From compliance to cyber resilience: Aligning with PCI DSS 4.0 and DORA

March 31, 2025

PCI DSS 4.0, finalized in March 2022, goes into full effect on March 31, 2025, and introduces a more flexible, outcome-based approach to securing payment data.

Cybersecurity expectations have changed. Regulatory bodies are no longer just asking organizations to protect data – they’re demanding measurable resilience, accountability, and the ability to adapt to evolving threats. The release of PCI DSS 4.0 and the enforcement of the Digital Operational Resilience Act (DORA) are two clear signals that compliance is no longer enough. These frameworks encourage businesses to adopt a proactive and deeply integrated security posture, one that is not just reviewed annually during audit season. And with the average cost of a data breach rising by 10% in 2024 alone, the financial stakes of falling behind are growing more severe by the day.

For companies that rely on mission-critical infrastructure, such as mainframes, these new expectations are even more urgent. Mainframes power core systems in industries like financial services, healthcare, and government, processing millions of sensitive transactions daily. Yet they are often overlooked in broader enterprise security strategies. That separation is no longer viable: data flows continuously between the mainframe and forward-facing applications, which makes any form of segregation difficult to maintain. Meeting the demands of PCI DSS 4.0 and DORA requires unifying risk management practices across every layer of the business, from cloud to on-prem to mainframe.

Understanding PCI DSS 4.0 and DORA

PCI DSS 4.0, finalized in March 2022 and going into full effect on March 31, 2025, introduces a more flexible, outcome-based approach to securing payment data. Rather than relying on a rigid set of prescriptive controls, the standard enables organizations to tailor their security measures to their specific risk environments. Key changes include expanded multi-factor authentication requirements, increased emphasis on continuous risk assessment, and better integration of security into business-as-usual activities. This flexibility is designed to help organizations build security into their operations more holistically and sustainably.

DORA, enacted by the European Union and effective as of January 17, 2025, focuses specifically on the digital operational resilience of financial institutions and their third-party ICT providers. Its goal is to ensure that these organizations can withstand, respond to, and recover from disruptions to information and communication technology. DORA mandates comprehensive risk management frameworks, robust incident reporting, regular resilience testing, and strict governance over third-party services. It extends beyond traditional IT security to encompass organizational and operational resilience, acknowledging that cyber threats can impact every facet of a digital enterprise.


The Shift from Compliance to Resilience

What sets these regulations apart is the recognition that cybersecurity cannot be reduced to a one-time exercise. Compliance must be continuous and embedded in the organization’s culture and operations. DORA and PCI DSS 4.0 encourage businesses to adopt an iterative approach to security – one that anticipates change, adapts to evolving threats, and prioritizes resilience as much as prevention. This marks a fundamental shift in mindset: from meeting regulatory minimums to ensuring operational continuity in the face of disruption.

Organizations that treat compliance as an annual event risk falling behind. Cyber threats now progress from initial activity to actual intrusion far too quickly for static defenses to be effective. A more strategic approach to compliance, one rooted in adaptability and resilience, is essential for modern enterprises to safeguard not only data but also trust, brand reputation, and long-term success.

Integrating Mainframe Systems into Modern Security Frameworks

Despite their critical role, mainframe systems are frequently siloed from modern cybersecurity frameworks. Yet with 91% of mainframe organizations reporting a data breach in the last five years, it’s clear that even the most resilient infrastructure needs continuous attention. Compounding this concern, research indicates that only 28% of IT leaders are highly confident in their ability to address mainframe vulnerabilities.

As organizations modernize their risk management strategies in response to PCI DSS 4.0 and DORA, mainframes must be fully integrated into those efforts. This includes extending multi-factor authentication to mainframe access points, incorporating mainframe event logs into enterprise-wide SIEM systems, applying centralized vulnerability scanning, and ensuring encrypted communications across all environments. Don't wait for an incident to expose the gaps – unifying these systems needs to happen before the threat arrives.

Building a Scalable Risk Management Strategy

Both regulations call for organizations to adopt scalable, repeatable risk management practices that align with evolving threats. The five core pillars of such a strategy include:

• Vulnerability Management: Continuously scan for vulnerabilities, including those within mainframe environments. Implement automated tools that support code-based and configuration-based scanning, reducing the risk of oversight and improving remediation timelines.

• Business Resilience: Develop disaster recovery and business continuity plans that allow for recovery of critical datasets within hours, not days. This is especially vital for maintaining compliance under DORA, which places strict demands on ICT recovery capabilities.

• Authentication: Enhance access controls with multi-factor authentication across all systems, including those traditionally outside the IAM framework, like mainframes. This mitigates the risk of unauthorized access and supports a zero-trust security model.

• Encryption and Data Privacy: Protect data at rest and in transit with enterprise-grade encryption. Ensure that encryption strategies are consistent across all platforms to support audit readiness and minimize regulatory exposure.

• Incident Response and Recovery: Establish playbooks that detail how your organization responds to specific incident types. Conduct regular simulations and ensure incident reporting workflows meet both PCI DSS and DORA requirements for timeliness and detail.

The Role of Leadership in Cybersecurity

Security is no longer the sole responsibility of IT. Executive leadership, legal, risk, compliance, and operations teams must align around a shared understanding of risk. Boards are increasingly holding CISOs and CIOs accountable for demonstrating not just compliance, but organizational readiness. Scenario planning, tabletop exercises, and cross-functional war room strategies are no longer optional; they’re part of the new security standard.

Effective security leadership requires more than managing tools and policies; it demands a cultural shift in which every stakeholder views security as essential to business continuity and growth. The organizations that are best prepared for PCI DSS 4.0 and DORA are those where leadership drives security, rather than delegating and siloing it.

Futureproofing Through Proactive Security

As new regulations emerge and cyber threats continue to evolve, the ability to anticipate, absorb, and recover from disruptions will define an organization’s success. PCI DSS 4.0 and DORA represent an opportunity to modernize, mature, and strengthen enterprise security.

Businesses that act now to align with these standards will reduce risk and avoid penalties, while also positioning themselves for long-term operational excellence. This shift isn’t about replacing what works – it’s about advancing the systems that already support the most critical parts of the business. By enhancing trusted core infrastructure with modern security practices, organizations can build a resilient foundation that meets today’s regulatory demands and is prepared to adapt to tomorrow’s challenges.

About the Author

Cynthia Overby | Director of Strategic Security Solutions, z Center of Excellence at Rocket Software.

As Director of Strategic Security Solutions at the z Center of Excellence (zCOE), a division of Rocket Software, Cynthia Overby leads the company’s portfolio of mainframe security, cyber defense, and data protection solutions, helping to position Rocket Software as a trusted partner in compliance and risk management. With over 40 years of experience spanning financial services, healthcare, IT, and cybersecurity, Cynthia brings deep expertise in security strategy, executive leadership, and business value realization.

A passionate advocate for women in cybersecurity and diversity in technology, Cynthia serves on the Board of Directors at SHARE, where she spearheaded the Women in IT initiative and continues to mentor and empower emerging female leaders. Throughout her career, she has championed lasting change by driving innovative solutions and fostering leadership development to strengthen the security posture of organizations across industries.