
GDPR Art. 32

General Data Protection Regulation (EU 2016/679)

Adam Lundqvist
Founder at SQUR · last verified 2026-06-19

Regulation text

GDPR Article 32 — Security of processing: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

ATT&CK techniques this article tests · 15

Technique · Why it maps · Confidence

T1078 · This technique involves unauthorized access via valid accounts. Art. 32 mandates appropriate technical and organisational measures to prevent such access, ensuring confidentiality and integrity of personal data. · 1.0 (100%)

T1133 · External remote services are a common initial access vector. Art. 32 requires secure processing systems and services, necessitating robust protection for all external interfaces. · 1.0 (100%)

T1059 · Command execution directly impacts system integrity and confidentiality. Art. 32 requires measures to ensure ongoing integrity and resilience of processing systems. · 0.9 (90%)

T1547 · Persistence mechanisms undermine the ongoing confidentiality and integrity of processing systems. Art. 32 mandates measures to ensure these attributes are maintained. · 0.9 (90%)

T1068 · Exploitation for privilege escalation directly compromises system security. Art. 32 requires appropriate technical measures to prevent unauthorized access and control over personal data. · 1.0 (100%)

T1027 · Obfuscation hinders detection of malicious activity. Art. 32(d) requires regular testing and evaluation of security measures, which includes detecting such evasion. · 0.8 (80%)

T1036 · Masquerading allows attackers to bypass security controls. Art. 32 requires effective technical and organisational measures to ensure a level of security appropriate to the risk. · 0.8 (80%)

T1003 · Credential dumping directly threatens the confidentiality of personal data. Art. 32 mandates pseudonymisation and encryption, and measures to ensure confidentiality. · 1.0 (100%)

T1083 · Discovery of sensitive files directly precedes data exfiltration or impact. Art. 32 requires measures to ensure the confidentiality of personal data. · 0.9 (90%)

T1046 · Network service discovery aids attackers in mapping the environment. Art. 32 requires secure and resilient processing systems, implying knowledge of the network architecture. · 0.8 (80%)

T1021 · Remote services facilitate lateral movement. Art. 32 requires secure processing systems and services, necessitating controls over internal network access. · 0.9 (90%)

T1005 · Collection of data from local systems directly impacts data confidentiality. Art. 32 requires measures to ensure the ongoing confidentiality of personal data. · 1.0 (100%)

T1071 · Command and control communication channels are essential for attacker operations. Art. 32 requires resilient processing systems and services to resist such external control. · 0.8 (80%)

T1041 · Exfiltration over C2 channels directly violates data confidentiality. Art. 32 mandates measures, including encryption, to ensure the confidentiality of personal data. · 1.0 (100%)

T1486 · Data encryption for impact (ransomware) directly compromises data availability. Art. 32(c) requires the ability to restore availability and access to personal data in a timely manner. · 1.0 (100%)

Defending mitigations · 6

Mitigation · What it does · Confidence

M1032 · Two-factor authentication significantly reduces unauthorized access risk. Art. 32 mandates appropriate technical measures to ensure a level of security appropriate to the risk. · 1.0 (100%)

M1031 · Network segmentation limits the scope of breaches. Art. 32 requires resilient processing systems and services, which segmentation supports by containing threats. · 0.9 (90%)

M1040 · Data encryption is explicitly required by Art. 32(a) for personal data, ensuring confidentiality. · 1.0 (100%)

M1047 · Auditing provides essential data for regular testing and evaluation. Art. 32(d) requires a process for regularly assessing the effectiveness of security measures. · 0.9 (90%)

M1051 · Application isolation enhances system resilience and integrity. Art. 32(b) requires measures to ensure the ongoing integrity and resilience of processing systems. · 0.8 (80%)

M1035 · Limiting network access to resources directly supports confidentiality and integrity. Art. 32 requires appropriate technical measures to secure processing systems. · 0.9 (90%)

Underlying weaknesses · 7

CWE · Why it persists · Confidence

CWE-200 · This weakness directly compromises data confidentiality. Art. 32(b) requires measures to ensure the ongoing confidentiality of personal data. · 1.0 (100%)

CWE-269 · Improper privilege management enables unauthorized actions. Art. 32 mandates appropriate technical measures to ensure a level of security appropriate to the risk. · 0.9 (90%)

CWE-306 · Missing authentication allows unauthorized access. Art. 32 requires appropriate technical measures to prevent unauthorized access to personal data. · 0.9 (90%)

CWE-311 · Lack of encryption directly violates Art. 32(a), which explicitly requires the encryption of personal data. · 1.0 (100%)

CWE-732 · Insecure permissions undermine confidentiality, integrity, and availability. Art. 32(b) requires measures to ensure these attributes for processing systems. · 0.9 (90%)

CWE-798 · Hard-coded credentials weaken authentication mechanisms. Art. 32 requires appropriate technical measures to ensure a level of security appropriate to the risk. · 0.8 (80%)

CWE-400 · Uncontrolled resource consumption can lead to denial of service. Art. 32(b) and (c) require ensuring availability and resilience, and timely restoration. · 0.8 (80%)

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0122 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation