DORA Art. 25
Digital Operational Resilience Act (EU 2022/2554)
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
Financial entities, other than microenterprises, that are identified as significant must carry out at least every three years advanced testing by means of TLPT (Threat-Led Penetration Testing). The test must cover all critical or important functions, with all live production systems supporting such functions in scope. Testers must be reputable third parties; in-house testing is only allowed under specific safeguards. The test scope, including specific functions, attack scenarios, and threat-intelligence requirements, is agreed with the relevant competent authority. Tests must use realistic, threat-led attack scenarios sourced from authoritative threat intelligence.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | TLPT simulates attacks on public-facing applications, directly testing the resilience of critical functions against external threats as required by DORA Art. 25. | 90% |
| T1078 | Compromised valid accounts are a primary vector for attackers to gain initial access and move laterally within systems, a key focus for advanced testing under DORA Art. 25. | 85% |
| T1059 | Attackers frequently use command and scripting interpreters to execute malicious code post-compromise, a scenario TLPT must uncover to protect critical functions per DORA Art. 25. | 80% |
| T1547.001 | Establishing persistence via autostart mechanisms is a common adversary goal. TLPT identifies such vulnerabilities to ensure the integrity of live production systems, as mandated by DORA Art. 25. | 80% |
| T1068 | Exploiting vulnerabilities for privilege escalation is a core component of advanced threat-led scenarios, directly addressed by the testing requirements of DORA Art. 25. | 90% |
| T1055 | Process injection allows adversaries to evade defenses and escalate privileges, a critical technique for TLPT to detect within live production systems under DORA Art. 25. | 75% |
| T1027 | Obfuscation techniques are used by adversaries to hide their presence and activities. TLPT must measure the effectiveness of detection mechanisms against such evasion, per DORA Art. 25. | 70% |
| T1003 | OS credential dumping is a high-impact technique for lateral movement. TLPT assesses an entity's ability to prevent and detect this activity within critical systems, as required by DORA Art. 25. | 85% |
| T1087 | Adversaries perform account discovery to map the environment. TLPT evaluates the entity's ability to restrict and detect such reconnaissance within critical functions, per DORA Art. 25. | 75% |
| T1046 | Network service discovery helps attackers identify targets for lateral movement. TLPT assesses the visibility and security of network services supporting critical functions, as mandated by DORA Art. 25. | 75% |
| T1021.001 | Remote Desktop Protocol is a common method for lateral movement. TLPT simulates its exploitation to test controls protecting critical systems, aligning with DORA Art. 25. | 80% |
| T1005 | Collection of data from local systems is a precursor to exfiltration. TLPT evaluates the security of data storage and access controls on systems supporting critical functions, per DORA Art. 25. | 80% |
| T1071.001 | Web protocols are frequently used for command and control. TLPT assesses the entity's ability to detect and block malicious C2 communications, as required by DORA Art. 25. | 70% |
| T1041 | Exfiltration over C2 channels represents a significant data breach risk. TLPT simulates this to test data loss prevention and detection capabilities for critical data, per DORA Art. 25. | 80% |
| T1486 | Data encryption for impact, such as ransomware, directly threatens critical functions. TLPT assesses the entity's resilience and recovery capabilities against such destructive attacks, as mandated by DORA Art. 25. | 90% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1031 | Network segmentation limits the blast radius of attacks, protecting critical functions from lateral movement, a key objective of advanced testing under DORA Art. 25. | 90% |
| M1040 | Endpoint behavior prevention detects and blocks malicious activities, directly countering many attack techniques TLPT aims to simulate, as required by DORA Art. 25. | 85% |
| M1047 | Robust auditing and logging are essential for detecting and responding to attacks, enabling the post-test analysis and improvement mandated by DORA Art. 25. | 80% |
| M1026 | Privileged account management reduces the impact of credential compromise, a critical defense against privilege escalation and lateral movement, as tested under DORA Art. 25. | 85% |
| M1035 | Limiting access to resources over the network restricts an attacker's ability to reach critical systems, a control directly evaluated by TLPT scenarios under DORA Art. 25. | 80% |
| M1017 | Effective user account management prevents unauthorized access and reduces the attack surface, a fundamental security measure assessed by advanced testing under DORA Art. 25. | 75% |
| M1050 | Regular vulnerability scanning identifies weaknesses before they can be exploited by threat actors, contributing to the overall resilience tested under DORA Art. 25. | 70% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-798 | Hard-coded credentials provide attackers with direct access, a critical vulnerability TLPT aims to discover within systems supporting critical functions, per DORA Art. 25. | 85% |
| CWE-200 | Exposure of sensitive information enables data exfiltration. TLPT identifies such vulnerabilities to protect critical data, aligning with the scope of DORA Art. 25. | 80% |
| CWE-269 | Improper privilege management enables attackers to gain higher access, a common weakness TLPT seeks to exploit and report on for critical systems, as required by DORA Art. 25. | 85% |
| CWE-787 | Out-of-bounds write vulnerabilities are frequently exploited for arbitrary code execution, a high-impact weakness TLPT would target in live production systems under DORA Art. 25. | 75% |
| CWE-502 | Deserialization of untrusted data can lead to remote code execution, a severe vulnerability that TLPT scenarios would aim to uncover in critical applications, per DORA Art. 25. | 70% |
| CWE-287 | Improper authentication allows unauthorized access to systems and data, a fundamental security flaw TLPT is designed to expose within critical functions, as mandated by DORA Art. 25. | 80% |
| CWE-668 | Exposure of resources to the wrong sphere indicates poor network segmentation, a weakness TLPT would exploit to demonstrate lateral movement into critical systems, per DORA Art. 25. | 75% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0195 compute · voice-rubric self-validated