Active Directory compliance evidence for DORA, NIS2 and ENS Alto, generated automatically from proven attack paths.
ADscan ties every finding it proves in your Active Directory to the specific regulatory control it speaks to. The report that shows you what an attacker can reach is the same one you can show an auditor, with the legal citation already attached.
Compliance mapping in ADscan is the practice of linking a proven AD finding to the specific article and control in DORA, NIS2, ENS Alto or ISO 27001:2022 that the finding satisfies or violates. ADscan generates this mapping automatically: after validating attack paths, it annotates each finding with the relevant legal text and remediation priority, producing audit-ready evidence from the same run.
Art 9.4
DORA Article 9.4 (elaborated in RTS EU 2024/1774) requires financial entities to identify, classify and document all ICT assets and to implement protection and prevention measures commensurate with their criticality. Active Directory is the identity backbone of every entity in scope, yet most compliance programmes rely on questionnaires and manual auditing that cannot prove whether a given control is actually effective. An unpatched delegation or a Kerberoastable service account is a technical violation that a checklist will never surface. Regulated entities need evidence of validated controls, not self-assessment.
DORA Regulation EU 2022/2554 — ICT risk management protection requirements, in force January 2025
- 01 Run the AD validation: ADscan collects the full identity attack surface and executes every supported path to Domain Admin, producing proven and theoretical findings across credential, certificate, delegation and vulnerability families.
- 02 Classify each finding by framework: each finding is matched to the applicable control in DORA, NIS2, ENS Alto and ISO 27001:2022. The mapping is done at the finding level, not at the product level: the specific article that applies to a proven Kerberoasting path is different from the one that applies to a DCSync finding.
- 03 Attach legal citations: the report cites the exact article and paragraph: DORA Article 9.4 and its RTS (EU 2024/1774), NIS2 Article 21, ENS Alto operational controls, ISO 27001:2022 Annex A. No paraphrasing: the citation is the citation the auditor already knows.
- 04 Order remediation by compliance priority: findings are ordered by a combination of exploited severity (proven before theoretical) and the compliance deadline imposed by the applicable control, so your team remediates what matters to the auditor first.
- 05 Produce the audit-ready report: one report covers the full finding narrative, the per-finding compliance table and the executive summary. The CISO can hand it to an auditor; the security team can hand it to a developer. No post-processing, no separate tool.
- 06 Re-run after remediation: on the Enterprise platform, scheduled re-validation confirms that remediated controls pass the next run. The new report replaces the previous one and shows compliance drift over time.
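As an added illustration of steps 02 to 06 (example code written for this page, not ADscan's own mapping table, engine or report format): a finding-level control map built only from the citations quoted on this page, the proven-before-theoretical ordering with the control deadline as tie-break, and the drift between two runs. The deadline dates, the ADCS entry with no hard deadline, the target names and the finding keys are assumptions.

```python
from datetime import date

# Constructed finding-level control map assembled from the citations this page
# quotes; an illustration, not ADscan's own mapping table.
CONTROL_MAP = {
    "kerberoasting": {"dora": "Art. 9.4 / RTS (EU) 2024/1774: protect service account credentials",
                      "nis2": "Art. 21(2)(i)", "ens": "access-control measures",
                      "iso": "A.5.15 access control"},
    "dcsync": {"dora": "Art. 9.4 / RTS (EU) 2024/1774: restrict and monitor privileged replication rights",
               "nis2": "Art. 21(2)(i)", "ens": "access-control measures",
               "iso": "A.8.2 privileged access rights"},
    "unconstrained_delegation": {"dora": "Art. 9.4 / RTS (EU) 2024/1774: protect privileged accounts",
                                 "nis2": "Art. 21(2)(i)", "ens": "privilege-management controls",
                                 "iso": "A.8.2 privileged access rights"},
    # Assumption: an ADCS finding mapped only to ENS/ISO, so it carries no hard deadline.
    "adcs_misconfiguration": {"ens": "privilege-management controls",
                              "iso": "A.8.2 privileged access rights"},
}
# Assumed hard deadlines per framework (constructed placeholders; None = no hard deadline).
DEADLINE = {"dora": date(2025, 1, 17), "nis2": date(2024, 10, 17), "ens": None, "iso": None}

def annotate(finding):
    """Attach per-framework citations, status and the earliest hard deadline to one finding."""
    controls = CONTROL_MAP[finding["family"]]
    deadlines = [DEADLINE[fw] for fw in controls if DEADLINE[fw]]
    return {**finding, "controls": controls,
            "status": "violated",  # a finding present in the run violates its controls
            "deadline": min(deadlines) if deadlines else None}

def prioritise(findings):
    """Order: proven before theoretical, then earliest deadline, findings with no deadline last."""
    def key(f):
        return (0 if f["proven"] else 1, f["deadline"] or date.max, f["family"])
    return sorted((annotate(f) for f in findings), key=key)

def compliance_drift(previous, current):
    """Compare two runs by (family, target): remediated, new and persisting findings."""
    prev = {(f["family"], f["target"]) for f in previous}
    curr = {(f["family"], f["target"]) for f in current}
    return {"remediated": sorted(prev - curr), "new": sorted(curr - prev),
            "persisting": sorted(prev & curr)}

# Constructed sample runs (target names are placeholders, not real hosts or accounts).
RUN_1 = [{"family": "adcs_misconfiguration", "target": "CA01", "proven": True},
         {"family": "kerberoasting", "target": "svc_sql", "proven": True},
         {"family": "dcsync", "target": "backup_op", "proven": False}]
RUN_2 = [{"family": "dcsync", "target": "backup_op", "proven": False},
         {"family": "unconstrained_delegation", "target": "WEB01$", "proven": True}]

if __name__ == "__main__":
    for f in prioritise(RUN_1):
        print(f["family"], f["proven"], f["deadline"], f["controls"].get("dora", "no DORA citation"))
    print(compliance_drift(RUN_1, RUN_2))
```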
Per-finding DORA Article 9 mapping
Each proven AD finding is mapped to the specific DORA Article 9.4 requirement it violates or satisfies, with the RTS citation (EU 2024/1774). Not a blanket "this covers DORA" label: a finding-level annotation an auditor can read.
NIS2 Article 21 access-control coverage
NIS2 Article 21(2)(i) mandates authentication and privileged-access controls. ADscan maps every proven credential and delegation finding to this measure, with the directive citation and the concrete remediation that closes the gap.
ENS Alto identity controls
Spain's Esquema Nacional de Seguridad Alto tier requires continuous validation of access and identity controls. ADscan maps each finding to the relevant ENS control category and subcategory, making the report directly useful for entities under ENS certification scope.
ISO 27001:2022 Annex A alignment
Each finding is tagged with the relevant ISO 27001:2022 Annex A control (e.g. A.5.15 access control, A.8.2 privileged access rights). The mapping does not claim certification; it provides the evidence you need for your ISO audit.
Compliance-ordered remediation
Remediation steps are ordered by exploited severity combined with the compliance deadline of the applicable control. A proven path to Domain Admin that violates a DORA protection requirement appears before a theoretical finding with no hard deadline.
Single-report evidence package
The compliance mapping, the attack-path narrative, the per-step technical detail with MITRE technique IDs, and the executive summary are delivered in one report. No separate compliance tool required.
Mapped to the control your supervisor asks about.
This module is the compliance layer: it turns the technical output of ADscan's AD validation into regulatory evidence. DORA Article 9.4 requires protection of ICT assets and privileged accounts (RTS EU 2024/1774); NIS2 Article 21 requires authentication and access-control measures; ENS Alto requires continuous identity validation; ISO 27001:2022 Annex A maps to both. Each finding generated by any ADscan module is annotated with the applicable control at report generation time, with the legal citation, the current status (violated or satisfied), and the remediation priority. The same run that proves your exposure also produces the document your auditor asks for.
The open-source CLI prints the compliance mapping to stdout after each run: each finding is annotated with its DORA, NIS2, ENS and ISO control. This is part of the core engine; no license is required.
The PRO tier adds the board-ready PDF with the formatted compliance table, per-finding legal citations, executive compliance summary and remediation ordered by regulatory priority. Free in beta for consultancies and MSSPs. The Enterprise platform adds scheduled re-runs, compliance-drift tracking and the audit trail required for DORA Article 19 incident reporting.
Explore the rest of the platform.
Every ADscan report delivered in proof-of-value engagements has been used directly as compliance evidence in internal DORA and ENS audit reviews.
Questions, answered.
What does DORA require for Active Directory?
DORA Regulation EU 2022/2554, in force from January 2025, requires financial entities to identify, classify and document ICT assets (Article 8), implement protection and prevention measures for them (Article 9.4) and test ICT tools and systems (Article 24). Active Directory is the identity backbone of every in-scope entity: if an attacker can reach Domain Admin, every ICT asset is compromised. The Article 9.4 RTS (EU 2024/1774) elaborates specific requirements for privileged accounts, service credentials and access controls that map directly to the attack techniques ADscan validates.
How does ADscan map findings to DORA Article 9?
After validating each attack path, ADscan annotates the finding with the specific DORA Article 9.4 sub-requirement it relates to, using the RTS text (EU 2024/1774) as the authoritative citation. For example, a proven Kerberoasting path is mapped to the Article 9.4 requirement to protect service account credentials; a DCSync finding is mapped to the requirement to restrict and monitor privileged replication rights. The mapping is at the finding level, not the product level.
Does NIS2 require Active Directory validation?
NIS2 Directive 2022/0383 Article 21 requires entities to implement appropriate and proportionate technical measures for authentication and privileged-access management. A Kerberoastable service account or an account with unconstrained delegation is a direct violation of this requirement. ADscan validates these conditions and maps each finding to Article 21(2)(i), with the directive citation. NIS2 transposition deadlines vary by member state, but the obligation is in force across the EU.
What AD controls does ENS Alto mandate?
Spain's Esquema Nacional de Seguridad Alto tier (Real Decreto 311/2022) requires entities to implement continuous monitoring of access controls, privileged account management, and identity validation. The specific control categories map to ADscan's finding families: credential exposure (Kerberoasting, DCSync) maps to access-control measures; ADCS and delegation findings map to privilege-management controls; attack-path validation maps to the continuous testing requirement. ADscan includes the ENS control reference alongside each finding.
How do I generate DORA compliance evidence from my Active Directory?
Run ADscan against your Active Directory (the CLI is open-source and requires only a low-privilege domain account). ADscan collects the identity attack surface, validates every supported path and generates the compliance-mapped report. The report is the evidence: it includes the proven findings, the specific DORA articles they relate to, the legal citations, and the remediation steps. For the board-ready PDF and structured compliance table, the PRO tier is available free in beta for consultancies.
Can ADscan generate the evidence needed for a DORA Article 19 incident report?
DORA Article 19 sets the reporting timelines for major ICT-related incidents: initial notification within 4 hours, intermediate report within 24 hours, and final report within 72 hours. ADscan does not automate the incident-reporting workflow, but the audit trail and finding history generated by the Enterprise platform can provide the technical evidence of the initial attack path and the remediation steps taken, supporting the "root cause and impact" sections of the Article 19 report.
Find out which path to Domain Admin you have today.
Request a proof of value and we will run ADscan against your Active Directory, then deliver the compliance-mapped report.