In January 2025, the European Union's Digital Operational Resilience Act (DORA) came into application. If you're an MSP with clients in the financial services sector, they will likely be turning to you for help with DORA compliance.
So, where should you begin? In this article, we provide some pointers for MSPs operating in the EU whose clients might be affected by DORA. Read on to learn:
- What DORA is
- What DORA means for your own MSP business
- How to help financial services (FS) clients comply with DORA
What is DORA?
The Digital Operational Resilience Act is an EU regulation that applies to financial entities operating within the bloc.
The purpose of DORA is to improve the cyber resilience of the entire European financial system by reducing the risk of breaches and disruption. It does this by requiring entities to:
- Implement an ICT risk management framework, with documented policies that are reviewed and kept current
- Report major ICT-related incidents to the relevant authorities within the prescribed deadlines
- Conduct regular digital operational resilience testing
- Manage and monitor the risk posed by third-party Information and Communications Technology (ICT) providers
- Share cyber threat intelligence with the authorities and the wider financial services industry
DORA is broad. It covers companies of all sizes and most kinds of financial services:
- Major banks
- Credit institutions
- Insurers
- Brokers
- Fintech startups
- Financial advisors, etc.
Critically, DORA also reaches these companies' ICT providers. Financial entities must impose contractual and monitoring requirements on the hardware, software and cloud services companies they depend on, and providers designated as critical come under direct oversight by the European supervisory authorities. Managed Service Providers (MSPs) are squarely in scope. If you offer services to finance businesses in Europe, you will likely need to meet requirements that flow down from DORA.
What DORA means for your MSP business
In a recent online Q&A, Heimdal’s Jacob Hazelbaker described a common scenario facing MSPs when new regulations such as DORA come in.
An MSP’s client will typically email them in a panic, saying:
'Hey, suddenly we're required to have patching', or 'We're required to have ransomware encryption protection, and we've got to have it as soon as possible. You're our MSP, please help us out.'
DORA definitely isn't 'new': it entered into force in January 2023, so your FS customers have had a couple of years to make sure they're compliant. But as anyone who's ever worked at an MSP knows, clients sometimes wait until the last minute before acting, and before calling you for help.
So, what does this mean for you and how can you help clients comply with DORA?
Work out how DORA affects you
Before your MSP business can even begin helping your clients comply with DORA, you need to understand how it affects your own company.
As mentioned above, if you offer any kind of third-party ICT service to an FS business in Europe, then it’s extremely likely you’ll be affected by DORA too. You therefore need to familiarize yourself with the regulation and ensure you comply.
As an MSP, you should already be following good security practice. But it's worth checking everything again:
- Make sure you're not the weak link: You need defense in depth, zero trust policies, automated patch management, regular threat hunting and other advanced security controls in place.
- Have a policy for reporting breaches: If you do ever get breached, you need a plan for how you'll respond and how you'll report the incident. Your FS clients face tight reporting deadlines to their regulators under DORA, so they need to hear from you quickly; make notification of affected clients part of your incident response plan.
- Review and (potentially) renegotiate client contracts: DORA prescribes minimum contractual provisions for ICT service agreements (such as service descriptions, data locations, incident assistance and exit arrangements), so expect clients to push these into your contracts. Review your contracts with FS clients to clarify what services you offer and their limits, and clearly state responsibilities and expectations with regards to DORA compliance.
- Assess the risk of servicing this sector: If you have very few FS clients, or if you don't feel confident in your capacity to support them with DORA compliance, it's sensible to assess the risk of continuing to serve this sector. For most MSPs, continuing will be worth it. But it's always worth asking whether you're taking on unnecessary risk by working with this highly regulated industry.
Learn how to help FS clients comply with DORA
Every FS firm is different, and the way DORA impacts them is likely to be unique. Many companies will already have high security standards and so the changes they need to make will be minor (this is, after all, a sector that’s a major target for cyber criminals). But others will need more support and handholding to achieve DORA compliance.
Here are some ways your MSP can help.
