DORA Art. 14
Digital Operational Resilience Act (EU 2022/2554)
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
Financial entities must implement communication policies for clients, counterparts and the public regarding ICT-related incidents or vulnerabilities. The policies must distinguish between staff communications, the public, clients, counterparts and other financial entities, and competent authorities. They must designate at least one person in charge of implementing the communication strategy.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1566 | 1. Attackers conduct phishing to obtain sensitive information. 2. Weak or absent communication policies (DORA Art. 14) increase the success rate of social engineering by making it difficult for recipients to distinguish legitimate from malicious communications. | 90% |
| T1566.001 | 1. Spearphishing with malicious attachments relies on convincing recipients. 2. Undefined communication channels and protocols (DORA Art. 14) make it harder for employees to identify suspicious attachments, increasing the risk of initial access. | 80% |
| T1566.002 | 1. Spearphishing with malicious links exploits trust. 2. Lack of clear communication policies (DORA Art. 14) regarding official links and warnings about external links facilitates successful credential harvesting or malware delivery. | 80% |
| T1098 | 1. Account manipulation involves unauthorized changes to user accounts. 2. Poorly defined communication policies (DORA Art. 14) can lead to unauthorized personnel making changes or attackers exploiting communication channels to facilitate account takeover. | 70% |
| T1098.003 | 1. Attackers create mail forwarding rules to intercept communications. 2. Absence of clear communication policies (DORA Art. 14) and monitoring for unauthorized email redirection allows attackers to covertly collect information. | 70% |
| T1071.001 | 1. Attackers use web protocols for command and control or data exfiltration. 2. Inadequate communication policies (DORA Art. 14) during an incident can delay detection and response to such covert web-based activities. | 60% |
| T1078 | 1. Valid accounts enable attackers to operate undetected. 2. If communication policies (DORA Art. 14) lack strict access controls or clear roles for communication, compromised valid accounts can be used to send unauthorized messages. | 70% |
| T1040 | 1. Network sniffing captures network traffic. 2. A lack of clear communication policies (DORA Art. 14) for secure channels can lead to sensitive information being transmitted over unencrypted networks, making it vulnerable to sniffing. | 60% |
| T1020 | 1. Automated exfiltration involves data transfer over C2 channels. 2. Inadequate communication policies (DORA Art. 14) during incident response can delay the identification and blocking of exfiltration channels, allowing data loss. | 60% |
| T1041 | 1. Exfiltration over C2 channel involves data transfer via established C2. 2. Poor communication policies (DORA Art. 14) can hinder rapid incident response, prolonging the window for attackers to exfiltrate data through covert channels. | 60% |
| T1048 | 1. Exfiltration over alternative physical medium involves data transfer via non-network means. 2. Lack of clear communication policies (DORA Art. 14) regarding incident reporting and physical security can allow unauthorized data removal. | 70% |
| T1048.003 | 1. Exfiltration over alternative protocol involves data transfer via non-standard protocols. 2. Inadequate communication policies (DORA Art. 14) for incident detection and response can delay identifying and stopping such covert exfiltration. | 70% |
| T1003 | 1. Credential dumping extracts credentials from memory or storage. 2. While not directly related to communication policies, a failure in incident communication (DORA Art. 14) can delay response, allowing attackers more time to dump credentials. | 50% |
| T1083 | 1. File and directory discovery identifies valuable data. 2. Inadequate communication policies (DORA Art. 14) for data classification and handling can lead to sensitive information being stored in easily discoverable locations. | 60% |
| T1018 | 1. Remote system discovery identifies accessible systems. 2. Poor internal communication policies (DORA Art. 14) about network architecture or system ownership can inadvertently aid attackers in mapping the network. | 50% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1031 | 1. Incident response plans define communication protocols. 2. DORA Art. 14 mandates communication policies for incidents, directly aligning with the need for structured incident response to manage information flow. | 90% |
| M1047 | 1. Audit logging captures system events. 2. Effective communication policies (DORA Art. 14) rely on monitoring for unauthorized communication attempts or policy breaches, which audit logs can help detect. | 80% |
| M1035 | 1. User training educates employees on security practices. 2. DORA Art. 14 requires clear communication policies; training ensures staff understand and adhere to these policies, reducing social engineering success. | 80% |
| M1017 | 1. User account management controls account creation and privileges. 2. DORA Art. 14's requirement for designated communication personnel necessitates robust account management to prevent unauthorized communication. | 70% |
| M1028 | 1. Operating system configuration hardens systems. 2. Secure configuration of communication platforms, guided by DORA Art. 14 policies, prevents attackers from exploiting misconfigurations for unauthorized communications. | 70% |
| M1032 | 1. Multi-factor authentication adds security layers. 2. Protecting accounts of designated communication personnel (DORA Art. 14) with MFA prevents unauthorized access and subsequent misuse of official communication channels. | 70% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | 1. Information exposure occurs when sensitive data is disclosed. 2. DORA Art. 14 directly addresses this by requiring policies to manage communication of ICT-related incidents and vulnerabilities, preventing inappropriate disclosure. | 90% |
| CWE-532 | 1. Information exposure through log files can reveal sensitive data. 2. DORA Art. 14's emphasis on controlled communication extends to how incident details are logged and shared, preventing unintended exposure. | 80% |
| CWE-798 | 1. Use of hard-coded credentials bypasses proper authentication. 2. While not directly about communication, weak security practices like this can compromise accounts, leading to unauthorized communications, which DORA Art. 14 aims to prevent. | 70% |
| CWE-284 | 1. Improper access control allows unauthorized actions. 2. DORA Art. 14 mandates designating a person for communication, implying strict access control over who can issue official statements during incidents. | 80% |
| CWE-668 | 1. Exposure of resource to wrong sphere occurs when data is accessible to unintended parties. 2. DORA Art. 14 explicitly requires distinguishing communication audiences, directly mitigating this weakness by controlling information flow. | 70% |
| CWE-1007 | 1. Insufficient logging of errors or events hinders incident analysis. 2. Effective communication policies (DORA Art. 14) for incidents rely on comprehensive logging to understand events before communicating them, preventing miscommunication. | 70% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0196 compute · voice-rubric self-validated