DORA Art. 17
Digital Operational Resilience Act (EU 2022/2554)
AL · Founder at SQUR · last verified 2026-06-19
Regulation text
Financial entities must establish, document, and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents. They must record all ICT-related incidents and significant cyber threats. They must establish appropriate procedures and processes to ensure consistent and integrated monitoring, handling, and follow-up of ICT-related incidents, including identification of root causes for documentation and remediation. They must establish early warning indicators as alerts.
ATT&CK techniques this article covers · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | Incident management processes detect unauthorized use of valid accounts, a common initial access vector. Art. 17 mandates detection of ICT-related incidents. | 100% |
| T1133 | Monitoring external remote services for anomalous activity is crucial for detecting initial access attempts. Art. 17 requires incident detection. | 90% |
| T1059 | Detection of command and scripting interpreter misuse is vital for identifying malicious execution during an incident. Art. 17 mandates incident detection. | 90% |
| T1053 | Incident management must identify and remediate scheduled tasks used for persistence. Art. 17 requires incident handling and follow-up. | 90% |
| T1068 | Exploitation for privilege escalation represents a critical ICT-related incident requiring immediate detection and management. Art. 17 mandates incident detection and management. | 100% |
| T1027 | Incident response teams analyze obfuscated files to understand defense evasion techniques and improve detection capabilities. Art. 17 requires root cause identification. | 80% |
| T1070 | Robust logging and forensic capabilities are necessary to detect and recover indicators removed by attackers. Art. 17 mandates recording and follow-up. | 90% |
| T1003 | Detection of OS credential dumping is a high-priority incident, requiring rapid response to prevent further compromise. Art. 17 mandates incident detection and management. | 100% |
| T1087 | Monitoring for unusual account discovery activities helps identify reconnaissance phases of an attack. Art. 17 requires early warning indicators. | 90% |
| T1046 | Detection of network service discovery activities indicates potential reconnaissance or lateral movement. Art. 17 requires early warning indicators. | 80% |
| T1021 | Unauthorized use of remote services for lateral movement must be detected and contained as part of incident management. Art. 17 mandates incident handling. | 90% |
| T1005 | Detection of unauthorized data collection from local systems is a key indicator of an ongoing incident. Art. 17 mandates incident detection. | 100% |
| T1071 | Monitoring application layer protocol traffic for anomalies helps detect command and control communications. Art. 17 requires consistent monitoring. | 80% |
| T1041 | Exfiltration over C2 channels is a critical incident requiring immediate detection and response to prevent data loss. Art. 17 mandates incident detection and management. | 100% |
| T1486 | Rapid detection and management of data encryption for impact (e.g., ransomware) is crucial for business continuity. Art. 17 mandates incident management. | 100% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1013 | Incident response processes are the direct implementation of DORA Art. 17's requirements for detecting, managing, and notifying ICT-related incidents. | 100% |
| M1015 | Secure software configurations reduce vulnerabilities that attackers exploit, thereby preventing incidents and aiding detection. Art. 17 requires incident prevention implicitly. | 90% |
| M1017 | Effective user account management prevents unauthorized access and misuse, reducing the attack surface for many techniques. Art. 17 mandates incident management. | 90% |
| M1025 | Restricting software execution limits the ability of attackers to run malicious code, reducing the impact and scope of incidents. Art. 17 requires incident management. | 80% |
| M1031 | Network segmentation limits lateral movement and contains incidents, reducing their overall impact and facilitating management. Art. 17 mandates incident management. | 90% |
| M1047 | Comprehensive auditing and logging are fundamental for detecting, recording, analyzing, and identifying root causes of ICT-related incidents. Art. 17 explicitly requires recording and root cause analysis. | 100% |
| M1051 | Data backups are essential for recovery and remediation following incidents that cause data loss or corruption, as required by Art. 17's follow-up. | 100% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | Exposure of sensitive information is a direct outcome of many ICT-related incidents, requiring robust detection and management processes. Art. 17 mandates incident detection. | 100% |
| CWE-287 | Improper authentication allows unauthorized access, leading to incidents that must be detected and managed according to Art. 17. | 90% |
| CWE-269 | Improper privilege management enables attackers to escalate privileges, creating critical incidents that require detection and remediation. Art. 17 mandates incident management. | 90% |
| CWE-787 | Out-of-bounds write vulnerabilities are frequently exploited for code execution, leading to incidents that must be detected and analyzed. Art. 17 requires root cause identification. | 80% |
| CWE-668 | Exposure of resources to the wrong sphere can facilitate unauthorized access and lateral movement, necessitating early warning and detection. Art. 17 requires early warning indicators. | 80% |
| CWE-798 | Hard-coded credentials provide easy access for attackers, leading to incidents that incident management processes must detect. Art. 17 mandates incident detection. | 90% |
| CWE-117 | Improper output neutralization for logs can obscure incident details, hindering effective recording, monitoring, and root cause analysis. Art. 17 requires recording and root cause identification. | 70% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0188 compute · voice-rubric self-validated