Anticipate your clients’ needs
In Heimdal’s recent Q&A, Jacob said:
'One piece of advice I would give to an MSP in regard to their compliance strategy is simply prepare for the future, not only for what you know is ahead, but what you think possibly could happen.'
As DORA comes into effect, MSPs should be looking for potential risks facing their FS clients and developing solutions. This can take on a variety of forms, including:
- Providing training around DORA compliance
- Creating DORA compliance checklists
- Offering DORA compliance audits
Offer DORA compliance gap analysis
A DORA compliance gap analysis will identify weaknesses and areas where your FS clients may be non-compliant, so they can be addressed before they attract a penalty.
Even if a client does get breached, being able to demonstrate that they conducted a gap analysis and acted on it shows auditors they made a genuine effort to comply. That could reduce the size of the penalties they face.
Add-on services that support compliance
Some FS firms will need additional support to achieve compliance with DORA. This represents a real opportunity for MSPs to add value with new services. These may include:
- Compliance reporting solutions
- Penetration testing and threat hunting
- Upgrading access management
- Enhancing endpoint security
- Rolling out encryption technologies
- Automated patch and asset management
Keep communicating with clients
It's important to keep communicating with your clients about DORA compliance, about any risks you've identified, and about how they can be addressed.
There are a couple of reasons for doing this.
First, it’s just good practice – as an MSP, your business should be working to help clients reduce their risk and be safe.
But there's also a more hard-nosed reason. If you have provided regular, written advice about what clients need to do to comply with DORA, this gives you a defence should they ever be breached.
DORA brings MSPs and other IT suppliers into the sights of regulators. The reality is that any company facing a fine for non-compliance might look to pass the blame onto its suppliers. If they can claim you failed to provide adequate guidance, you could end up taking the fall.
Talking to Heimdal in a recent webinar, compliance expert Larisa Mihai explained why you should put all correspondence and advice into email:
If you provide services for a company and they are being breached because they didn’t take your advice, as long as you can prove that you provided the advice, you are safe.
A unified cybersecurity platform for MSPs
Heimdal’s unified cybersecurity platform is designed to help your MSP business support financial services customers with their DORA compliance needs.
This solution comes preloaded with compliance reporting tools that you can run on various systems. These tools can then monitor entire environments, and automatically produce reports that demonstrate compliance with regulations such as DORA.
Heimdal’s platform approach also means you have access to a single, centralised dashboard where you can monitor all your customers’ environments, conduct gap analysis and identify any potential breaches in time. As an MSP you can then add-on further security tools to enhance your service offering for your clients.
For example, if you have an FS client who realises they also need encryption protection to comply with DORA, our modular XDR platform allows you to add on tools at the click of a button. Rather than having to go to market to find a suitable tool, our unified platform approach means you can find all you need in one place.
Want to see how our unified platform can help your MSP support financial services clients with DORA compliance? Contact us today for a demo.
Frequently asked questions about DORA compliance
We answer your FAQs about what DORA means for MSPs.
Does DORA affect my MSP?
If you provide IT support to any financial services business that is based in (or operates within) the EU, then your MSP is likely to be affected by DORA. You will need to assess your own compliance with the regulation and may need to advise clients on how they can comply.
Why does DORA apply to MSPs?
MSPs often provide vital technology advice, software and IT management to financial services businesses. DORA recognises that breaches often begin inside the IT 'supply chain'. It therefore requires FS firms to manage the risk from their ICT providers through contracts and ongoing monitoring, and it places the most critical providers under direct supervisory oversight, so those suppliers end up having to meet security standards comparable to the FS firms they serve.
For example, imagine an attacker guessing the password of an employee at an MSP that supplies IT services to a bank. From that single supply chain failure, the bank would be breached, costing it millions, despite the fact that its own staff had followed good security practice.
Are all third-party IT suppliers viewed the same under DORA?
No. Under DORA, the European supervisory authorities designate some ICT providers as 'critical', while the rest are non-critical. A breach in a critical supplier's systems could cause enormous damage to the financial system. For example, if Bloomberg terminals were breached, it could cause havoc across the world. Non-critical ICT service providers may include custom app developers, software licence resellers, and many MSPs.