Kisco Systems

Kisco U

DORA compliance for EU financial entities running IBM i systems

Home : Kisco U : DORA compliance for EU financial entities running IBM i systems

DORA is a new European Union regulation called the “Digital Operational Resilience Act.” It was adopted in December 2022 and is enforceable as of January 17, 2025.

The full text of the regulation can be found here:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554

Referring to Article 1, Section 1 (p.23) – the stated purpose of the regulation is to govern the digital security of financial entities:

“In order to achieve a high common level of digital operational resilience, this Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities.”

The definition of “financial entity” is found in Article 2 (p.24) and includes banks, credit agencies, payment providers, trading companies and more. 21 types of entities are specified.

IBM i security testing and assessment services as well as monitoring and data protection software from Kisco Systems can help regulated companies comply with DORA.

“a sound and comprehensive digital operational resilience testing programme”

Article 24 (p.45) suggests a base level testing requirement for all regulated entities:

“For the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures, financial entities, other than microenterprises, shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework referred to in Article 6”

Section 6 of the same article states that testing should be an annual activity.

Article 25 specifies “appropriate tests” to comply with the programme. These tests include assessments and penetration testing – services for IBM i that are provided by Kisco Systems.

“The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.”

Article 8, Section 7 (p.32) specifically calls out testing requirements for “legacy” systems, which can include IBM i:

“Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems.”

Threat Led Penetration Testing (TLPT)

Larger entities are subject to an additional testing requirement. There is no clear definition of “larger” – the governing authorities will decide which entities will be subject to this higher level of compliance and the authorities will be involved in the testing process. The additional testing burden is called “Threat Led Penetration Testing” or LTPT. It is defined, in Article 3, section 17 (p.16) as:

“‘threat-led penetration testing (TLPT)’ means a framework that mimics the tactics, techniques and procedures of real- life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems”

A TLTP is a large-scale enterprise test. As such, the testing program could include IBM i security services from Kisco Systems, including pen tests and security assessments.

More information about TLTP:

Detection and Data Protection:

Article 10 (p.33) points to a security monitoring requirement that can be satisfied with Kisco Systems products iEventMonitor, SafeNet and iSecMap:

“Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.”

Article 10 goes on to require the implementation of multiple layers of defense, which on IBM i can include exit point monitoring and control, as well as Multi-factor authentication (MFA):

“The detection mechanisms referred to in paragraph 1 shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response.”

Kisco Systems’ SafeNet, kConnect and i2Pass products can help satisfy the requirements for implementing multiple layers of defense on IBM i.

About Kisco Systems

Kisco Systems is the easiest and most effective way to get and stay secure on IBM i.

IBM i security is a fabric of technologies and business practices encompassing everything from operating system management and disaster recovery to monitoring, data protection, audit and more. Kisco Systems is built to deliver complete solutions with best-in-class software and strategic partnerships, guided by forty years of IBM i expertise.