SECTOR · BANKING & FINANCE

Banks, fintechs and financial services.

The European financial sector operates under DORA (Digital Operational Resilience Act), PCI-DSS for cards, the EBA Guidelines on ICT Risk Management, MiFID II and local central bank regulations. Itamite covers the operational ICT layer: inventory, hardening, immutable audit and auditable remote control that your compliance department can demonstrate to the supervisor.

DORA has applied since January 17, 2025

DORA is directly applicable to banks, insurers, funds, asset managers, crypto platforms, market infrastructures and critical ICT providers. Art. 6 requires an ICT risk management framework, Art. 9 protection, prevention and detection, Art. 10 detection, Art. 11 response and recovery, and Art. 17 incident management with 4h supervisor notification. Without an updated ICT inventory and an operational audit system you can't comply with DORA.

PCI-DSS v4.0 applies to any entity processing, storing or transmitting card data: issuing banks, acquirers, merchants, ISVs, gateways. The relevant requirements are Requirement 2 (hardening configuration), Requirement 6 (patches), Requirement 8 (authentication), Requirement 10 (logs and audit) and Requirement 11 (vulnerability scanning). Itamite covers the in-scope endpoints and servers.

Typical cases: a mid-size bank with 5,000 workstations across branches and HQ; an insurer with 1,500 employees and a broker network; a fintech with 200 engineers and post-funding DORA requirements; an asset manager with 80 staff and EBA requirements from the supervisor.

BANKING USE CASES

What Itamite does for financial entities

ICT inventory for DORA Art. 8

Complete and updated inventory of all ICT assets: hardware, software, dependencies, criticality, location, owner, connections. Itamite generates the "ICT Asset Register" required by DORA with auditable export and change traceability.

PCI-DSS v4.0 Requirement 2 hardening

Pre-configured templates for CIS Benchmarks applied automatically: password policies, disabled services, closed ports, BitLocker/FileVault, EDR antivirus, firewall. Automatic baseline drift detection.

Patch management under SLA

Meets PCI-DSS Req. 6 and DORA Art. 9: critical patches in 30 days, severe in 90 days, normal in 12 months. Itamite automatically reports the compliance window. Exceptions are documented with a CISO-signed justification.

Immutable audit for supervisor

SHA-256 hash-chain impossible to tamper with even by administrators. Every technical action, every remote access, every config change recorded with timestamp and verifiable hash. Ready for supervisor inspections.
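How a SHA-256 hash chain makes an audit trail verifiable, as an added example (not Itamite's code or record format): each record's hash covers the previous record's hash, so editing any entry breaks every later link. The field names, the all-zero genesis value and the sample entries are assumptions constructed for the illustration; the `trusted_head` parameter shows why a verifier also compares against a head hash kept outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first record's "prev" link


def record_hash(prev_hash, entry):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(log, entry):
    """Append an entry linked to the current head and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": record_hash(prev, entry)})
    return log[-1]["hash"]


def verify(log, trusted_head=None):
    """Return (ok, index of first bad record). trusted_head is stored outside the log."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["entry"]):
            return False, i  # entry edited, reordered or relinked at position i
        prev = rec["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(log)  # chain is self-consistent but truncated or rewritten
    return True, None


def build_sample():
    """Constructed sample entries; returns the log and its head hash."""
    log, head = [], GENESIS
    for entry in (
        {"ts": "2025-01-17T09:00:00Z", "actor": "tech01", "action": "remote_session_start"},
        {"ts": "2025-01-17T09:05:12Z", "actor": "tech01", "action": "config_change"},
        {"ts": "2025-01-17T09:20:40Z", "actor": "tech01", "action": "remote_session_end"},
    ):
        head = append(log, entry)
    return log, head


if __name__ == "__main__":
    log, head = build_sample()
    print("intact:", verify(log, head))
    log[1]["entry"]["action"] = "none"  # simulate an in-place edit of a stored record
    print("edited:", verify(log, head))
```

Dropping the last record leaves a chain that still verifies link by link; only the comparison with the separately stored head reveals the truncation.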

Auditable remote access to sensitive environments

Remote sessions to equipment in the PCI/CDE zone with optional recording (SHA-256), mandatory MFA, just-in-time authorization and a minimum of 12 months of audit log retention. Meets PCI-DSS Req. 8 and 10.

DORA Art. 17 incident reporting

When a classifiable ICT incident is detected, Itamite provides a complete forensic timeline: which endpoints were affected, anomalous access patterns, and what technical actions were taken. This is direct material for the 4h supervisor report.

Itamite Finance Program

For Enterprise financial entities: a specific setup including DORA + PCI-DSS + EBA Guidelines templates, training for the compliance department, an annual audit plan with auditor partner support, optional hosting in a PCI-DSS Level 1 certified financial datacenter, native SIEM integration (Splunk, QRadar, Sentinel), 24x7 support with a financial SLA and a prepared supervisor escalation line.

  • Pre-configured DORA Art. 8 ICT Asset Register templates
  • PCI-DSS v4.0 templates (Requirements 2, 6, 8, 10, 11) ready to use
  • Optional hosting in PCI-DSS Level 1 certified datacenter
  • Native SIEM integration (Splunk, QRadar, Microsoft Sentinel, Elastic)
  • 24x7 support with financial SLA (critical incident <15 min)

FAQ

Financial sector questions

Does Itamite cover all of DORA?
Itamite covers DORA's operational ICT layer: Art. 6 (inventory), Art. 8 (asset register), Art. 9 (protection/patches/hardening), Art. 10 (anomaly detection), Art. 17 (forensics for reporting). It doesn't cover non-ICT topics: executive governance, contracts with critical ICT providers, advanced resilience testing (TLPT), penetration testing.

Can I use Itamite in a PCI environment with a CDE?
Yes, Itamite is CDE-compatible. The agent can operate on a controlled software list, without outbound Internet traffic (proxy white-list), with mTLS encryption and full audit. PCI-DSS specific documentation is available under NDA.

Is Itrion a critical ICT provider under DORA?
Itrion is not currently an ICT third-party service provider (CTPP) declared as such by the Commission. But as an ICT services provider, we sign the contract required by DORA Art. 30 with all mandatory clauses: audit right, termination, escalation, exit plan, processing location.

How does it fit with the EBA Guidelines on ICT and Security Risk Management?
The EBA Guidelines are the basis on which DORA is built. Itamite covers the same points: asset inventory, identity and access, change management, incident management, business continuity for ICT, vendor management. The same templates and reports work for both frameworks.

Ready for DORA inspection or PCI audit

Enterprise demo with pre-configured DORA + PCI + EBA templates. Financial SLA and legal BAA are prepared.