DORA Art. 24
Digital Operational Resilience Act (EU 2022/2554)
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
DORA Article 24 — Annual Penetration Testing: Financial entities must conduct, at least annually, comprehensive, independent penetration testing of ICT systems. Testing must cover all critical ICT systems and supporting infrastructure; be conducted by qualified, independent testers; include realistic attack scenarios targeting authentication, authorisation, and data-flow paths; produce documented findings with proof-of-concept exploits where applicable; and drive remediation tracked with timelines proportionate to severity.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1133 | Penetration testing often begins with external remote services. Art. 24 mandates comprehensive testing of ICT systems, including external interfaces, to identify initial access vectors. | 90% |
| T1190 | Exploiting public-facing applications is a primary initial access technique simulated in penetration tests. Art. 24 requires realistic attack scenarios to uncover such vulnerabilities. | 90% |
| T1078 | Pen testers frequently attempt to use valid accounts, including default or compromised credentials, to gain initial access or escalate privileges. Art. 24's focus on authentication paths directly addresses this. | 80% |
| T1059 | Command and scripting interpreters are used by attackers post-compromise for execution. Art. 24's realistic attack scenarios include simulating such post-exploitation activities within critical ICT systems. | 85% |
| T1053 | Establishing persistence via scheduled tasks is a common objective for attackers. Art. 24 requires testing to identify how an attacker might maintain access to critical systems. | 75% |
| T1068 | Exploitation for privilege escalation is a core component of realistic attack scenarios. Art. 24 explicitly targets authorisation paths, making this technique central to testing. | 90% |
| T1003 | OS credential dumping is a critical step for attackers to gain further access. Art. 24's testing of authentication and authorisation paths includes identifying such vulnerabilities. | 85% |
| T1027 | Obfuscation techniques are used by attackers to evade detection. Art. 24's comprehensive testing aims to identify whether security controls can detect such evasive actions within ICT systems. | 70% |
| T1056 | Input capture, such as keylogging, is a method for credential access. Art. 24's focus on authentication paths requires testing for vulnerabilities that could allow such techniques. | 70% |
| T1046 | Network service discovery is essential for attackers to map the environment and plan lateral movement. Art. 24's comprehensive testing includes discovery of critical ICT systems and infrastructure. | 80% |
| T1087 | Account discovery helps attackers identify targets for privilege escalation or lateral movement. Art. 24's testing of authorisation paths includes assessing the exposure of account information. | 80% |
| T1021 | Remote services are frequently used for lateral movement within a network. Art. 24's realistic attack scenarios include simulating movement across critical ICT systems and supporting infrastructure. | 85% |
| T1005 | Collection of data from local systems is a common attacker objective. Art. 24's testing of data-flow paths includes assessing the ability to exfiltrate sensitive information. | 80% |
| T1041 | Exfiltration over C2 channels is a primary method for data theft. Art. 24's testing of data-flow paths aims to identify vulnerabilities that could lead to unauthorised data egress. | 85% |
| T1486 | Data encryption for impact, such as ransomware, represents a significant threat. Art. 24's comprehensive testing includes scenarios that assess the impact of successful attacks on critical ICT systems. | 70% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1032 | Multi-factor authentication directly strengthens authentication mechanisms. Art. 24 mandates testing of authentication paths, making MFA a key defensive control to evaluate. | 95% |
| M1030 | Network segmentation limits lateral movement and protects critical systems. Art. 24 requires testing of all critical ICT systems and data-flow paths, validating segmentation effectiveness. | 90% |
| M1040 | Privileged account management controls access to sensitive functions. Art. 24's focus on authorisation paths necessitates testing the robustness of privilege management. | 90% |
| M1035 | Limiting access to resources over the network restricts an attacker's reach. Art. 24's comprehensive testing evaluates how well network access controls protect critical infrastructure. | 85% |
| M1047 | Audit logging and analysis are crucial for detecting and responding to attacks. Art. 24's requirement for documented findings includes assessing the visibility of attack activities. | 80% |
| M1013 | Application developer guidance promotes secure coding practices, reducing vulnerabilities. Art. 24's testing identifies weaknesses that secure development practices aim to prevent. | 75% |
| M1051 | Secure software configuration reduces the attack surface. Art. 24's comprehensive testing includes evaluating the security posture of ICT system configurations. | 85% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-287 | Improper authentication is a direct target of penetration testing. Art. 24 explicitly requires testing of authentication paths to uncover such weaknesses. | 95% |
| CWE-285 | Improper authorization is a critical vulnerability. Art. 24 mandates testing of authorisation paths to ensure access controls function correctly. | 95% |
| CWE-200 | Exposure of sensitive information is a key risk. Art. 24's testing of data-flow paths aims to identify instances where sensitive data could be compromised or exfiltrated. | 90% |
| CWE-798 | Use of hard-coded credentials is a common finding in penetration tests. Art. 24's realistic attack scenarios often exploit such weaknesses in authentication. | 85% |
| CWE-732 | Incorrect permission assignment can lead to privilege escalation. Art. 24's testing of authorisation paths directly assesses the correctness of resource permissions. | 85% |
| CWE-77 | Command injection vulnerabilities are frequently exploited by attackers. Art. 24's comprehensive testing includes identifying and exploiting such weaknesses in ICT systems. | 80% |
| CWE-693 | Protection mechanism failures represent a broad category of weaknesses. Art. 24's penetration testing aims to uncover instances where security controls are ineffective or bypassed. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0124 compute · voice-rubric self-validated