Digital Operational Resilience Act (EU 2022/2554)
Founder at SQUR · last verified 2026-06-19
Regulation text
DORA Article 8 — Identification: Financial entities must identify, classify and adequately document all ICT-supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. They shall review the adequacy of this classification and of the relevant documentation as needed but at least yearly.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1046 | Financial entities identify and document network services as per DORA Art. 8. This reduces the attacker's ability to discover services through active scanning. | 90% |
| T1049 | DORA Art. 8 requires documentation of ICT assets and their dependencies. This makes it harder for attackers to map network connections undetected. | 90% |
| T1082 | Identification and documentation of ICT assets under DORA Art. 8 means system information is known. This limits an attacker's need for discovery. | 80% |
| T1083 | DORA Art. 8 mandates classification of information assets. This helps protect critical files and directories, making discovery harder for attackers. | 70% |
| T1018 | DORA Art. 8 requires identification of all ICT assets. This includes remote systems, reducing an attacker's ability to discover them. | 80% |
| T1033 | DORA Art. 8 explicitly requires documentation of roles and responsibilities. This directly counters an attacker's need to discover system owners and users. | 90% |
| T1057 | Documentation of ICT assets and their functions under DORA Art. 8 provides insight into expected processes. This helps identify anomalous process activity. | 70% |
| T1069 | DORA Art. 8 mandates documentation of roles and responsibilities. This provides a baseline for understanding and securing permission groups. | 80% |
| T1087 | DORA Art. 8 requires documentation of roles and responsibilities. This directly supports comprehensive account management, hindering attacker account discovery. | 90% |
| T1012 | DORA Art. 8's requirement to document ICT assets and their configurations means critical registry settings are known. This can help detect unauthorized queries. | 60% |
| T1016 | DORA Art. 8 mandates identification and documentation of ICT assets and their dependencies. This includes network configurations, limiting attacker discovery. | 90% |
| T1036 | Clear documentation of roles and responsibilities, as per DORA Art. 8, makes it harder for attackers to masquerade as legitimate users or processes. | 70% |
| T1053 | DORA Art. 8 requires documentation of ICT-supported business functions. This includes understanding legitimate scheduled tasks, aiding in detection of malicious ones. | 60% |
| T1003 | Identification and classification of critical ICT assets under DORA Art. 8 allows for enhanced protection of systems likely to hold credentials. | 70% |
| T1486 | DORA Art. 8 requires classification of information assets. This enables prioritization of critical data for backup and recovery, mitigating impact. | 70% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1051 | DORA Art. 8 mandates identification of ICT assets and their dependencies. This includes third-party services, directly supporting supply chain risk management. | 80% |
| M1047 | DORA Art. 8 requires yearly review of classification and documentation adequacy. This aligns directly with audit processes to ensure compliance and effectiveness. | 90% |
| M1039 | DORA Art. 8 requires classification of information assets. This is foundational for identifying sensitive data and implementing effective data loss prevention measures. | 80% |
| M1031 | DORA Art. 8 mandates identification of ICT assets and their dependencies. This information is critical for designing and implementing effective network segmentation. | 70% |
| M1017 | DORA Art. 8 requires documentation of roles and responsibilities. This provides the essential baseline for robust user account management and access control. | 90% |
| M1016 | DORA Art. 8's requirement to document roles and responsibilities directly informs the creation and enforcement of account use policies. | 80% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | Failure to identify and classify information assets, as required by DORA Art. 8, directly increases the risk of sensitive information exposure. | 90% |
| CWE-264 | Undocumented roles and responsibilities, contrary to DORA Art. 8, lead to poorly defined permissions and privileges, increasing security risks. | 90% |
| CWE-306 | If critical ICT-supported business functions are not identified and classified per DORA Art. 8, essential authentication mechanisms may be overlooked. | 80% |
| CWE-732 | Lack of classification for ICT assets and their roles, as mandated by DORA Art. 8, results in insecure permission assignments for critical resources. | 90% |
| CWE-693 | Inadequate identification and documentation of ICT assets and their dependencies, as per DORA Art. 8, can lead to protection mechanisms failing to cover all relevant components. | 80% |
| CWE-1188 | Without proper identification and classification of ICT assets (DORA Art. 8), default insecure configurations may persist, leading to vulnerabilities. | 70% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0111 compute · voice-rubric self-validated