
DORA EU 2022/2554 · Art. 6 · Art. 9 · Art. 10 · Art. 11 · Art. 13

What does DORA require for Active Directory security?

DORA Articles 6, 9, 10, 11, and 13 create binding obligations on Active Directory security: asset inventory, privileged identity management, continuous monitoring, incident response, and threat-led penetration testing.

regulatory obligations

DORA articles that directly govern Active Directory

DORA does not mention Active Directory by name. It does not need to: each article covers a domain that makes AD the most relevant ICT asset for financial entity compliance.

Art. 6 (ICT Risk Management)
Obligation: Identify and inventory all critical ICT assets.
AD-specific requirement: AD must be in the critical asset inventory with documented controls and dependencies. Topology map, trust relationships, and dependency chain to banking systems.
Evidence for supervisor: Asset inventory with AD topology map.

Art. 9 (Protection & Prevention)
Obligation: Access controls, privileged identity management.
AD-specific requirement: Inventory of Domain Admins/Enterprise Admins, periodic privilege review, separation of admin accounts. Controls against escalation vectors that move from unprivileged user to domain administrator.
Evidence for supervisor: Privileged account register with review log.

Art. 10 (Detection)
Obligation: Continuous monitoring, anomaly detection.
AD-specific requirement: Real-time detection of unusual logons, permission changes on critical objects, domain replication requests (DCSync), and Kerberos configuration modifications. SIEM rule evidence required.
Evidence for supervisor: SIEM rule list plus evidence of AD event correlation.

Art. 11 (Response & Recovery)
Obligation: Incident response covering critical systems.
AD-specific requirement: AD compromise scenario in the IR plan: krbtgt hash extraction, hidden admin accounts, mass credential dump. Runbook with concrete containment and recovery steps for full domain compromise.
Evidence for supervisor: AD compromise runbook with containment steps.

Art. 13 (TLPT Resilience Testing)
Obligation: Threat-led penetration testing for significant entities.
AD-specific requirement: AD is a priority target in TLPT scope. Kerberoasting, ADCS ESC1/ESC8, DCSync, and unconstrained delegation are expected test vectors for any TLPT team engaging a financial entity.
Evidence for supervisor: TLPT report with AD findings and remediation evidence.

tlpt scope

AD attack vectors most relevant to DORA

The same vectors that national CERTs detect in financial sector organizations are the ones TLPT teams will look for under Art. 13. Knowing them before the test is the difference between controlling the outcome and discovering the problems at the worst possible moment.

Kerberoasting

Art. 9, Art. 10

Any domain user can request a Kerberos service ticket for an account with a registered SPN. If that account has a weak password (common in legacy service accounts), the ticket can be cracked offline. Financial entities with long-lived AD environments frequently have service accounts with registered SPNs and never-expiring passwords.

Required evidence

Inventory of accounts with SPNs, password policy for service accounts, technical verification that no account with access to critical systems has a crackable password.
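
The first evidence item above (an SPN inventory with password age and encryption settings) can be produced directly from the directory. The following PowerShell is an added example, not ADscan's code; it assumes the RSAT ActiveDirectory module, read access to the domain, and uses a 365-day password-age threshold and an output path that are placeholders to adapt to local policy.

```powershell
# Added example, not ADscan's code: Kerberoasting exposure inventory for the Art. 9 evidence file.
# Assumes the RSAT ActiveDirectory module and an account with read access to the domain.
Import-Module ActiveDirectory

# Any enabled user account with at least one SPN can have a service ticket requested for it.
$spnAccounts = Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, 'msDS-SupportedEncryptionTypes', AdminCount

$report = foreach ($u in $spnAccounts) {
    # krbtgt carries an SPN by design; it is covered by the DCSync/Golden Ticket controls instead.
    if ($u.SamAccountName -eq 'krbtgt') { continue }

    # msDS-SupportedEncryptionTypes bits: 0x4 = RC4_HMAC, 0x8 = AES128, 0x10 = AES256.
    # Unset (null) means the KDC may issue RC4 tickets, which crack far faster than AES.
    $enc     = [int]$u.'msDS-SupportedEncryptionTypes'
    $aesOnly = (($enc -band 0x18) -ne 0) -and (($enc -band 0x4) -eq 0)

    # -1 marks accounts whose password has never been set or whose date is unreadable.
    $ageDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { -1 }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        SPNCount             = @($u.ServicePrincipalName).Count
        PasswordAgeDays      = $ageDays
        PasswordNeverExpires = [bool]$u.PasswordNeverExpires
        AESOnly              = $aesOnly
        Privileged           = ($u.AdminCount -eq 1)
        # Ordering for the remediation plan (thresholds are assumptions, adjust to policy):
        # privileged accounts first, then stale passwords, then RC4-capable accounts.
        RiskScore            = [int]($u.AdminCount -eq 1) * 4 + [int]($ageDays -gt 365 -or $ageDays -lt 0) * 2 + [int](-not $aesOnly)
    }
}

$report | Sort-Object RiskScore -Descending | Format-Table -AutoSize

# Timestamped CSV as the supervisor-facing artefact (output path is an assumption).
$report | Export-Csv -NoTypeInformation -Path ("SPN-inventory-{0:yyyyMMdd}.csv" -f (Get-Date))
```

The CSV is the artefact to keep: re-run it at each review and the diff between two dated files is the "periodic privilege review" evidence the table above asks for. The "technical verification" part (no crackable password) still requires a password-audit step against the accounts this list returns, with approval recorded in the change log.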

ADCS ESC1 / ESC8

Art. 9, Art. 11

Misconfigurations in Active Directory Certificate Services templates allow requesting certificates on behalf of other identities, including domain administrators. ESC1 allows impersonating any domain user. ESC8 allows relaying NTLM authentication to the certificate service. A fraudulent certificate can remain valid for years after a compromise.

Required evidence

Review of all certificate templates, verification of ESC1 through ESC16 configurations, certificate issuance log.
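
The template review can be scripted against the Configuration partition. The following PowerShell is an added example, not ADscan's code: it flags templates meeting the ESC1 conditions (enrollee supplies the subject, an authentication EKU, no manager approval or authorized signature, enrollable by a broad group, and published on an enterprise CA). ESC8 concerns the web enrollment endpoints rather than template attributes, so it is outside this check. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the list of "broad" groups is an assumption to extend with local low-privilege groups.

```powershell
# Added example, not ADscan's code: ESC1 template conditions in ADCS.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Only templates published on an enterprise CA can actually be enrolled.
$published = Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

# EKUs that let a certificate be used for domain authentication; an empty EKU list also counts.
$authEkus = @('1.3.6.1.5.5.7.3.2',      # Client Authentication
              '1.3.6.1.5.2.3.4',        # PKINIT Client Authentication
              '1.3.6.1.4.1.311.20.2.2', # Smart Card Logon
              '2.5.29.37.0')            # Any Purpose
$enrollRight = '0e10c968-78fb-11d1-a9c0-0000f80367c1'   # Certificate-Enrollment extended right
# Groups whose enrollment right makes a template reachable by any domain account
# (assumption: add your own large, low-privilege groups).
$broadGroups = @('Domain Users', 'Authenticated Users', 'Domain Computers', 'Everyone')

$templates = Get-ADObject -SearchBase $tplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
                pKIExtendedKeyUsage, nTSecurityDescriptor

$review = foreach ($t in $templates) {
    $suppliesSubject = (([int]$t.'msPKI-Certificate-Name-Flag') -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = (([int]$t.'msPKI-Enrollment-Flag') -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
    $signatures      = [int]$t.'msPKI-RA-Signature'                                # authorized signatures required
    $ekus            = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $hasAuthEku      = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $authEkus -contains $_ })

    # Enrollment is granted by the Certificate-Enrollment right, by all extended rights, or by GenericAll.
    $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType.ToString() -eq $enrollRight -or
            ($_.ObjectType -eq [guid]::Empty -and
             ($_.ActiveDirectoryRights -band ([System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight, GenericAll')) -ne 0))
    }
    $broadEnroll = @($enrollers | Where-Object { $broadGroups -contains ($_.IdentityReference.Value -split '\\')[-1] })

    [pscustomobject]@{
        Template        = $t.Name
        Published       = ($published -contains $t.Name)
        SuppliesSubject = $suppliesSubject
        AuthEKU         = $hasAuthEku
        ManagerApproval = $managerApproval
        SignaturesReq   = $signatures
        BroadEnrollers  = ($broadEnroll.IdentityReference.Value -join ', ')
        ESC1            = ($published -contains $t.Name) -and $suppliesSubject -and $hasAuthEku -and
                          -not $managerApproval -and $signatures -eq 0 -and $broadEnroll.Count -gt 0
    }
}

$review | Sort-Object ESC1 -Descending |
    Format-Table Template, Published, ESC1, SuppliesSubject, AuthEKU, ManagerApproval, SignaturesReq, BroadEnrollers -AutoSize
```

Each column is one of the ESC1 preconditions, so the table doubles as the remediation checklist: a template stops being ESC1 as soon as any single column is fixed (remove the broad enrollment right, require manager approval, or stop letting the enrollee supply the subject). Keep the dated output next to the CA's issuance log so that the supervisor can match issued certificates against the templates in force at the time.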

DCSync

Art. 9, Art. 11

An account with replication permissions on the domain partition can simulate a domain controller and request full replication, including all NTLM hashes. The attacker obtains the krbtgt hash, enabling Golden Tickets with indefinite validity. Recovery requires krbtgt rotation and full directory review.

Required evidence

ACL audit on the domain root, inventory of accounts with replication permissions, detection rule for replication events from non-DC sources.
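
Both the ACL audit and the detection rule can be produced from a management workstation. The following PowerShell is an added example, not ADscan's code: part 1 lists every principal holding the three replication extended rights on the domain root, part 2 reads Event ID 4662 from each DC's Security log and reports replication accesses by anything other than a DC computer account. It assumes the RSAT ActiveDirectory module, remote read access to DC Security logs, "Audit Directory Service Access" enabled on the DCs, and a 24-hour window; the list of expected principals is an assumption to extend with any documented backup or synchronization tool.

```powershell
# Added example, not ADscan's code: (1) who holds replication rights on the domain partition and
# (2) Event ID 4662 replication accesses by anything other than a DC computer account.
# Assumes the RSAT ActiveDirectory module, the ability to read DC Security logs remotely, and
# "Audit Directory Service Access" enabled on the DCs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName

# Schema-defined extended rights that together permit a DCSync-style replication request.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals expected to hold these rights (assumption: extend with any documented backup/sync tool).
$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers", "$nb\Administrators"
)

# --- 1. ACL audit on the domain root ---
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$aclFindings = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $replRights.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal  = $_.IdentityReference.Value
            Right      = $replRights[$_.ObjectType.ToString()]
            Inherited  = $_.IsInherited
            Unexpected = ($expected -notcontains $_.IdentityReference.Value)
        }
    }
$aclFindings | Sort-Object Unexpected -Descending, Principal | Format-Table -AutoSize

# --- 2. Detection: replication by non-DC accounts in the last 24 hours ---
$dcs    = Get-ADDomainController -Filter *
$dcSams = $dcs | ForEach-Object { "$($_.Name)`$" }     # DC computer accounts end in '$'
$since  = (Get-Date).AddHours(-24)

$eventFindings = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since }
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # The Properties field lists the GUIDs of the rights that were exercised.
        $hits = $replRights.Keys | Where-Object { [string]$data['Properties'] -match $_ }
        if ($hits -and ($dcSams -notcontains $data['SubjectUserName'])) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                DC          = $dc.Name
                Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Rights      = ($hits | ForEach-Object { $replRights[$_] }) -join ', '
            }
        }
    }
}
$eventFindings | Format-Table -AutoSize
```

Part 1 is the Art. 9 artefact (every "Unexpected = True" row needs a justification or removal), part 2 is the logic a SIEM rule should implement continuously for Art. 10; the same match on Event ID 4662, the three GUIDs and a non-DC subject is what to show the supervisor as the rule definition.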

Unconstrained Delegation

Art. 9, Art. 10

A machine with unconstrained delegation stores in memory the TGTs of every user who authenticates against it. An attacker with local access to that machine can reuse those tickets to impersonate any domain user, including domain administrators.

Required evidence

Inventory of machines and accounts with delegation configured, business justification and compensating controls for each case.
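
The delegation inventory and its compensating control can be exported with the following PowerShell, an added example rather than ADscan's code. It lists computers and users trusted for unconstrained delegation (domain controllers excluded, since they hold the flag by design) and then lists Domain Admins who are neither marked "cannot be delegated" nor members of Protected Users. It assumes the RSAT ActiveDirectory module and a domain functional level with the Protected Users group; the output path is a placeholder.

```powershell
# Added example, not ADscan's code: inventory of unconstrained delegation and the compensating
# control (privileged accounts marked "cannot be delegated" or in Protected Users).
# Assumes the RSAT ActiveDirectory module and a domain that has the Protected Users group.
Import-Module ActiveDirectory

$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

# TrustedForDelegation maps to the userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000).
# Domain controllers hold it by design and are excluded; every other hit needs a documented
# business justification in the evidence file.
$computers = Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, OperatingSystem, LastLogonDate, Description |
    Where-Object { $dcDNs -notcontains $_.DistinguishedName } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'Computer'; Name = $_.Name; OS = $_.OperatingSystem
                           LastLogon = $_.LastLogonDate; Description = $_.Description }
    }

# User and service accounts can carry the same bit.
$users = Get-ADUser -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, LastLogonDate, Description |
    ForEach-Object {
        [pscustomobject]@{ Type = 'User'; Name = $_.SamAccountName; OS = $null
                           LastLogon = $_.LastLogonDate; Description = $_.Description }
    }

$delegation = @($computers) + @($users)
$delegation | Format-Table -AutoSize
# Output path is an assumption.
$delegation | Export-Csv -NoTypeInformation -Path ("Delegation-inventory-{0:yyyyMMdd}.csv" -f (Get-Date))

# Compensating control: a TGT that is never forwarded cannot be collected from a delegating host.
# Each Domain Admin should be flagged "Account is sensitive and cannot be delegated" or be in
# Protected Users; the list below is the gap to close.
$protectedDNs = @(Get-ADGroupMember 'Protected Users' -ErrorAction SilentlyContinue).DistinguishedName
$gaps = Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated -and ($protectedDNs -notcontains $_.DistinguishedName) } |
    Select-Object SamAccountName, DistinguishedName
$gaps | Format-Table -AutoSize
```

The first list is the inventory the evidence item asks for; the second is the compensating control that makes a remaining delegation host acceptable, because an admin whose TGT is never forwarded has nothing to lose on that host even if it is compromised.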

supervisor preparation

What evidence the supervisor requires

National competent authorities (Banco de España, CNMV, and DGSFP in Spain) will not ask for generic documents. They will ask for concrete technical evidence.

01. Privileged account inventory

Up-to-date, with the date of last review and business justification for each account with elevated access. Domain Admins, Enterprise Admins, Backup Operators, accounts with DCSync rights.

02. AD change log

Who modified what, when, and with what authorization: consumed and stored in a way that cannot be altered. Demonstrates continuous monitoring per Art. 10.

03. Periodic technical test results

Vectors detected, severity (CVSS), date of detection, and remediation status. The distinction: 'we have a policy' versus 'we have technically verified no account with an SPN and a crackable password exists.'

04. Remediation plan with committed dates

For each open technical finding. Priority ordered by real impact. Maps to the specific DORA articles each finding violates. Required for Art. 6 and Art. 9 compliance demonstrations.

ADscan generates all of this automatically in a single analysis session. The report includes explicit mapping of each finding to the corresponding DORA articles, detected attack paths with CVSS scores, and a remediation roadmap prioritized by real impact. The DORA report is delivered the same day as the assessment.

frequently asked

DORA Active Directory questions

Does DORA explicitly mention Active Directory?

No. DORA does not mention Active Directory by name. However, Articles 6, 9, 10, 11, and 13 directly govern the security domains that make Active Directory the most relevant ICT asset for compliance in any financial entity. Article 6 requires inventorying critical ICT assets: AD qualifies unambiguously as the authentication backbone for all banking systems. Articles 9 and 10 require access controls and continuous monitoring on those assets. Article 13 requires threat-led penetration testing (TLPT) of critical systems, and AD is a standard priority target in any TLPT scope.

What evidence do supervisors actually require for DORA Art. 9 on Active Directory?

National competent authorities (Banco de España, CNMV, and DGSFP in Spain) do not ask for generic security policies. For Article 9, they require a privileged account inventory (up-to-date, with last review date and business justification for each elevated account), technical evidence of periodic privilege review, and documentation of controls against known escalation techniques. The distinction regulators draw is between 'we have a password policy for service accounts' versus 'we have technically verified that no account with an SPN and a crackable password exists in our environment.'

Which financial entities are required to conduct TLPT under DORA Art. 13?

DORA Art. 13 applies to entities designated as 'significant' by their national competent authority. The criteria include systemic importance, cross-border activity, and size thresholds. In practice, the largest banks, insurance groups, and investment firms in each EU member state are in scope. For entities in scope, TLPT must be conducted by independent external teams at least every three years, with Active Directory as a standard priority target due to its role as the central authentication and authorization infrastructure.

for financial entities under DORA

Prepare your AD evidence before the supervisor asks.

Free 1–2h live session via VPN. No agents. Full DORA/ENS Alto/ISO 27001 report delivered the same day. Evidence package ready for your NCA.