How to prepare your IBM z/OS mainframe infrastructure for full DORA compliance
The Digital Operational Resilience Act (DORA) is transforming the way European financial institutions and critical infrastructure organizations manage technology risk. Triggered by repeated large-scale cyber incidents and IT outages, DORA was introduced to ensure organizations remain resilient, even under severe digital disruption. While cloud and distributed systems often take center stage in discussions, mainframes—particularly IBM z/OS—are central to mission-critical operations and must be included in compliance strategies.
Mainframes power the majority of financial transactions, including payment flows, insurance claims, customer data management, and even state-level records. Failing to integrate mainframes into DORA compliance planning leaves significant regulatory, operational, and reputational gaps.
Organizations must therefore adopt a proactive approach that combines operational resilience, robust risk management, continuous monitoring, and automation. By embedding these practices into the mainframe environment, institutions can reduce compliance friction while strengthening security and operational efficiency.
Understanding DORA pillars relevant to mainframes
DORA outlines five pillars critical for operational resilience. Each pillar has specific implications for mainframe infrastructure, which organizations must address to ensure compliance.
ICT risk management
Effective ICT risk management requires that organizations actively monitor, evaluate, and mitigate threats specific to mainframes:
- Configuration monitoring: Track RACF, ACF2, and Top Secret configurations to detect unauthorized access, privilege escalation, or inactive accounts.
- Encryption coverage: Validate encryption of sensitive datasets and ensure robust cryptographic key management.
- Key Risk Indicators (KRIs): Monitor the number of unused privileged IDs, datasets without audit logging, and ratios of encrypted vs. unencrypted sensitive datasets.
By implementing these measures, institutions demonstrate to regulators that risks are not only identified but actively controlled and managed.
Incident reporting
DORA mandates 24-hour reporting for severe ICT incidents, including those impacting mainframes:
- SMF logs provide essential forensic evidence for incident classification and reporting.
- Automated log monitoring ensures that incidents are detected and reported in real time.
- Integration with the Security Operations Center (SOC) allows for coordinated response and accurate documentation.
Without structured monitoring and automation, meeting DORA’s tight reporting deadlines becomes almost impossible.
Digital operational resilience testing (DORT)
Mainframes must undergo Threat-Led Penetration Testing (TLPT):
- Simulate realistic cyberattacks targeting RACF, JES2, OMVS, and batch job processing.
- Validate operational resilience under stress and identify hidden vulnerabilities, such as dormant privileged accounts or misconfigured exits.
- Testing must be isolated from production to prevent disruption while maintaining authenticity of attack scenarios.
DORT ensures the mainframe can sustain critical business functions even under adverse conditions.
Third-party risk management
Third-party providers often manage aspects of mainframe operations. DORA requires:
- Documentation of all third-party components, including monitoring tools, exit routines, and security modules.
- Assessment of vendor patching, configuration, and security practices.
- Contracts mandating cooperation in audits and incident response.
- Recognition that the organization remains accountable, not the vendor.
This shifts the focus from outsourcing risk to proactive vendor oversight.
Information sharing
DORA emphasizes industry-wide learning:
- Lessons learned from mainframe incidents must be shared across the EU financial ecosystem.
- This ensures broader operational resilience, helping prevent repeat incidents and improving overall cybersecurity posture.
Conduct a baseline security and compliance audit
A baseline audit establishes the starting point for mainframe compliance, revealing gaps and opportunities for remediation.
Review mainframe configurations
A thorough review of mainframe configurations is essential to ensure robust security and DORA compliance. This includes evaluating RACF, ACF2, and Top Secret setups to detect excessive privileges, dormant accounts, and any misconfigurations that could expose the system to unauthorized access. By systematically analyzing user roles, permissions, and access patterns, organizations can identify potential points of abuse and implement corrective measures, thereby reducing the risk of insider threats and maintaining the integrity of mission-critical operations.
Assess logging and monitoring
Effective logging and monitoring are critical for both operational resilience and regulatory compliance. SMF records—particularly types 80, 230, and 42—must be evaluated for completeness, accuracy, and retention. Dataset-level logging should be implemented to track all modifications to critical data, ensuring a clear audit trail of user actions and system changes. Integrating automated log aggregation and analysis not only facilitates rapid detection of anomalies but also supports forensic readiness, providing a reliable evidentiary basis for incident reporting under DORA.
Identify critical assets
Identifying and classifying critical assets within the mainframe environment allows organizations to focus security efforts where they matter most. This process involves mapping datasets, applications, and other mission-critical resources that underpin essential business functions, such as payment processing, insurance claims, and customer data management. By understanding the importance and sensitivity of each asset, organizations can prioritize remediation, enhance monitoring, and ensure that risk mitigation strategies are aligned with the potential impact on operations and regulatory obligations.
