensure continuity and requiring the recovery measures under Art. 11. | 85% |
| CWE-287 | Improper authentication allows unauthorized access, directly threatening the continuity of critical functions and necessitating the robust response plans Art. 11 requires. | 90% |
| CWE-306 | Missing authentication for critical functions lets attackers bypass security controls, causing disruption and hindering the quick resumption of services Art. 11 mandates. | 85% |
| CWE-400 | Uncontrolled resource consumption can lead to denial of service, directly impacting the continuity of critical functions and requiring the efficient incident response under Art. 11. | 80% |
| CWE-502 | Deserialization vulnerabilities can lead to remote code execution, causing significant disruption and impeding the quick resumption of critical functions per Art. 11. | 75% |
| CWE-787 | Out-of-bounds writes can cause system crashes or arbitrary code execution, directly disrupting critical functions and requiring the recovery plans specified in Art. 11. | 75% |
| CWE-798 | Hard-coded credentials enable unauthorized access and persistence, undermining security and complicating the incident response and recovery efforts Art. 11 mandates. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0183 compute · voice-rubric self-validated