When we read headlines about multimillion-dollar fines for negligent data management, it is easy to think, "That won't happen to us." However, recent cases in the US retail sector, such as class-action lawsuits against giants like Walmart or security issues at chains like LensCrafters, have served as a wake-up call worldwide. Although these situations often occur under regulations like the California CCPA, the lesson for Europe and global business is crystal clear: data management is no longer just a technical issue; it is an existential business risk. If we translate this to our current legal framework—including the General Data Protection Regulation (GDPR), the NIS2 Directive, and the DORA Regulation 2022—the scenario becomes even more critical.

From Administrative Fines to Criminal Liability

We are no longer just talking about losing a percentage of global annual turnover, which is already devastating. With the enforcement of the NIS2 Directive, liability is now directly in the boardroom. Executives and the board of directors can face personal and even criminal consequences if negligence in cybersecurity oversight is proven. For a CISO or compliance officer, this changes the game. The question is no longer "how much will the fine be?", but rather "who will answer to the law?". This shift is as significant as the introduction of Sarbanes-Oxley standards (SOX) was for financial reporting.

The Mainframe: The Forgotten Giant in the Room

Here lies the great paradox. Many large retail, banking, and insurance organizations protect their perimeters with next-generation firewalls but neglect the heart of their business: the mainframe. There are still those who view the mainframe as a legacy box. In reality, it is where the most critical data resides (credit card data under the Payment Card Industry Data Security Standard (PCI DSS), personal data under the GDPR, etc.). If we do not apply strict hardening to the LPARs and the z operating system (z/OS), we are leaving the safe open. Achieving PCI DSS compliance requires more than just checking boxes. It involves deep scrutiny, akin to ethical hacking, to ensure the z/OS environment is not the weakest link in your PCI data security standard strategy.

The Need to See to Protect: SIEM and SOC

Compliance with regulations such as the GDPR or the 12 PCI DSS requirements demands the ability to detect and report breaches rapidly. This is impossible if your mainframe environment is a black box to the security team. Integrating mainframe logs into a SIEM (Security Information and Event Management) platform is mandatory. Correlating events in real time allows the SOC team to detect lateral movement or data exfiltration before it becomes a class-action lawsuit.

DATAPASS: Cyclical Auditing vs. The "Snapshot"

Traditional audits, often done for ISO 27001 certification or PCI DSS certification, typically take a "snapshot" once a year. But attackers work every day. To avoid shocks like those in the retail sector, it is necessary to increase both the frequency and the depth of controls. At Bsecure, we advocate for continuous improvement systems like DATAPASS. This cyclical audit service goes beyond a simple stamp of approval or a basic analysis of PCI compliance certification costs.
  • It continuously analyzes the security state of the mainframe.
  • It detects deviations from PCI DSS, GDPR, or DORA in real time.
  • It enables proactive remediation of vulnerabilities rather than reactive fixes.

Conclusion

Ignoring PCI regulatory requirements, the GDPR, or DORA's operational resilience requirements in your central systems is playing Russian roulette with the company's reputation and its executives' freedom. The cost of compliance, whether it is ISO 27001 certification training for individuals or advanced PCI penetration testing, will always be far lower than the cost of a security breach.