Map controls against standards
Once configurations, logging, and critical assets are assessed, it is crucial to map existing controls against recognized security frameworks, such as ISO 27001, STIG, and CIS Benchmarks. This comparison identifies gaps, including datasets with universal access, missing audit trails, or inconsistent encryption coverage, which could compromise compliance and security. Addressing these gaps through targeted policies, control adjustments, and continuous monitoring ensures that the mainframe environment aligns with both best practices and the stringent requirements mandated by DORA.
Strengthen vulnerability and access management
Vulnerability management is the cornerstone of mainframe security:
- Conduct regular scans for code, configuration, and open-source vulnerabilities.
- Implement multi-factor authentication, robust access controls, and segregation of duties.
- Validate encryption coverage for sensitive datasets and communications.
- Perform annual penetration testing, emphasizing RACF, JES2, OMVS, and privileged accounts.
This ensures proactive mitigation of both technical and operational risks.
Implement continuous monitoring and automated auditing
Continuous auditing is required to demonstrate ongoing control effectiveness under DORA.
Weekly configuration and access reviews
- Track privileged users (SPECIAL, OPERATIONS, AUDITOR) across LPARs.
- Detect anomalies in dataset access or RACF rule changes in real time.
- Continuous monitoring ensures rapid identification of risks.
Integration with SOC and GRC
- Feed mainframe alerts into enterprise SOC dashboards.
- Generate automated, time-stamped audit evidence ready for regulator review.
- Reduce audit preparation time and maintain enterprise-level compliance alignment.
Benefits over manual approaches
Automated monitoring improves compliance and efficiency compared to traditional manual audits. It provides real-time anomaly detection, time-stamped evidence, and integrated reporting, reducing human effort and increasing confidence in meeting regulatory requirements like DORA.
| Aspect | Automated Monitoring | Manual Audits |
|---|---|---|
| Audit frequency | Continuous, weekly | Point-in-time, annual |
| Evidence | Time-stamped, regulator-ready | Manual collection, high effort |
| Detection | Real-time anomalies | Delayed detection |
| Reporting | Integrated dashboards | Fragmented reporting |
| Compliance confidence | High | Moderate |
Prepare for resilience and penetration testing
DORA mandates mainframe resilience validation:
- Identify infrastructure boundaries and external system connections.
- Simulate attack scenarios: TSO brute-force, RACF privilege escalation, lateral movement via batch jobs.
- Engage ethical hackers with z/OS specialization.
- Test in isolated or controlled environments to avoid production disruption.
- Addressing findings like dormant privileged accounts or datasets with universal access strengthens operational resilience.
Manage third-party risk in mainframe context
- Document all integrated components: monitoring tools, security modules, exit routines.
- Evaluate vendor patching, configuration, and security practices.
- Contracts must enforce cooperation in compliance audits and incident response.
- Maintain organizational accountability, even for outsourced services.
Generate and maintain compliance evidence
Regulators require continuous, reproducible, and verifiable evidence:
- Archive weekly audit results for all LPARs.
- Maintain dashboards tracking compliance trends over time.
- Provide time-stamped, regulator-ready reports for inspections.
- Automate evidence generation using Bsecure DataPASS to reduce operational effort.
Mainframe compliance checklist
Automated monitoring improves compliance and efficiency compared to traditional manual audits. It provides real-time anomaly detection, time-stamped evidence, and integrated reporting, reducing human effort and increasing confidence in meeting regulatory requirements like DORA.
| Pillar | Key Actions | Notes |
|---|---|---|
| Gap Analysis | Evaluate current compliance, map mainframe controls | Use DataPASS Flash1 |
| Vulnerability & Access | Scans, MFA, encryption validation, penetration testing | Emphasize RACF, JES2, OMVS |
| Incident Response & Recovery | Automated playbooks, SOC integration, RTO-compliant recovery | Continuous readiness |
| Resilience Testing | TLPT, stress tests, continuity simulations | Controlled, isolated environments |
| Third-Party Governance | Document components, evaluate vendors, enforce contracts | Maintain organizational accountability |
| Evidence & Reporting | Dashboards, automated reports, time-stamped evidence | Continuous compliance documentation |
| Compliance Culture | Training for personnel and executives, management support | Ensure sustainable adherence |
Achieving proactive DORA compliance
DORA compliance is more than a regulatory obligation; it is a strategic advantage. By combining baseline audits, continuous monitoring, automated evidence, penetration testing, and third-party oversight, organizations transition from reactive to proactive compliance.
Mainframes, managed correctly, become resilient, secure, and fully DORA-compliant assets, supporting operational resilience, regulatory assurance, and competitive advantage.
Start now. Audit once. Comply continuously.