NIS2 and DORA when the company's heart is an IBM i (aka "AS400")
The regulations never name the platform, but the requirements apply — above all — to the system running your ERP, production and invoicing. Good news: IBM i already ships with almost everything you need. Bad news: it must be configured, documented and tested. Here's the checklist.
Why the ERP is in scope
NIS2 covers essential and important entities (manufacturing, logistics, food, chemicals are in), DORA covers finance. Both demand the same substance: risk management, strong authentication, demonstrable business continuity, vulnerability and incident management.
The IBM i system is almost always the company's most critical asset — and paradoxically the least covered by security initiatives, which focus on Windows and cloud. A serious audit starts right there.
The operational checklist
- MFA on privileged access — with IBM i 7.6 it's native in the OS, QSECOFR included. Earlier releases need external tools: one more reason to upgrade.
- Immutable, isolated backup — the 3-2-1-1-0: one copy no compromised credential can encrypt or delete (Safeguarded Copy on IBM Storage, or an external vault).
- Documented restore tests — NIS2 and DORA don't ask you to have backups: they ask you to prove restores work, with measured times. At least 2-4 tests a year, with reports.
- PTFs and vulnerabilities under control — planned security-PTF alignment (we do it quarterly) and a CVE inventory of the estate, HMC and firmware included.
- Segregation and audit journal — least-privilege profiles, guarded exit points, an active and retained audit journal: the evidence inspectors ask for.
- A continuity plan with written RTO/RPO — local high availability (PowerHA or Db2 Mirror), geographic DR and proof the promised numbers are real.
- Monitoring and alerting — who notices a problem at 3 AM? You need a watch (internal or an external NOC) with defined thresholds and escalation.
The most common mistake
Treating compliance as a documentation project. Binders don't stop ransomware: the right sequence is fixing the technical substance (MFA, immutable copies, tests) and generating evidence as a by-product of operations. It's the approach we use with Yocto Vision: monthly reports that already are compliance documentation.
Where to start
With an honest picture: our Free Assessment photographs versions, PTFs, exposure, backup and continuity of your IBM i/Power environment and maps it against NIS2/DORA requirements. Half a day, zero commitment, and you know exactly where you stand.