PCI DSS 4.0 · EU DORA · EU CRA · FAPI 2.0 · MiCA · SOC 2 Type II · NIST SSDF
Five frameworks. All active. All requiring evidence simultaneously.
PCI DSS. EU DORA. EU CRA. FAPI 2.0. MiCA. X-DLM™ produces evidence for all of them from one governed Black Duck + Siemens Polarion workflow.
FinTech and regulated payment software companies answer to more active regulatory frameworks simultaneously than any other software sector outside of medical devices. PCI DSS governs payment card data. DORA governs ICT resilience. CRA governs software product security. FAPI 2.0 governs open banking API security. MiCA governs crypto asset services. SOC 2 governs operational controls. None of them share a common evidence format.
X-DLM™ connects Black Duck and Siemens Polarion so evidence for all five builds from the same engineering workflow — continuously, not before each audit cycle.
PCI DSS 4.0
Enforced — March 2024Requirement 6.3.2 — SBOM for open-source components in payment software
PCI DSS 4.0 Requirement 6.3.2 mandates that organizations maintain a documented inventory of all bespoke and custom software containing open-source components in payment applications. This inventory must be reviewed at least annually and updated when software changes occur. Non-conformity consequence: loss of card processing rights. Black Duck generates a continuous, machine-readable SBOM covering all open-source components in payment software — source, binaries, and containers. X-DLM™ links every SBOM component to Polarion release records and routes every component change through governed approval workflows. Source: PCI DSS v4.0 Requirement 6.3.2.
EU DORA
In force — January 17, 2025Article 9 — ICT supply chain risk management and third-party dependency documentation
EU DORA (Regulation EU 2022/2554) applies to banks, payment institutions, electronic money institutions, investment firms, crypto asset service providers, and other financial entities with EU operations. Article 9 requires documented ICT risk management processes including identification, classification, and management of ICT third-party dependencies — which includes open-source software in production financial systems. Non-conformity consequence: supervisory action and public naming by EBA, ESMA, or EIOPA. X-DLM™ routes every Black Duck third-party dependency finding into Polarion with DORA risk classification and response timelines — producing continuous Article 9 ICT supply chain evidence. Source: DORA Regulation (EU) 2022/2554, Article 9.
EU CRA
Reporting: September 2026 · Full enforcement: December 2027Machine-readable SBOM and 24-hour exploited vulnerability reporting
EU CRA (Regulation EU 2024/2847) applies to FinTech software products placed on the EU market as Products with Digital Elements — payment platforms, lending software, crypto wallets, RegTech systems. From September 11, 2026, actively exploited vulnerabilities must be reported to ENISA within 24 hours, early warning within 72 hours, final report within 14 days. From December 11, 2027, full product conformity is required — machine-readable SBOM in SPDX or CycloneDX, vulnerability handling processes, and technical documentation. Non-conformity penalty: 2.5 out of 100 of global annual turnover or €15 million plus EU market exclusion. X-DLM™ produces CRA-compliant SBOM and vulnerability disclosure records continuously. Source: EU CRA Regulation (EU) 2024/2847, Articles 13–14, 52.
FAPI 2.0 + Open Banking
Ongoing — Open Banking Canada, UK FCA, EU PSD2 / PSD3Financial-grade API security and open-source dependency governance for open banking
FAPI 2.0 (Financial-grade API Security Profile) governs API security for open banking platforms across the UK, EU, Canada, and Australia. Open-source OAuth libraries, JWT implementations, and API gateway dependencies are required to implement FAPI 2.0 specifications correctly — and known vulnerabilities in these libraries create direct open banking API security risks. Black Duck identifies open-source dependencies with FAPI 2.0-relevant vulnerabilities and license implications. X-DLM™ governs remediation in Polarion with traceability to FAPI 2.0 specification requirements. Source: FAPI 2.0 Security Profile, Open Banking Canada Standards.
MiCA
In force — December 30, 2024Article 30 — Operational resilience and ICT security for crypto asset service providers
MiCA (Markets in Crypto-Assets Regulation EU 2023/1114) applies to crypto asset service providers, crypto asset issuers, and electronic money token issuers operating in the EU. Article 30 requires documented operational resilience measures including ICT security policies, incident response, and business continuity plans. MiCA CASP authorization requires demonstrated technical documentation of software security controls. Black Duck governance of open-source dependencies in crypto infrastructure, wallet software, and DeFi integrations produces the technical security evidence MiCA Article 30 requires. X-DLM™ routes findings into Polarion with MiCA classification and approval records. Source: MiCA Regulation (EU) 2023/1114, Article 30.