Let’s be honest. When you walk into the SOC (Security Operations Center) of a major financial institution or insurance company, the screens are impressive. Heat maps, real-time alerts, analysts monitoring every endpoint... But have you ever wondered if something is missing from that picture? Often, the most critical asset, where 80% of corporate data resides, is conspicuous by its absence. Yes, we are talking about the Mainframe.
For years, there has been a false belief that z/OS (the z operating system) is invulnerable by design: an impregnable black box that does not need the same vigilance as the cloud or distributed servers. They called it "security by obscurity." But reality is stubborn, and today that mindset is a one-way ticket to regulatory and reputational disaster.
The Elephant in the CISO’s Room
For many CISOs, the mainframe remains a great unknown. They know what it is—the company's massive data processing engine—but they are often unaware of its actual security posture.
Here is the problem: if your SIEM (Security Information and Event Management) is not ingesting and correlating mainframe security logs (such as SMF or RACF records), you have a major blind spot. If you leave the mainframe out, your security brain is operating with a partial lobotomy. An attacker could be escalating privileges in your z/OS environment, and your security team wouldn't know until it was too late.
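What "ingesting and correlating mainframe security logs" looks like in practice, as an added example that is not part of the original article: a small correlation routine that parses a constructed, syslog-style rendering of RACF events (ICH408I access-violation messages, plus a simplified command-audit line) and raises two alerts a SIEM rule set should cover, a burst of access violations from one user against system libraries, and the granting of a privileged RACF attribute such as SPECIAL. The one-line event format, the `RACF-CMD` line, the user IDs and the timestamps are all constructed for the example; real SMF type 80 records are binary and would be rendered into fields like these by a SIEM connector.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a simplified one-line rendering of RACF events.
# Real ICH408I messages span several syslog lines; a connector normally
# flattens them before they reach the SIEM.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 ICH408I USER(TSTUSR1) GROUP(DEVGRP) NAME(TEST USER) SYS1.PARMLIB CL(DATASET) INSUFFICIENT ACCESS AUTHORITY
2024-05-01T09:00:07 ICH408I USER(TSTUSR1) GROUP(DEVGRP) NAME(TEST USER) SYS1.LINKLIB CL(DATASET) INSUFFICIENT ACCESS AUTHORITY
2024-05-01T09:00:15 ICH408I USER(TSTUSR1) GROUP(DEVGRP) NAME(TEST USER) SYS1.PROCLIB CL(DATASET) INSUFFICIENT ACCESS AUTHORITY
2024-05-01T09:02:40 RACF-CMD USER(TSTUSR1) CMD(ALTUSER TSTUSR1 SPECIAL)
2024-05-01T10:30:00 ICH408I USER(OPS01) GROUP(OPSGRP) NAME(OPERATOR) PROD.PAYROLL CL(DATASET) INSUFFICIENT ACCESS AUTHORITY
"""

VIOLATION_RE = re.compile(
    r"^(?P<ts>\S+) ICH408I USER\((?P<user>\w+)\) GROUP\((?P<group>\w+)\) .*?"
    r"(?P<resource>[\w.$#@]+) CL\((?P<cls>\w+)\) INSUFFICIENT ACCESS AUTHORITY$"
)
# Hypothetical command-audit line (constructed format, not a real RACF message).
PRIV_CMD_RE = re.compile(
    r"^(?P<ts>\S+) RACF-CMD USER\((?P<user>\w+)\) "
    r"CMD\((?P<cmd>ALTUSER|ADDUSER) (?P<target>\w+) (?P<attrs>.*)\)$"
)
# RACF system-wide attributes whose assignment should always be reviewed.
PRIV_ATTRS = {"SPECIAL", "OPERATIONS", "AUDITOR"}


def parse_events(text):
    """Turn rendered log lines into structured events; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "kind": "violation",
                           "user": m["user"], "resource": m["resource"], "cls": m["cls"]})
            continue
        m = PRIV_CMD_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "kind": "priv_cmd",
                           "user": m["user"], "target": m["target"],
                           "attrs": set(m["attrs"].split()) & PRIV_ATTRS})
    return events


def detect(events, burst_threshold=3, window=timedelta(seconds=60)):
    """Correlate events in time order and return SIEM-style alerts."""
    alerts = []
    violations_by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "violation":
            history = violations_by_user[ev["user"]]
            history.append(ev)
            recent = [e for e in history if ev["ts"] - e["ts"] <= window]
            # Fire once per burst: exactly when the threshold is reached.
            if len(recent) == burst_threshold:
                alerts.append({"rule": "access-violation-burst", "user": ev["user"],
                               "resources": sorted({e["resource"] for e in recent}),
                               "ts": ev["ts"]})
        elif ev["kind"] == "priv_cmd" and ev["attrs"]:
            alerts.append({"rule": "privileged-attribute-granted", "user": ev["user"],
                           "target": ev["target"], "attrs": sorted(ev["attrs"]),
                           "self_granted": ev["user"] == ev["target"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The single violation by `OPS01` produces no alert, which is the point of correlating rather than forwarding every ICH408I message as an incident: the burst rule surfaces a user probing several system libraries in quick succession, and the attribute rule flags the SPECIAL grant (here self-granted) regardless of volume.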
This lack of visibility is critical not just for overall security, but also for specific frameworks such as the Payment Card Industry Data Security Standard (PCI DSS). Achieving PCI DSS compliance requires strict monitoring. If you are processing credit card data on a mainframe but not monitoring it in real time, you are failing to meet the 12 PCI DSS requirements.
NIS2 and DORA: No More Excuses
The regulatory landscape has changed radically. It is no longer just a matter of "best practices"; it is the law. The NIS2 Directive and the DORA Regulation (Digital Operational Resilience Act, 2022) have arrived to raise the bar.
NIS2 requires rigorous and rapid incident notification. But how are you going to report an incident on the mainframe if you aren't even monitoring it? On the other hand, DORA focuses on the digital operational resilience of the financial sector. If your recovery and detection strategy does not explicitly cover the mainframe environment, you are not resilient; you are vulnerable.
And let's not forget the GDPR. A security breach on the mainframe usually exposes millions of customer records. Data protection does not understand platforms; it understands responsibility. Furthermore, for those managing international standards, such as Basel III, Solvency II, or Sarbanes-Oxley (SOX), alignment is impossible without full control over your core data.
From "Snapshot" to Continuous Improvement: The Role of DATAPASS
Traditionally, mainframe security was validated with an annual audit. Someone would come in, take a "snapshot" of the system, and deliver a 300-page PDF report that no one read. The next day, the system changed, and the report became obsolete. This approach is inefficient and increases the company's hidden ISO 27001 certification costs, as manual remediation is expensive and slow.
This model no longer works. The complexity of current threats requires moving from static auditing to cyclical auditing.
This is where the need for services like DATAPASS comes into play. It is not about doing a one-off check, but about implementing a system of continuous improvement. DATAPASS allows you to audit the security status of your infrastructure on a recurring, automated basis. It detects configuration deviations, z/OS vulnerabilities, or hardening weaknesses before they become a compliance issue or fail a PCI DSS certification audit.
Hunting the Invisible: FIM and Threat Hunting vs. Real Threats
Reactive security is no longer enough. That is why DATAPASS incorporates critical proactive functionalities such as FIM (File Integrity Monitoring) and advanced Threat Hunting capabilities. These tools are designed to detect subtle changes and anomalous behaviors that are often overlooked by traditional controls but are the prelude to a major attack.
History has taught us that the mainframe is not invulnerable. Serious incidents, such as the infamous Logica/Nordea breach carried out years ago by members of the Pirate Bay group against major technology and banking providers, demonstrated that with the right credentials and by exploiting careless configurations, an intruder can reach the heart of the financial system.
Our service doesn't just seek "paper compliance"; it seeks to identify those backdoors or integrity alterations in critical libraries that a sophisticated attacker would use. Integrating this intelligence into your cybersecurity strategy—combining ethical hacking principles with automated oversight—is the only way to ensure your z/OS stops being the blind spot and becomes the most secure bastion of your organization.
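The File Integrity Monitoring mentioned in the previous section, and the "integrity alterations in critical libraries" named here, come down to the same mechanism: keep a trusted baseline of member hashes for a critical library and compare it against the live state on every cycle. The following is an added example, not DATAPASS code or the author's own; the library members, their contents and the severity rule are constructed. Member names such as PROG00 and IEFSSN00 are real SYS1.PARMLIB conventions, but the contents shown are simplified samples.

```python
import hashlib

# Constructed baseline of a critical library: member name -> content bytes.
# A real FIM tool would read PDS/PDSE members and keep the baseline on a
# system the monitored LPAR cannot update.
BASELINE_MEMBERS = {
    "IEFSSN00": b"SUBSYS SUBNAME(JES2) PRIMARY(YES)\n",
    "PROG00":   b"APF ADD DSNAME(SYS1.LINKLIB) VOLUME(SYSRES)\n",
    "IKJTSO00": b"AUTHCMD NAMES(LISTBC SEND)\n",
}

# Constructed "current" state: PROG00 gained an APF entry, IKJTSO00 is gone,
# and an unexpected member appeared.
CURRENT_MEMBERS = {
    "IEFSSN00": b"SUBSYS SUBNAME(JES2) PRIMARY(YES)\n",
    "PROG00":   (b"APF ADD DSNAME(SYS1.LINKLIB) VOLUME(SYSRES)\n"
                 b"APF ADD DSNAME(USER.TOOLS) VOLUME(WORK01)\n"),
    "NEWMOD":   b"constructed member not present in the baseline\n",
}

# Member-name prefixes whose change affects system integrity directly
# (APF list, subsystem definitions, authorized TSO commands). Constructed rule.
CRITICAL_PREFIXES = ("PROG", "IEFSSN", "IKJTSO", "IEASYS")


def snapshot(members):
    """Hash every member so the baseline stores digests, not contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in members.items()}


def diff_snapshots(baseline, current):
    """Compare two digest maps and classify each member change."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(name for name in baseline.keys() & current.keys()
                      if baseline[name] != current[name])
    changed = added + removed + modified
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        # Any change to an integrity-relevant member is escalated, so a new
        # APF entry or a vanished authorization member is never "just a diff".
        "high_severity": sorted(n for n in changed if n.startswith(CRITICAL_PREFIXES)),
    }


def fim_report(baseline_members, current_members):
    """Full cycle: hash the live library and diff it against the stored baseline."""
    return diff_snapshots(snapshot(baseline_members), snapshot(current_members))


if __name__ == "__main__":
    for key, value in fim_report(BASELINE_MEMBERS, CURRENT_MEMBERS).items():
        print(f"{key}: {value}")
```

Storing digests rather than member contents keeps the baseline small and avoids copying sensitive parameters off the system; the comparison still catches a single-line addition to PROG00 because any byte change alters the SHA-256 digest. Which members count as high severity is a policy decision per installation, and the prefix list above is only a starting point.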
By Ángel Gómez, CEO of Bsecure – The Mainframe & Security Company