Digital Operational Resilience Act (EU 2022/2554)
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
DORA Article 9 — Protection and prevention: Financial entities must continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures. They must design, procure and implement ICT security policies, procedures, protocols, and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1003.001 | DORA Art. 9 mandates continuous monitoring and control of ICT systems. This directly counters OS credential dumping by enabling detection of memory access or file system manipulation associated with credential theft. | 90% |
| | Financial entities must minimise ICT risk impact as per DORA Art. 9. Preventing unauthorised data collection from local systems is a direct measure to achieve this objective. | 90% |
| | DORA Art. 9 requires continuous monitoring and control of ICT systems. Detecting and controlling unusual communication channels, such as fallback channels, is essential for maintaining security. | 80% |
| | Financial entities must deploy appropriate ICT security tools and procedures under DORA Art. 9. This includes preventing initial compromise vectors like drive-by downloads to protect ICT systems. | 80% |
| | Continuous monitoring of ICT systems, as per DORA Art. 9, helps detect unauthorised registry queries. These queries are often precursors to further malicious activity. | 80% |
| | DORA Art. 9 mandates continuous control of ICT systems. Identifying and removing unauthorised persistence mechanisms, such as port monitors, is critical for system integrity. | 80% |
| T1016.001 | Financial entities must monitor ICT systems to detect reconnaissance activities, as required by DORA Art. 9. Discovering internet connectivity is a common reconnaissance step. | 80% |
| | DORA Art. 9 mandates continuous monitoring to detect attempts at mapping the internal network. Remote system discovery is a key technique for lateral movement planning. | 80% |
| T1021.001 | Financial entities must control ICT systems to prevent unauthorised use of remote services for lateral movement. DORA Art. 9 requires continuous control to secure these pathways. | 90% |
| T1027.002 | DORA Art. 9 requires appropriate ICT security tools to detect and prevent the execution of obfuscated or packed malicious software. This directly addresses defence evasion techniques. | 90% |
| | Continuous monitoring, as per DORA Art. 9, helps detect attempts to identify system users for targeting. This discovery technique is a precursor to credential access or lateral movement. | 80% |
| T1036.003 | DORA Art. 9 mandates appropriate ICT security tools and procedures to detect and prevent masquerading techniques. Renaming system utilities is a common method of masquerading. | 80% |
| T1037.001 | Financial entities must continuously control ICT systems to prevent unauthorised modifications to logon scripts for persistence. DORA Art. 9 requires this control for system integrity. | 80% |
| | DORA Art. 9 requires continuous monitoring and appropriate security tools to prevent unauthorised data exfiltration. Exfiltration over C2 channels is a primary method to be defended against. | 90% |
| | DORA Art. 9 mandates continuous control of ICT systems to detect and prevent malicious use of administrative tools like WMI. This ensures system resilience and security. | 80% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1013 | DORA Art. 9 requires deployment of appropriate ICT security tools to minimise impact. Application isolation and sandboxing directly contribute to this by containing potential threats. | 90% |
| M1016 | Financial entities must continuously monitor ICT systems as per DORA Art. 9. Robust auditing capabilities are fundamental to fulfilling this continuous monitoring requirement. | 100% |
| M1017 | DORA Art. 9 mandates control over ICT systems. Effective user account management prevents unauthorised access and privilege abuse, directly supporting system security. | 90% |
| M1021 | Financial entities must deploy appropriate ICT security tools to control network communications. DORA Art. 9 requires this to prevent command and control activities and data exfiltration. | 90% |
| M1025 | DORA Art. 9 requires robust control over ICT systems, especially for critical functions. Strict management of privileged accounts is essential to protect these functions. | 90% |
| M1035 | Financial entities must control ICT systems and minimise risk impact. DORA Art. 9 requires restricting network access to sensitive resources to enhance security posture. | 90% |
| M1040 | DORA Art. 9 requires ICT security policies and tools to ensure resilience and continuity. Network segmentation is a key control that limits the blast radius of security incidents. | 90% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-20 | DORA Art. 9 requires appropriate ICT security tools and procedures. Improper input validation undermines system resilience and security, leading to various vulnerabilities. | 80% |
| CWE-200 | Financial entities must minimise ICT risk impact, as per DORA Art. 9. Preventing the exposure of sensitive information to unauthorised actors is a direct objective. | 90% |
| CWE-269 | DORA Art. 9 mandates continuous control of ICT systems. Improper privilege management directly compromises this control and overall system security, leading to privilege escalation. | 90% |
| CWE-306 | Financial entities must ensure the resilience and continuity of critical functions. DORA Art. 9 requires robust authentication mechanisms to protect these functions from unauthorised access. | 90% |
| CWE-311 | DORA Art. 9 requires appropriate ICT security tools and policies to protect data. Missing encryption of sensitive data directly violates this requirement, increasing data exposure risk. | 90% |
| CWE-693 | Financial entities must deploy appropriate ICT security tools and policies. DORA Art. 9 is violated when protection mechanisms fail, compromising system resilience and security. | 80% |
| CWE-732 | DORA Art. 9 mandates control over ICT systems, especially for critical functions. Incorrect permission assignment for critical resources directly undermines this control and security. | 90% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0132 compute · voice-rubric self-validated