
PCI DSS evidence should build itself. Not scramble before a QSA assessment.
One governed system. PCI DSS, DORA, CRA, SOC 2, and MiCA evidence produced continuously — not assembled under time pressure before every audit cycle.
FinTech compliance teams carry the most multi-framework documentation burden in financial services. PCI DSS Requirement 6.3.2 SBOM is manually assembled pre-assessment. DORA Article 9 ICT supply chain documentation is reconstructed before supervisory review. EU CRA vulnerability disclosure records are a new obligation most compliance teams have not yet operationalized. SOC 2 change control evidence is a spreadsheet. MiCA technical documentation is still being interpreted.
X-DLM™ makes all of it a byproduct of how your engineering team already works — not an emergency before every audit and regulatory cycle.
and
Five active FinTech regulatory frameworks. One governed workflow that produces evidence for all of them.
Active FinTech regulatory frameworks requiring open-source governance evidence: PCI DSS 4.0, EU DORA, EU CRA, SOC 2 Type II, and MiCA. X-DLM™ produces evidence for all five from one governed Black Duck + Polarion workflow.
PCI DSS 4.0 Requirement 6.3.2 — maintain an inventory of all bespoke and custom software containing open-source components. Must be maintained and reviewed at least annually. Black Duck makes it continuous.
EU CRA exploited vulnerability reporting obligation from September 2026: ENISA notification within 24 hours of discovery of an actively exploited vulnerability in a FinTech software product.
EU DORA in force date — not a future deadline. Every FinTech with EU operations has been subject to DORA ICT risk management requirements since January 17, 2025. Evidence must exist now.
Sources: PCI DSS v4.0. EU DORA. EU CRA. SOC 2 TSC 2017. MiCA Regulation (EU) 2023/1114.
Continuous evidence, not pre-audit reconstruction — across every FinTech framework at once.
- 01
PCI DSS 4.0 Req. 6.3.2 SBOM — continuous inventory, not pre-QSA sprint
PCI DSS 4.0 Requirement 6.3.2 mandates a documented inventory of all open-source components in payment applications, reviewed at least annually and updated when changes occur. Black Duck maintains this inventory continuously across source, binaries, and containers. X-DLM™ links every SBOM component to Polarion release records and routes every component change through governed approval workflows. QSA assessors receive a current, auditable inventory — not a pre-assessment reconstruction that doesn't reflect production.
- 02
EU DORA Article 9 ICT supply chain evidence — continuous, not pre-review
DORA Article 9 requires documented identification, classification, and management of ICT risks including third-party software dependencies. Compliance teams must demonstrate ongoing ICT supply chain risk management — not a point-in-time audit response. X-DLM™ routes every Black Duck third-party dependency finding into Polarion with DORA risk classification, ownership assignment, response timelines, and approval history. DORA ICT supply chain evidence exists in Polarion before any EBA, ESMA, or EIOPA supervisory review.
- 03
EU CRA vulnerability disclosure records — 24-hour ENISA reporting readiness
From September 11, 2026, EU CRA requires FinTech software manufacturers to report actively exploited vulnerabilities to ENISA within 24 hours, provide an early warning within 72 hours, and submit a final report within 14 days. Black Duck BDSA advisories flag actively exploited vulnerabilities with exploit evidence. X-DLM™ routes each BDSA advisory flagged as exploited into a Polarion priority workflow with ENISA reporting deadline tracking and timestamped disclosure records — so the 24-hour reporting obligation is a managed process, not a crisis response.
- 04
SOC 2 Type II change control and MiCA technical documentation
SOC 2 Type II Change Management controls require documented change approval, testing, and rollback procedures for production systems handling financial data. Black Duck findings that affect production open-source components trigger change control obligations. X-DLM™ routes every Black Duck-identified change through Polarion change control workflows with approval chain, testing evidence, and rollback documentation. For MiCA-regulated crypto asset service providers, X-DLM™ produces the technical documentation of software governance controls required under Article 30 operational resilience obligations.
See how Siemens Polarion and Black Duck become one governed software risk workflow.
X-DLM™ turns Black Duck software supply chain intelligence into Siemens Polarion work items, requirements links, approvals, escalation paths, and continuously maintained evidence.
Brand authority buyers recognize
Backed by Siemens lifecycle governance and Black Duck AppSec intelligence.

Siemens Polarion ALM
Polarion provides the lifecycle system of record for requirements, tests, approvals, traceability, workflow automation, audit evidence, and regulated software delivery.

Black Duck Software Composition Analysis
Black Duck identifies open source and third-party components across source, binaries, containers, firmware, snippets, AI-generated code, and C/C++ environments without package managers.
Medical device companies answer to more than one framework — simultaneously.
FDA Section 524B is the floor, not the ceiling. IEC 62304, EU MDR, ISO 14971, HIPAA, and NIST SSDF run in parallel — each with its own evidence requirements, its own submission deadline, and its own consequence for missing components.
View FDA 524B, IEC 62304 & All Regulations →Turn software risk evidence into FinTech trust.
Download the brochure or book a discovery call to see how X-DLM™ connects Siemens Polarion and Black Duck for governed software supply chain evidence.