What New Regulation and DORA Mean for Mainframe Security

John Crossno

October 30, 2023

Digital transformation initiatives reshape and redefine the way businesses operate, ultimately creating greater efficiency and optimization. But innovation also invites security risks and IT vulnerabilities. For well over a decade, governments have been enacting regulations to ensure companies are keeping information, including the information they have on their customers, safe.

Earlier this year, a new piece of regulation in the European Union (EU) was introduced to ensure that financial services firms have the necessary safeguards in place to mitigate security risks. This regulation, known as the Digital Operational Resilience Act (DORA), will have major implications that extend far beyond financial services, meaning that businesses across the globe will need to ensure they have the right tools to maintain compliance moving forward.

This also has consequences for the mainframe. Let’s explore what it all means—and what organizations can do to ensure they’re ready for DORA.

A Closer Look at DORA

DORA is a major new regulation that financial services firms (think banks, insurance companies, etc.) in the EU must comply with by January 2025. DORA is intended to build digital operational resilience among financial firms by laying out a set of guidance for detection, protection, recovery, containment, and repair capabilities related to Information and Communications Technology (ICT) incidents. DORA means that businesses are now held accountable for their entire IT environment, from on-prem storage to cloud, hybrid cloud, and everything in between. No matter the format, firms need to be able to show they are capable of handling an ICT-related security incident or disaster.

In an effort to establish a consistent and common level of digital operational resilience among financial firms, DORA breaks down five specific focus areas relating to the security of network and information systems:

  • ICT risk management – This guidance establishes a standard framework for what organizations should do in response to an ICT security incident.
  • Reporting of major ICT-related incidents – Regulation defines how organizations will need to classify and report ICT-related security incidents moving forward.
  • Digital operational resilience testing – Sets out guidance for testing of existing recovery strategies to identify potential vulnerabilities.
  • Information and intelligence sharing – Requires businesses to engage in information sharing around cyber threats and vulnerabilities as they’re identified.
  • Management of ICT third-party risk – Tasks firms with ensuring that any third-party vendor is aligned with their security and digital resilience capabilities.

DORA and the Mainframe

Although DORA is intended for the financial system, it has massive implications far beyond that sector. DORA extends its requirements to any third-party provider of ICT services for financial services organizations, meaning companies worldwide, whether they’re a bank or an IT service provider, need to maintain compliance as well. The data that DORA intends to protect, more often than not, exists on the mainframe, meaning mainframe environments too will need to be ready to meet these new requirements.

It’s not enough to simply react to security incidents or disasters with recovery capabilities. The focus for businesses now needs to turn inward and look more closely at where internal vulnerabilities lie, in order to avoid disaster.

As businesses navigate changes under DORA, it’s crucial they find the right security solutions and partners to build digital operational resilience. One of the most important parts of building that digital resiliency centers around how well a business can recover from a security breach or incident. Rocket Software’s Data Recovery Manager makes it possible to centralize backup and recovery of critical application data and surgically restore data from tapes. The solution also includes Data Recovery for Dell zDP, which gives administrators even more control, enabling granular, point-in-time recovery.

Recovery capabilities alone are not enough to come into compliance with DORA. Businesses will need a heightened level of awareness of their internal vulnerabilities. Even if a business gets its systems recovered quickly, the vulnerabilities that made the breach possible may remain in the newly recovered data. Looking past the recovery component of DORA, the regulation’s focus on third-party vendors will also have an impact on the burgeoning use of open-source software. Working with a trusted, known source of this software will be a key part of compliance moving forward.

Businesses will need to take a much closer look at the IT environments they utilize. Having acquired Key Resources, Inc. earlier this year, Rocket Software brings even more security expertise to its customers, helping to implement critical tools like z/Assure Vulnerability Analysis Program for vulnerability scanning at the z/OS operating system layer in addition to existing solutions that support areas like multifactor authentication (MFA). Rocket Software’s domain expertise provides IT leaders with the resources necessary to get proactive about spotting vulnerabilities on the mainframe and ensuring they are dealt with before a breach can occur.

Learn more about how Rocket Software can help you modernize without disruption.