PCI DSS 4.0 · EU DORA · EU CRA · FAPI 2.0 · MiCA · SOC 2 Type II · NIST SSDF

Five frameworks. All active. All requiring evidence simultaneously.

PCI DSS. EU DORA. EU CRA. FAPI 2.0. MiCA. X-DLM™ produces evidence for all of them from one governed Black Duck + Siemens Polarion workflow.

FinTech and regulated payment software companies answer to more active regulatory frameworks simultaneously than any other software sector outside of medical devices. PCI DSS governs payment card data. DORA governs ICT resilience. CRA governs software product security. FAPI 2.0 governs open banking API security. MiCA governs crypto asset services. SOC 2 governs operational controls. None of them share a common evidence format.

X-DLM™ connects Black Duck and Siemens Polarion so evidence for all five builds from the same engineering workflow — continuously, not before each audit cycle.

PCI DSS 4.0

Enforced — March 2024

Requirement 6.3.2 — SBOM for open-source components in payment software

PCI DSS 4.0 Requirement 6.3.2 mandates that organizations maintain a documented inventory of all bespoke and custom software containing open-source components in payment applications. This inventory must be reviewed at least annually and updated when software changes occur. Non-conformity consequence: loss of card processing rights. Black Duck generates a continuous, machine-readable SBOM covering all open-source components in payment software — source, binaries, and containers. X-DLM™ links every SBOM component to Polarion release records and routes every component change through governed approval workflows. Source: PCI DSS v4.0 Requirement 6.3.2.

EU DORA

In force — January 17, 2025

Article 9 — ICT supply chain risk management and third-party dependency documentation

EU DORA (Regulation EU 2022/2554) applies to banks, payment institutions, electronic money institutions, investment firms, crypto asset service providers, and other financial entities with EU operations. Article 9 requires documented ICT risk management processes including identification, classification, and management of ICT third-party dependencies — which includes open-source software in production financial systems. Non-conformity consequence: supervisory action and public naming by EBA, ESMA, or EIOPA. X-DLM™ routes every Black Duck third-party dependency finding into Polarion with DORA risk classification and response timelines — producing continuous Article 9 ICT supply chain evidence. Source: DORA Regulation (EU) 2022/2554, Article 9.

EU CRA

Reporting: September 2026 · Full enforcement: December 2027

Machine-readable SBOM and 24-hour exploited vulnerability reporting

EU CRA (Regulation EU 2024/2847) applies to FinTech software products placed on the EU market as Products with Digital Elements — payment platforms, lending software, crypto wallets, RegTech systems. From September 11, 2026, actively exploited vulnerabilities must be reported to ENISA within 24 hours, early warning within 72 hours, final report within 14 days. From December 11, 2027, full product conformity is required — machine-readable SBOM in SPDX or CycloneDX, vulnerability handling processes, and technical documentation. Non-conformity penalty: 2.5 out of 100 of global annual turnover or €15 million plus EU market exclusion. X-DLM™ produces CRA-compliant SBOM and vulnerability disclosure records continuously. Source: EU CRA Regulation (EU) 2024/2847, Articles 13–14, 52.

FAPI 2.0 + Open Banking

Ongoing — Open Banking Canada, UK FCA, EU PSD2 / PSD3

Financial-grade API security and open-source dependency governance for open banking

FAPI 2.0 (Financial-grade API Security Profile) governs API security for open banking platforms across the UK, EU, Canada, and Australia. Open-source OAuth libraries, JWT implementations, and API gateway dependencies are required to implement FAPI 2.0 specifications correctly — and known vulnerabilities in these libraries create direct open banking API security risks. Black Duck identifies open-source dependencies with FAPI 2.0-relevant vulnerabilities and license implications. X-DLM™ governs remediation in Polarion with traceability to FAPI 2.0 specification requirements. Source: FAPI 2.0 Security Profile, Open Banking Canada Standards.

MiCA

In force — December 30, 2024

Article 30 — Operational resilience and ICT security for crypto asset service providers

MiCA (Markets in Crypto-Assets Regulation EU 2023/1114) applies to crypto asset service providers, crypto asset issuers, and electronic money token issuers operating in the EU. Article 30 requires documented operational resilience measures including ICT security policies, incident response, and business continuity plans. MiCA CASP authorization requires demonstrated technical documentation of software security controls. Black Duck governance of open-source dependencies in crypto infrastructure, wallet software, and DeFi integrations produces the technical security evidence MiCA Article 30 requires. X-DLM™ routes findings into Polarion with MiCA classification and approval records. Source: MiCA Regulation (EU) 2023/1114, Article 30.

X-DLM™ evidence mapping for FinTech: PCI DSS 4.0 Req. 6.3.2 — continuous SBOM in Polarion. DORA Article 9 — ICT supply chain risk documentation with ownership and response timelines. EU CRA — machine-readable SBOM in SPDX/CycloneDX + exploited vulnerability disclosure records with ENISA timeline tracking. FAPI 2.0 — open banking API dependency governance with specification traceability. MiCA — ICT security technical documentation for CASP authorization. All from the same Black Duck + Siemens Polarion + X-DLM™ workflow.