DORA Art. 28
Digital Operational Resilience Act (EU 2022/2554)
AL, Founder at SQUR · last verified 2026-06-19
Regulation text (summary of Art. 28(1) to 28(3))
Financial entities must manage ICT third-party risk as an integral component of ICT risk within their ICT risk-management framework. They must adopt and regularly review a strategy on ICT third-party risk, including a policy on the use of ICT services that support critical or important functions. They must maintain a register of information covering all contractual arrangements for ICT services provided by ICT third-party service providers.
ATT&CK techniques this article maps to · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1195 | 1. DORA Art. 28 mandates managing ICT third-party risk. Supply Chain Compromise directly exploits vulnerabilities in third-party services, aligning with the regulation's focus on external dependencies. 2. Financial entities must identify and mitigate risks from compromised software or hardware components provided by third parties. | 90% |
| T1133 | 1. DORA Art. 28 requires managing ICT third-party risk. External Remote Services, often provided by third parties, represent a significant attack surface. 2. Financial entities must secure and monitor these services to prevent unauthorized access and maintain the integrity of their ICT risk-management framework. | 80% |
| T1078 | 1. DORA Art. 28 mandates managing third-party risk. Valid Accounts, especially those managed by or for third-party service providers, can be compromised and used for unauthorized access. 2. Robust account management is essential for mitigating this risk. | 70% |
| T1098 | 1. DORA Art. 28 requires a strategy for ICT third-party risk. Account Manipulation by a compromised third-party account can lead to persistence or privilege escalation. 2. Monitoring and controlling third-party account permissions are critical. | 70% |
| T1068 | 1. DORA Art. 28 requires managing ICT third-party risk. Exploitation for Privilege Escalation can occur through vulnerabilities in third-party software or services. 2. Financial entities must ensure third-party solutions are secure and regularly patched to prevent such exploits. | 80% |
| T1036.005 | 1. DORA Art. 28 mandates managing third-party risk. Match Legitimate Name or Location (a Masquerading sub-technique) lets an attacker who has compromised a third-party service blend its binaries, tasks or accounts in with the provider's legitimate ones and evade detection. 2. Strict identity and access management for third-party interactions, plus an inventory of what each provider is expected to run, are necessary to counter this technique. | 60% |
| T1003 | 1. DORA Art. 28 requires managing ICT third-party risk. OS Credential Dumping can result from a compromise originating from a third-party service. 2. Protecting credentials, including those used by or shared with third parties, is a core risk management activity. | 70% |
| T1087 | 1. DORA Art. 28 mandates managing third-party risk. Account Discovery by an attacker, potentially gaining initial access via a third party, helps map the environment. 2. Limiting third-party visibility into internal account structures reduces this risk. | 70% |
| T1046 | 1. DORA Art. 28 requires managing ICT third-party risk. Network Service Discovery, if performed by a compromised third party, can reveal critical infrastructure. 2. Network segmentation and strict access controls for third parties limit discovery capabilities. | 70% |
| T1021 | 1. DORA Art. 28 mandates managing third-party risk. Remote Services can be exploited by an attacker who gains access through a third-party connection to move laterally within the network. 2. Secure configuration and monitoring of remote access are vital. | 70% |
| T1005 | 1. DORA Art. 28 requires managing ICT third-party risk. Data from Local System can be collected by a malicious actor or a compromised third party. 2. Data loss prevention and strict access controls for third parties mitigate this collection technique. | 80% |
| T1039 | 1. DORA Art. 28 mandates managing third-party risk. Data from Network Shared Drive can be accessed and collected if a third-party connection is compromised. 2. Proper access permissions and monitoring of shared resources are essential. | 70% |
| T1071 | 1. DORA Art. 28 requires managing ICT third-party risk. Command and Control (C2) using Application Layer Protocol can be established by an attacker leveraging a compromised third-party service. 2. Network monitoring and egress filtering help detect such communications. | 60% |
| T1041 | 1. DORA Art. 28 mandates managing third-party risk. Exfiltration Over C2 Channel can occur if a third-party system is compromised and used to steal data. 2. Data exfiltration prevention is a key component of ICT risk management for third-party services. | 80% |
| T1486 | 1. DORA Art. 28 requires managing ICT third-party risk. Data Encrypted for Impact (ransomware) can originate from a compromised third-party service, causing significant disruption. 2. Robust incident response and recovery plans, including for third-party incidents, are critical. | 80% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1051 | 1. DORA Art. 28 explicitly requires financial entities to manage ICT third-party risk. Update Software (M1051) is ATT&CK's listed mitigation for Supply Chain Compromise: keeping third-party software, firmware and dependencies patched and removing components the provider no longer maintains. 2. This aligns with the regulation's core objective of treating provider-supplied components as part of the entity's own ICT risk. | 95% |
| M1030 | 1. DORA Art. 28 mandates managing ICT third-party risk. Network Segmentation limits the blast radius of a compromise originating from a third-party service. 2. Isolating critical systems from third-party access points reduces potential impact. | 85% |
| M1035 | 1. DORA Art. 28 requires a strategy on ICT third-party risk. Limit Access to Resource Over Network ensures third parties can reach only the hosts and services their contract requires, applying the principle of least privilege at the network layer. 2. This directly reduces the attack surface presented by external providers. | 90% |
| M1018 | 1. DORA Art. 28 mandates managing ICT third-party risk. User Account Management (M1018; the page originally cited M1017, which is User Training), particularly for accounts associated with third-party access, is crucial for preventing unauthorized use. 2. Proper provisioning, de-provisioning when a contract ends, and monitoring are essential. | 80% |
| M1026 | 1. DORA Art. 28 requires a strategy on ICT third-party risk. Privileged Account Management for third parties is critical due to the high impact of their compromise. 2. Strict controls over these accounts are necessary to protect critical functions. | 85% |
| M1047 | 1. DORA Art. 28 mandates maintaining a register of contractual arrangements. Audit (M1047) means periodically reviewing systems, accounts and permissions; for third parties that means reconciling the accounts, integrations and network paths each provider actually holds against what the register says was contracted. 2. This supports the overall ICT risk-management framework by catching orphaned or over-scoped access. | 80% |
| M1031 | 1. DORA Art. 28 requires managing ICT third-party risk. Network Intrusion Prevention systems can detect and block malicious activity originating from or targeting third-party connections. 2. This provides a layer of defense against external threats. | 75% |
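The M1047 row above describes an audit that reconciles observed third-party access against the Art. 28(3) register. The following is an added worked example of that reconciliation, written for this page; it is not SQUR's code and not a regulatory template. The register fields (`supports_critical_function`, `privileged_access_agreed`, `contract_end`), the access-inventory fields, the 90-day dormancy threshold and all provider and account names are assumptions constructed for the example, and it assumes one register entry per provider.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RegisterEntry:
    """One contractual arrangement from the Art. 28(3) register (fields are assumed)."""
    provider: str
    service: str
    supports_critical_function: bool
    privileged_access_agreed: bool
    contract_end: date


@dataclass(frozen=True)
class ThirdPartyAccess:
    """One account or integration a provider actually holds (constructed inventory)."""
    account: str
    provider: str
    privileged: bool
    last_seen: date


# Constructed sample register: three providers, one with a contract already ended.
REGISTER = [
    RegisterEntry("Acme Cloud", "core banking hosting", True, True, date(2027, 12, 31)),
    RegisterEntry("PayRoute", "payment gateway API", True, False, date(2026, 3, 31)),
    RegisterEntry("MailBlast", "marketing email", False, False, date(2027, 6, 30)),
]

# Constructed sample access inventory, e.g. exported from an IdP or PAM tool.
ACCESS_INVENTORY = [
    ThirdPartyAccess("svc-acme-deploy", "Acme Cloud", True, date(2026, 6, 18)),
    ThirdPartyAccess("svc-acme-report", "Acme Cloud", False, date(2026, 1, 5)),
    ThirdPartyAccess("svc-payroute", "PayRoute", False, date(2026, 6, 1)),
    ThirdPartyAccess("svc-mailblast-admin", "MailBlast", True, date(2026, 6, 10)),
    ThirdPartyAccess("svc-oldvendor", "QuickFix Consulting", False, date(2026, 5, 30)),
]

AS_OF = date(2026, 6, 19)
MAX_IDLE_DAYS = 90  # assumed dormancy threshold


def reconcile(register, access, today, max_idle_days=MAX_IDLE_DAYS):
    """Return (account, reason) findings for access the register does not justify.

    Checks, in order per account: provider missing from the register, contract
    already ended, privileged access the contract never agreed, and dormant
    accounts that should have been de-provisioned.
    """
    by_provider = {entry.provider: entry for entry in register}
    findings = []
    for item in access:
        entry = by_provider.get(item.provider)
        if entry is None:
            findings.append((item.account, "provider has no register entry"))
            continue
        if today > entry.contract_end:
            findings.append((item.account, f"contract ended {entry.contract_end.isoformat()}"))
        if item.privileged and not entry.privileged_access_agreed:
            findings.append((item.account, "privileged access not recorded in register"))
        idle = (today - item.last_seen).days
        if idle > max_idle_days:
            findings.append((item.account, f"dormant ({idle} days)"))
    return findings


def run_audit():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(REGISTER, ACCESS_INVENTORY, AS_OF)


if __name__ == "__main__":
    for account, reason in run_audit():
        print(f"{account}: {reason}")
```

Run as a script it prints four findings: the dormant Acme reporting account, the PayRoute account still live after the contract ended, the MailBlast account holding privileges the contract never granted, and an account for a provider that is not in the register at all. The last two are the cases that feed the M1018 and M1026 rows: each finding is either a de-provisioning action or a register correction.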
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-1104 | 1. DORA Art. 28 requires managing ICT third-party risk. The Use of Unmaintained Third Party Components directly contributes to vulnerabilities and increased risk. 2. The regulation implies due diligence in selecting and monitoring third-party services. | 90% |
| CWE-284 | 1. DORA Art. 28 mandates managing ICT third-party risk. Improper Access Control for third-party services can lead to unauthorized access or data breaches. 2. Establishing and enforcing robust access controls is a fundamental requirement. | 85% |
| CWE-285 | 1. DORA Art. 28 requires a strategy on ICT third-party risk. Improper Authorization, granting excessive permissions to third-party services or personnel, increases the risk of compromise. 2. Adhering to the principle of least privilege is essential. | 85% |
| CWE-200 | 1. DORA Art. 28 mandates managing ICT third-party risk. Exposure of Sensitive Information to an Unauthorized Actor can occur through compromised third-party services. 2. Protecting data handled by third parties is a critical aspect of risk management. | 80% |
| CWE-749 | 1. DORA Art. 28 requires managing ICT third-party risk. Exposed Dangerous Method or Function in third-party APIs or services creates attack vectors. 2. Thorough security assessments of third-party integrations are necessary. | 70% |
| CWE-668 | 1. DORA Art. 28 mandates managing ICT third-party risk. Exposure of Resource to Wrong Sphere, such as allowing third parties access to internal networks, increases risk. 2. Proper network segmentation and access zoning are required. | 75% |
| CWE-918 | 1. DORA Art. 28 requires managing ICT third-party risk. Server-Side Request Forgery (SSRF) in a third-party web service that the entity exposes or integrates with can be exploited to reach internal resources the provider was never meant to touch. 2. Allow-listing the outbound destinations of third-party integrations, rather than relying on input validation alone, and assessing provider code for SSRF before integration are important. | 65% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0215 compute · voice-rubric self-validated