Get Compliments On Your Compliance.

DORA establishes a comprehensive framework to ensure the operational resilience of financial institutions and their critical service providers across the European Union. It became fully applicable in January 2025, making compliance an immediate priority.

Unlike general cybersecurity guidance, DORA is prescriptive. It mandates specific capabilities across ICT risk management, incident reporting, resilience testing, and third-party oversight — and it applies not only to financial institutions but also to their critical technology providers.

Key DORA articles and how MainTegrity CSF addresses them:

• Articles 5–16 — ICT Risk Management: Organizations must identify, protect, detect, respond, and recover from ICT threats. CSF provides continuous integrity monitoring across the full lifecycle — FIM+ detects unauthorized changes in real time, Early Warning catches reconnaissance and privilege escalation, and Restore Assist enables rapid, surgical recovery.
• Article 17 — ICT Incident Reporting: DORA requires organizations to classify, report, and remediate ICT incidents with specific timelines. FIM+ forensics provide immediate scope, timing, and attribution data — the exactly what regulators ask for.
• Articles 24–27 — Digital Resilience Testing: Advanced testing including threat-led penetration testing (TLPT) must validate detection and response capabilities. CSF's track record — Pentesters 0, CSF 3 — demonstrates that skilled penetration testers have not breached a CSF-protected system.
• Articles 28–44 — Third-Party Oversight: Critical ICT providers face direct regulatory scrutiny. Supply Chain validates vendor-provided software against known good states before deployment, supporting separation of duties requirements.

Why this matters for mainframes: DORA doesn't exempt mainframes. If financial transactions run on z/OS — and they often do — the mainframe is an ICT system subject to all DORA requirements. Most organizations have robust detection on distributed systems but significant gaps on the mainframe. CSF closes that gap.

If your mainframe handles credit or debit card information, you are subject to PCI DSS. Backed by Visa, Mastercard, American Express, and most other major financial industry players, PCI DSS applies to every computer processing debit or credit card information — mainframes included.

IBM states that 87% of credit card transactions and 29 billion ATM transactions are processed on z/OS every year. PCI DSS V4 is now in force, and requirements have become stricter, not looser.

Without integrity monitoring technology, you do not comply. Period.

Both DSS V3.2.1 and V4 explicitly require File Integrity Monitoring to meet Controls 10.5.5 and 11.5:

• Control 10.5.5 asks: "Is file-integrity monitoring or change-detection software used on logs to ensure that existing log data cannot be changed without generating alerts?"
• Control 11.5 asks: "Is a change-detection mechanism deployed to detect unauthorized modification of critical system files, configuration files, or content files?"

These are not recommendations — they are stated requirements. Some organizations attempt to use "compensating controls" as substitutes, but these must always be defended during audits, lower compliance scores, and face even more scrutiny under V4. With no generally accepted substitute for FIM processing on z/OS, mainframes that need to comply need FIM+.

Executive liability: PCI DSS Part 3b requires the personal signature of your CIO, CFO, or CEO attesting that all compliance requirements are met. When that attestation asks whether file integrity monitoring is deployed, the executive signing is personally certifying the answer. If FIM isn't actually in place on the mainframe, that signature becomes a significant personal liability.

FIM+ eliminates the compliance burden:

• Produces, files, and distributes required weekly compliance reports automatically
• Eliminates the need for compensating controls entirely — direct compliance with 10.5.5 and 11.5
• Shortens PCI audits by providing clean, automated evidence
• Improves compliance scores while simultaneously improving security

Bottom line: MainTegrity is recognized as a thought leader in the PCI DSS space — selected to address the North American PCI conference on mainframe ransomware avoidance. FIM+ eliminates unnecessary manual effort, improves compliance scores, has better reporting, and shortens audits, all while improving your cyber security.

A cornerstone of FIM+ functionality is the NIST Cybersecurity Framework — specifically all five pillars: Identify, Protect, Detect, Respond, and Recover.

FIM+ implements nearly all NIST CSF recommendations in these areas. Every item marked with * indicates where FIM+ provides stronger controls than traditional tools. Items marked with # indicate advanced techniques that extend beyond the current CSF standard.

