DORA Art. 12 · voice-validated
Digital Operational Resilience Act (EU 2022/2554)
AL · Founder at SQUR · last verified 2026-06-19
Regulation text
Financial entities must develop and document backup policies and procedures that specify the scope of data subject to backup and the minimum frequency of backups, based on the criticality of the information and the confidentiality level of the data. They must keep redundant ICT capacities equipped with resources, capabilities, and functions sufficient to ensure that business needs are met. They must run periodic checks of the integrity of backup data and carry out data restoration tests at least annually.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1003 | Attackers steal credentials to access backup systems. DORA Art. 12 mandates robust backup policies, ensuring data recovery even if access is compromised. | 80% |
| T1005 | Attackers collect sensitive data from local systems. DORA Art. 12 requires backups of critical information, ensuring data availability despite collection attempts. | 80% |
| T1007 | Attackers delete critical services. DORA Art. 12 mandates redundant ICT capacities and restoration tests, enabling rapid recovery of services. | 70% |
| T1011 | Attackers exfiltrate data over network mediums. DORA Art. 12 requires comprehensive backup policies, ensuring data availability and integrity even after exfiltration. | 80% |
| T1016 | Attackers discover network configurations, potentially identifying backup infrastructure. DORA Art. 12 implies securing backup systems through policy and redundancy. | 60% |
| T1018 | Attackers discover remote systems, including backup servers. DORA Art. 12 requires robust backup policies and redundant capacities, protecting against compromise. | 60% |
| T1021 | Attackers use remote services to compromise backup systems. DORA Art. 12 mandates integrity checks and restoration tests, ensuring backup reliability despite attacks. | 70% |
| T1027 | Attackers obfuscate malicious files, hindering detection. DORA Art. 12 requires periodic integrity checks of backup data, ensuring clean restoration points. | 70% |
| T1031 | Attackers modify existing services, potentially disrupting backup processes. DORA Art. 12 mandates redundant capacities and restoration tests for service recovery. | 70% |
| T1039 | Attackers collect data from network shared drives, potentially including backup shares. DORA Art. 12 requires defining backup scope and integrity checks. | 70% |
| T1041 | Attackers exfiltrate data over C2 channels. DORA Art. 12 requires comprehensive backup policies, ensuring data availability and integrity even after exfiltration. | 80% |
| T1048 | Attackers exfiltrate data using alternative protocols. DORA Art. 12 requires comprehensive backup policies, ensuring data availability and integrity even after exfiltration. | 80% |
| T1070.004 | Attackers delete files to remove traces or cause damage. DORA Art. 12 mandates robust backup policies and restoration tests, enabling data recovery. | 90% |
| T1083 | Attackers discover files and directories to target critical data. DORA Art. 12 requires defining the scope of data subject to backup based on criticality. | 70% |
| T1022 | Attackers encrypt data for defense evasion or impact. DORA Art. 12 mandates robust backup and restoration capabilities, enabling recovery from encryption. | 80% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1052 | DORA Art. 12 explicitly requires financial entities to "develop and document backup policies and procedures" and "keep redundant ICT capacities." | 100% |
| M1054 | DORA Art. 12 explicitly requires entities to "run periodic checks of integrity of backup data." | 100% |
| M1055 | DORA Art. 12 explicitly requires entities to "apply data restoration tests at least annually." | 100% |
| M1017 | Network segmentation isolates backup infrastructure, protecting the redundant capacities mandated by DORA Art. 12 from unauthorized access. | 90% |
| M1019 | Privileged account management secures access to backup systems, protecting the integrity and availability of data required by DORA Art. 12. | 90% |
| M1053 | Data encryption protects the confidentiality and integrity of backup data, aligning with DORA Art. 12's focus on critical information and confidentiality. | 90% |
| M1050 | Auditing monitors backup activities and access, ensuring compliance with DORA Art. 12's policies and procedures for data integrity and restoration. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | Exposure of sensitive backup data undermines DORA Art. 12's requirement for confidentiality of critical information. | 90% |
| CWE-284 | Improper access control allows unauthorized manipulation of backups, directly violating DORA Art. 12's integrity and restoration requirements. | 90% |
| CWE-311 | Missing encryption for sensitive backup data compromises confidentiality, directly conflicting with DORA Art. 12's focus on critical information. | 90% |
| CWE-345 | Insufficient verification of data authenticity directly undermines DORA Art. 12's mandate for "periodic checks of integrity of backup data." | 90% |
| CWE-732 | Incorrect permissions allow unauthorized modification or deletion of backup files, directly impacting the availability and integrity required by DORA Art. 12. | 80% |
| CWE-798 | Hard-coded credentials compromise backup system access, undermining the security measures implied by DORA Art. 12 for data protection. | 80% |
| CWE-862 | Missing authorization allows unauthorized actions on backup systems, directly jeopardizing the integrity and availability mandated by DORA Art. 12. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0184 compute · voice-rubric self-validated