DORA Art. 7
Digital Operational Resilience Act (EU 2022/2554)
AL · Founder at SQUR · last verified 2026-06-19
Regulation text
DORA Article 7 (ICT systems, protocols and tools): in order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are (a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle in Article 4; (b) reliable; (c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak order, message or transaction volumes as needed, including where new technology is introduced; (d) technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.

Article 7 states outcomes, not controls. It does not itself name patch cadences, monitoring, logging, backups or access control; those sit in Articles 8 to 12 (identification, protection and prevention, detection, response and recovery, backup and restoration). Most rows below therefore map through the words "updated", "reliable", "sufficient capacity" or "technologically resilient" rather than through a control Article 7 spells out, and the confidence column should be read with that in mind.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 Exploit Public-Facing Application | Needs an unpatched or misconfigured internet-facing service. "Use and maintain updated ICT systems, protocols and tools" is the closest thing in DORA to a patching obligation, so Article 7 bears on this technique directly. | 90% |
| T1068 Exploitation for Privilege Escalation | Local escalation through kernel or service vulnerabilities is closed by the same "updated" requirement; current OS releases also carry exploit mitigations that out-of-support builds lack. | 90% |
| T1003.001 OS Credential Dumping: LSASS Memory | Indirect. Article 7 says nothing about credential protection. Current OS builds ship protections for the credential store that older ones do not, so staying updated raises the bar, but the control itself falls under Article 9 (protection and prevention). | 80% |
| T1083 File and Directory Discovery | Indirect. Reliable, maintained systems imply known configurations and access controls, but Article 7 does not mandate them; least-privilege file permissions are an Article 9 control. | 70% |
| T1021.001 Remote Services: Remote Desktop Protocol | "Updated protocols and tools" covers end-of-support or unpatched remote-access services, which is where RDP exploitation usually starts. Restricting and monitoring remote access is itself an Article 9 and 10 matter. | 80% |
| T1005 Data from Local System | Indirect. Article 7(c) concerns accurate processing of data, not its confidentiality; the link is only through reliable systems with defined access controls. | 70% |
| T1041 Exfiltration Over C2 Channel | Indirect. Egress monitoring and data loss prevention are Article 10 (detection) controls; Article 7 contributes the expectation that network tooling is current enough to support them. | 80% |
| T1486 Data Encrypted for Impact | Ransomware is the archetypal "adverse situation" in Article 7(d). The backup and restoration obligations that make recovery possible are in Article 12; Article 7 sets the resilience outcome they serve. | 90% |
| T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Indirect. Configuration management and integrity monitoring that would catch unauthorised autostart entries are Article 9 and 10 controls; Article 7 links only through systems kept in a known, maintained state. | 70% |
| T1027 Obfuscated Files or Information | Indirect. Detection of obfuscated payloads is Article 10 territory; the Article 7 link is that maintained, current detection tooling (engines and signatures kept updated) sees more than stale tooling. | 70% |
| T1071.001 Application Layer Protocol: Web Protocols | Indirect. Traffic analysis for C2 over HTTP(S) is Article 10; Article 7 contributes maintained, current network protocols and tools. | 70% |
| T1046 Network Service Discovery | Indirect. Segmentation and network access control are not Article 7 requirements; the link is an appropriately sized, inventoried and maintained estate with no forgotten services left listening. | 70% |
| T1070.004 Indicator Removal: File Deletion | Indirect. Log retention and tamper-resistant storage are not named in Article 7; the link is that reliable, resilient systems are ones whose evidence survives an incident. | 70% |
| T1490 Inhibit System Recovery | Deleting shadow copies and backups directly attacks the ability to "adequately deal with adverse situations". Recovery capability is mandated in Articles 11 and 12, with Article 7(d) stating the outcome. | 90% |
| T1566.001 Phishing: Spearphishing Attachment | Indirect. Mail filtering and endpoint protection are Article 9 controls and awareness programmes are Article 13; Article 7 contributes maintained client software that a malicious attachment cannot exploit. | 80% |
Defending mitigations · 5
| Mitigation | What it does | Confidence |
|---|---|---|
| M1051 Update Software | The most literal control for "use and maintain updated ICT systems, protocols and tools": patch operating systems and applications on a defined cadence and replace end-of-support components rather than leaving them in place. Underpins the T1190 and T1068 rows. | 90% |
| M1016 Vulnerability Scanning | Tells you whether the estate actually is updated; scan findings reconciled against the asset inventory are the evidence a supervisor will ask for under Article 7. | 90% |
| M1035 Limit Access to Resource Over Network | Restricting which hosts can reach which services keeps unauthorised change and unplanned load away from systems that must stay reliable and process data accurately. | 80% |
| M1018 User Account Management | Ensures only authorised, current accounts can operate systems, limiting misuse that would compromise reliability or data accuracy. | 80% |
| M1030 Network Segmentation | Contains a compromise so the rest of the estate keeps operating, a direct contribution to dealing with "adverse situations" under Article 7(d). | 80% |
Supply-chain risk management has no mitigation ID in ATT&CK Enterprise; under DORA, ICT third-party risk is governed by Chapter V (from Article 28 onwards) rather than by Article 7.
Underlying weaknesses · 7
| CWE | Why it maps | Confidence |
|---|---|---|
| CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer | Memory-safety bugs crash or corrupt the systems Article 7 requires to be reliable and to process data accurately, and they are the class most often closed by keeping software updated. | 90% |
| CWE-20 Improper Input Validation | Unvalidated input produces wrong results or crashes, failing the accurate-processing requirement in Article 7(c). | 90% |
| CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | Undermines the integrity of web-based tools and the sessions behind them. The Article 7 link is weaker because confidentiality and user trust are not Article 7 outcomes. | 70% |
| CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | Confidentiality is not an Article 7 outcome; the mapping rests on the general reliability requirement and is correspondingly loose. | 80% |
| CWE-732 Incorrect Permission Assignment for Critical Resource | Weak permissions let unauthorised changes degrade reliability and data accuracy. | 80% |
| CWE-400 Uncontrolled Resource Consumption | The most direct CWE match on the page: unbounded memory, connection or queue growth under load contradicts Article 7(c) "sufficient capacity" and 7(d) "additional information processing needs ... under stressed market conditions". | 90% |
| CWE-306 Missing Authentication for Critical Function | An unauthenticated critical function makes system behaviour depend on whoever can reach it, defeating reliability; the authentication control itself sits under Article 9. | 80% |
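The CWE-400 row is the one place where Article 7 names the failure mode itself (capacity under stress), so here is an added, constructed simulation contrasting an unbounded backlog with bounded admission and load shedding. It is not SQUR code and not part of the mapping; the load profile, the server dimensions and the names Server, Stats, simulate and compare are assumptions chosen for the illustration.

```python
"""Capacity under stressed conditions: unbounded backlog (CWE-400) versus
bounded admission with load shedding.

Constructed, self-contained simulation added to illustrate the CWE-400 row.
The load profile, server sizes and all names are assumptions chosen for the
example; nothing here is SQUR code or DORA text.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Stats:
    accepted: int = 0      # requests admitted to the backlog
    rejected: int = 0      # requests shed immediately (bounded server only)
    completed: int = 0
    peak_queue: int = 0    # largest backlog observed
    worst_wait: int = 0    # longest time (ticks) a request sat in the backlog


class Server:
    """Discrete-time server with `workers` parallel slots; each request holds
    a slot for `service_ticks`. queue_limit=None accepts every request and
    lets the backlog grow without bound, which is the CWE-400 shape. A finite
    queue_limit rejects arrivals once the backlog is full, so memory and
    latency stay bounded during a burst."""

    def __init__(self, workers, service_ticks, queue_limit=None):
        self.workers = workers
        self.service_ticks = service_ticks
        self.queue_limit = queue_limit
        self.backlog = deque()   # arrival tick of each waiting request
        self.active = []         # remaining service ticks per in-flight request
        self.stats = Stats()

    def offer(self, now):
        """Admission control: returns False when the request is shed."""
        if self.queue_limit is not None and len(self.backlog) >= self.queue_limit:
            self.stats.rejected += 1
            return False
        self.backlog.append(now)
        self.stats.accepted += 1
        self.stats.peak_queue = max(self.stats.peak_queue, len(self.backlog))
        return True

    def tick(self, now):
        """Advance one time unit: finish work, then fill free slots FIFO."""
        self.active = [remaining - 1 for remaining in self.active]
        self.stats.completed += sum(1 for r in self.active if r <= 0)
        self.active = [r for r in self.active if r > 0]
        while self.backlog and len(self.active) < self.workers:
            arrived = self.backlog.popleft()
            self.stats.worst_wait = max(self.stats.worst_wait, now - arrived)
            self.active.append(self.service_ticks)


# Constructed load profile: 2 req/tick at steady state, a 10-tick burst of
# 50 req/tick (the "stressed market condition"), then back to 2 req/tick.
LOAD = [2] * 20 + [50] * 10 + [2] * 20


def simulate(server, arrivals=LOAD, drain_ticks=400):
    """Push the profile through `server`, then let it drain. Returns Stats."""
    now = 0
    for count in arrivals:
        for _ in range(count):
            server.offer(now)
        server.tick(now)
        now += 1
    for _ in range(drain_ticks):
        server.tick(now)
        now += 1
    return server.stats


def compare(workers=4, service_ticks=2, queue_limit=8):
    """Same capacity, same load; the only difference is admission control."""
    unbounded = simulate(Server(workers, service_ticks))
    bounded = simulate(Server(workers, service_ticks, queue_limit))
    return unbounded, bounded


if __name__ == "__main__":
    unbounded, bounded = compare()
    print("unbounded:", unbounded)
    print("bounded:  ", bounded)
```

With four workers and a two-tick service time the steady load of 2 req/tick exactly matches capacity, so both servers behave identically until the burst. The unbounded server then accumulates a backlog in the hundreds and the last requests wait over two hundred ticks, while the bounded server never holds more than eight requests and caps waiting at three ticks, at the cost of rejecting most of the burst. The rejections are the intended behaviour: a fast refusal is a resilient response under Article 7(d), an ever-growing queue is not. The same shape applies to connection pools, thread pools and message consumers.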
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0139 compute · voice-rubric self-validated