DORA Art. 5 · voice-validated
Digital Operational Resilience Act (EU 2022/2554)
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
DORA Article 5 — Governance and Organisation: Financial entities must have an internal governance and control framework that ensures effective and prudent management of ICT risk. The management body bears the ultimate responsibility for managing ICT risk and must approve, oversee, and periodically review the entity's ICT risk-management framework. Senior officers responsible for ICT risk must report at least annually to the management body on the status of ICT risk and on the ICT business continuity policy.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1003.001 | 1. Ineffective ICT risk management, as mandated by Art. 5, fails to implement robust endpoint security. 2. This allows adversaries to dump credentials from LSASS memory, compromising system access. 3. The absence of proper oversight facilitates this attack. | 90% |
| T1005 | 1. Weak governance and control frameworks, contrary to Art. 5, result in inadequate data access controls. 2. Adversaries can collect sensitive data from local systems without detection. 3. This indicates a failure in prudent ICT risk management. | 80% |
| T1007 | 1. A deficient internal control framework, as per Art. 5, leads to poor asset management and network visibility. 2. Adversaries can easily discover system services, mapping the environment. 3. This undermines effective ICT risk management. | 70% |
| T1011 | 1. Art. 5 requires effective ICT risk management, including data loss prevention. 2. A failure to implement and oversee such policies allows exfiltration over various network mediums. 3. This represents a significant governance oversight. | 80% |
| T1016 | 1. Prudent ICT risk management, as stipulated by Art. 5, necessitates strong network security. 2. Weaknesses permit adversaries to discover system network configurations. 3. This exposes vulnerabilities due to insufficient oversight. | 70% |
| T1021.001 | 1. Art. 5 mandates a control framework for ICT risk. 2. Unmanaged or poorly secured Remote Desktop Protocol access allows lateral movement. 3. This directly reflects a failure in governance and oversight of remote services. | 90% |
| T1027 | 1. Effective ICT risk management, per Art. 5, requires robust detection capabilities. 2. A lack of such controls allows adversaries to use obfuscated files or information to evade defenses. 3. This indicates a gap in the control framework. | 80% |
| T1033 | 1. Art. 5 requires a control framework for ICT risk. 2. Poor user account management and access policies enable adversaries to discover system owners and users. 3. This highlights a deficiency in governance and oversight. | 70% |
| T1036.003 | 1. Art. 5 mandates an effective control framework. 2. Inadequate system integrity monitoring allows adversaries to rename system utilities for masquerading. 3. This demonstrates a failure in proactive ICT risk management. | 80% |
| T1041 | 1. Prudent ICT risk management, as per Art. 5, includes network egress filtering. 2. Insufficient controls allow exfiltration over command and control channels. 3. This signifies a critical failure in the governance framework. | 90% |
| T1046 | 1. Art. 5 requires effective ICT risk management. 2. Lack of network segmentation and monitoring permits adversaries to perform network service scanning. 3. This indicates a weakness in the control framework and oversight. | 70% |
| T1047 | 1. Art. 5 mandates a robust control framework. 2. Unrestricted Windows Management Instrumentation access, due to weak configuration management, enables execution. 3. This reflects a failure in ICT risk governance. | 80% |
| T1048.001 | 1. Effective ICT risk management, as per Art. 5, requires controlled outbound traffic. 2. Uncontrolled FTP usage allows exfiltration over alternative protocols. 3. This represents a significant governance and oversight failure. | 90% |
| T1003.002 | 1. Art. 5 demands a strong control framework for ICT risk. 2. Weak system security allows adversaries to dump credentials from the Security Account Manager. 3. This indicates a failure in managing access controls and system hardening. | 80% |
| T1008 | 1. Prudent ICT risk management, as per Art. 5, includes monitoring C2 channels. 2. A lack of such monitoring allows adversaries to use fallback channels for communication. 3. This highlights a gap in the control framework and oversight. | 70% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1013 | 1. Art. 5 mandates an effective control framework for ICT risk. 2. Application hardening reduces vulnerabilities, directly supporting prudent risk management. 3. This aligns with the management body's oversight responsibilities. | 90% |
| M1015 | 1. Art. 5 requires robust governance for ICT risk. 2. Proper Active Directory configuration is crucial for managing user access and preventing privilege escalation. 3. This is a core component of the internal control framework. | 90% |
| M1016 | 1. Art. 5 explicitly requires periodic review and oversight of the ICT risk-management framework. 2. Comprehensive auditing mechanisms are essential for fulfilling this requirement. 3. This ensures accountability and identifies control weaknesses. | 100% |
| M1025 | 1. Prudent management of ICT risk, as per Art. 5, includes protecting credentials. 2. Implementing credential access protection directly mitigates a primary attack vector. 3. This is a fundamental aspect of the control framework. | 90% |
| M1031 | 1. Art. 5 mandates an effective control framework. 2. Endpoint denylisting prevents the execution of known malicious software. 3. This contributes to the proactive management of ICT risk under governance oversight. | 80% |
| M1035 | 1. Art. 5 requires prudent ICT risk management. 2. Limiting access to resources over the network reduces the attack surface and lateral movement. 3. This is a key control within the governance framework. | 80% |
| M1040 | 1. Art. 5 mandates effective ICT risk management. 2. Network segmentation isolates critical systems, limiting the impact of breaches. 3. This is a crucial control for the management body to approve and oversee. | 90% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-264 | 1. Art. 5 requires an effective control framework. 2. Flaws in permissions, privileges, and access controls directly undermine this framework. 3. This indicates a failure in prudent ICT risk management and oversight. | 90% |
| CWE-287 | 1. Art. 5 mandates a robust control framework. 2. Improper authentication allows unauthorized access, bypassing critical security measures. 3. This represents a significant failure in the governance of ICT risk. | 80% |
| CWE-306 | 1. Art. 5 requires an effective control framework. 2. Missing authentication for critical functions exposes systems to unauthorized actions. 3. This highlights a severe gap in the prudent management of ICT risk. | 80% |
| CWE-732 | 1. Art. 5 mandates an effective control framework. 2. Incorrect permission assignments for critical resources directly compromise system integrity. 3. This reflects a failure in the management body's oversight of ICT risk. | 90% |
| CWE-798 | 1. Prudent ICT risk management, as per Art. 5, includes secure development practices. 2. Use of hard-coded credentials bypasses proper authentication mechanisms. 3. This indicates a weakness in the control framework and review processes. | 70% |
| CWE-862 | 1. Art. 5 requires an effective control framework. 2. Missing authorization allows users to perform actions beyond their intended scope. 3. This represents a fundamental failure in the governance and oversight of ICT risk. | 80% |
| CWE-863 | 1. Art. 5 mandates an effective control framework. 2. Incorrect authorization grants excessive or inappropriate access. 3. This directly undermines the prudent management of ICT risk and requires management body review. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0140 compute · voice-rubric self-validated