DORA Art. 6 · voice-validated
Digital Operational Resilience Act (EU 2022/2554)
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
DORA Article 6 — ICT risk management framework: Financial entities must have a sound, comprehensive and well-documented ICT risk-management framework. The framework must enable them to address ICT risks quickly, efficiently and comprehensively, ensuring a high level of digital operational resilience. It includes strategies, policies, procedures, ICT protocols and tools necessary to duly and adequately protect all information assets and ICT assets including computer software, hardware, servers, as well as relevant physical components and infrastructures.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | A robust ICT risk management framework, as required by DORA Art. 6, must include policies for managing valid accounts, including strong authentication and access control. Failure to implement these controls allows attackers to use legitimate credentials for unauthorized access, undermining asset protection. | 90% |
| T1133 | DORA Art. 6 mandates protection of ICT assets. Inadequate management of external remote services, such as VPNs or RDP, represents a critical vulnerability that a sound framework must address to prevent initial access and ensure digital operational resilience. | 90% |
| T1059 | A comprehensive ICT risk management framework requires procedures to restrict or monitor the execution of command and scripting interpreters. Lack of such controls, as per DORA Art. 6, allows attackers to execute arbitrary commands on compromised systems, impacting asset integrity. | 80% |
| T1053 | DORA Art. 6 requires a framework that protects ICT assets. Attackers can establish persistence by creating or modifying scheduled tasks. A sound framework includes policies for monitoring and controlling scheduled tasks to prevent unauthorized modifications, ensuring asset protection. | 80% |
| T1098 | DORA Art. 6 emphasizes protecting information assets. An ICT risk management framework must include robust identity and access management policies. Failure to prevent account manipulation directly undermines the protection of user accounts and system access. | 90% |
| T1068 | A sound ICT risk management framework, as per DORA Art. 6, must include vulnerability management and patching policies. Failure to address known vulnerabilities allows attackers to exploit them for privilege escalation, compromising system integrity and asset protection. | 90% |
| T1055 | DORA Art. 6 requires protection of ICT assets. An effective framework includes controls to prevent unauthorized code injection into processes, which attackers use for defense evasion and privilege escalation. Lack of such controls indicates a gap in asset protection. | 80% |
| T1027 | DORA Art. 6 mandates a framework that addresses ICT risks efficiently. Attackers use obfuscation to evade detection. A comprehensive framework includes strategies and tools for detecting and analyzing obfuscated malicious code, ensuring effective risk response. | 80% |
| T1070 | DORA Art. 6 requires a framework that ensures digital operational resilience. Attackers remove indicators to hide their activities. A sound framework includes policies for log management, integrity, and retention to prevent the removal of critical forensic evidence. | 80% |
| T1003 | DORA Art. 6 requires protection of information assets. A comprehensive framework must include policies and tools to prevent credential dumping, such as memory protection and secure configuration, to safeguard sensitive authentication material. | 90% |
| T1087 | DORA Art. 6 requires a framework to protect ICT assets. Attackers perform account discovery to map the environment. A sound framework limits information exposure and implements least privilege principles to restrict what accounts can be discovered. | 70% |
| T1046 | DORA Art. 6 mandates a framework that protects ICT assets. Attackers use network service discovery to identify potential targets. A comprehensive framework includes network segmentation and strict firewall rules to limit discovery capabilities. | 70% |
| T1021 | DORA Art. 6 requires protection of ICT assets. Attackers use remote services for lateral movement. A sound framework includes policies for securing, monitoring, and restricting remote access protocols to prevent unauthorized use and ensure asset protection. | 90% |
| T1005 | DORA Art. 6 requires protection of information assets. Attackers collect data from local systems. A comprehensive framework includes data loss prevention, access controls, and monitoring to prevent unauthorized data collection, safeguarding sensitive information. | 90% |
| T1048 | DORA Art. 6 requires protection of information assets. Attackers exfiltrate data using various protocols. A sound framework includes data egress filtering, monitoring, and anomaly detection to prevent unauthorized data transfer, ensuring data confidentiality. | 90% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1031 | DORA Art. 6 requires protection of ICT assets. Network segmentation limits lateral movement and reduces the impact of breaches, directly contributing to a sound and comprehensive ICT risk management framework by isolating critical systems. | 90% |
| M1030 | DORA Art. 6 mandates protection of information assets. Implementing privileged account management policies and tools is crucial for a sound framework to prevent privilege escalation and unauthorized access to critical resources. | 90% |
| M1035 | DORA Art. 6 requires a framework that protects information assets. Multi-factor authentication significantly reduces the risk of unauthorized access via compromised credentials, enhancing the security of valid accounts as part of a comprehensive framework. | 90% |
| M1040 | DORA Art. 6 requires a comprehensive framework to address ICT risks. Regular vulnerability scanning identifies weaknesses in software and hardware, allowing for proactive remediation and contributing to a sound risk management strategy. | 80% |
| M1047 | DORA Art. 6 mandates a well-documented framework. Regular audits of security configurations, logs, and procedures ensure compliance with policies and identify deviations, contributing to the framework's soundness and effectiveness in protecting assets. | 80% |
| M1019 | DORA Art. 6 requires protection of information assets. Robust user account management, including lifecycle management and least privilege, is fundamental to a sound ICT risk management framework, preventing unauthorized access and misuse. | 90% |
| M1028 | DORA Art. 6 requires protection of ICT assets. Secure operating system configurations, including hardening and disabling unnecessary services, are essential components of a comprehensive risk management framework to reduce attack surfaces. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-287 | DORA Art. 6 requires a sound framework. Improper authentication directly undermines the protection of information assets by allowing unauthorized access, indicating a failure in the framework's design or implementation of security protocols. | 90% |
| CWE-732 | DORA Art. 6 mandates protection of ICT assets. Incorrect permissions allow unauthorized access or modification, representing a critical flaw in the framework's ability to secure assets and maintain their integrity and confidentiality. | 90% |
| CWE-200 | DORA Art. 6 requires protection of information assets. This weakness directly contradicts the requirement to protect assets, indicating a failure in the framework's policies or controls to prevent sensitive data exposure. | 90% |
| CWE-306 | DORA Art. 6 requires a sound framework. The absence of authentication for critical functions exposes ICT assets to severe risk, demonstrating a fundamental flaw in the framework's security protocols and asset protection. | 90% |
| CWE-798 | DORA Art. 6 requires a comprehensive framework. Hard-coded credentials bypass proper authentication mechanisms, making systems vulnerable and undermining the framework's ability to protect information assets and ensure secure access. | 80% |
| CWE-20 | DORA Art. 6 requires a framework to address ICT risks. Improper input validation can lead to various vulnerabilities, including code injection, which a sound framework must mitigate to protect software assets and ensure operational resilience. | 70% |
| CWE-434 | DORA Art. 6 mandates protection of ICT assets, including software. Allowing unrestricted dangerous file uploads can lead to system compromise, indicating a gap in the framework's security procedures and asset protection mechanisms. | 70% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0140 compute · voice-rubric self-validated