• IDENTIFY — Asset Management*, Business Environment, Governance*, Risk Assessment, Risk Management Strategy
• PROTECT — Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance*, Protective Technology*
• DETECT — Anomalies and Events, Security*, Continuous Monitoring*, Detection Processes*, Backup Verify*#, Whitelist/Baselines*#
• RESPOND — Response Planning*, Communications*, Analysis*, Mitigation/Improvements*, Content Comparison*#
• RECOVER— Recovery Planning*, Improvements*, Communications*, Software Recovery*#, Verify Restore*#, Immutable Backups*#

However, FIM+ goes further. MainTegrity expects many of these advanced extensions to become requirements in CSF V2, which is in the review process. FIM+ provides not only compliance with the current standard but also a degree of future-proofing.

FIM+ CSF Extensions — capabilities beyond current NIST CSF:

1. Whitelists (Baselines) — the first continuously up-to-date whitelist on z/OS, as suggested by recent NIST bulletins. There has never before been such a capability on z/OS, which historically left organizations unable to detect compromised components before damage occurred.
2. Verify Backup (Hash) — cryptographic verification of backup integrity
3. Ransom Early Warning — detect encryption attacks in progress
4. Real-time Alerts — instant notification of security events
5. Automated Forensics — GUI-based investigation with organized evidence
6. Policy-Driven Recovery — customer-specific response protocols
7. Verify Restored Systems — post-recovery integrity validation
8. Audit Evidence Reports — automated compliance documentation
9. Content Comparison — side-by-side before/after analysis

Standards Convergence: MainTegrity has found a high degree of convergence between the various security standards, many of them with NIST CSF at their heart. A strong NIST CSF implementation on the mainframe creates a multiplier effect across your entire compliance portfolio — PCI DSS, DORA, FISMA, ISO 27001, and SOX all build on NIST foundations.

Better Security = Better Compliance.

Compliance results in better security for your IBM mainframe to protect against increasingly sophisticated attacks. And better security always results in better compliance. The two reinforce each other.

GDPR is an outcome-based standard. Ignore it at your peril.

The General Data Protection Regulation mandates that organizations implement appropriate technical and organizational measures to ensure the security of personal data. It applies to any organization processing personal data of EU residents, regardless of where the organization is based.

Unlike prescriptive standards, GDPR focuses on achieving specific outcomes. Article 43 suggests compliance groups — PCI, NIST, and ISO 27001 — as foundations for demonstrating appropriate technical measures. Organizations already aligned to these frameworks through CSF have a strong foundation for GDPR compliance.

What sets GDPR apart is enforcement. Penalties reach up to 4% of total worldwide annual revenue. European data regulators issued a record €2.92 billion in fines in a single year, up 168% year-over-year, with Meta the hardest hit (source: Forbes).

Companies affected:

• Amazon — €746 million ($877 million)
• Facebook/Meta — €265 million ($275 million)
• WhatsApp — €225 million ($255 million)
• Google Ireland — €90 million ($102 million)
• British Airways — €22 million ($26 million)

The British Airways fine is particularly relevant because it resulted from a cyber attack — not a data handling policy violation. Regulators apply severe penalties for inadequate technical security measures, not just willful misuse of data.

How MainTegrity CSF addresses GDPR:

• Article 32 — Security of Processing: FIM+ continuously monitors mainframe datasets for unauthorized changes to personal data. When modifications occur, FIM+ detects them immediately through cryptographic signature comparison, generates alerts, and records the event with full attribution — providing the "appropriate technical measures" evidence GDPR requires.
• Article 33 — 72-Hour Breach Notification: When a breach occurs, GDPR gives you 72 hours to notify the supervisory authority with specifics — the nature of the breach, categories of data subjects affected, likely consequences, and measures taken. FIM+ forensics provide this information immediately, not after weeks of manual investigation.
• Article 32 — Recovery Capability: GDPR requires the ability to restore availability and access to personal data in a timely manner. CSF's Restore Assist enables rapid recovery of both data and software infrastructure — because recovering data alone isn't enough. Without the software infrastructure, recovery can take weeks.

NetWatch monitors network connections to detect data exfiltration attempts, providing protection against unauthorized transfer of personal data outside the organization.

References: gdpr-info.eu | ISO 27001 Information Security