Navigating DORA and why compliance matters

Written by Sean O'Neill | Feb 11, 2025 9:57:00 AM

In 2025, compliance is no longer optional. With regulations like GDPR, NIS2, ISO27001, and now DORA, businesses must prioritise cybersecurity and operational resilience. For Managed Service Providers (MSPs), this is both a challenge and an opportunity: those proactively addressing compliance can become indispensable to their clients.

What is DORA?

DORA (Digital Operational Resilience Act) is an EU regulation ensuring financial institutions can withstand and recover from ICT-related disruptions. In effect from 17th January 2025, it applies to financial services firms and “Critical ICT Third-Party Providers” (CTTPS), including UK-based firms working with EU clients. Even firms not formally classified under DORA may face compliance demands through their contracts with in-scope clients.

The framework includes five key pillars:

  • ICT risk management
  • ICT-related incident management
  • Digital operational resilience testing
  • Third-party risk management
  • Information-sharing and reporting

The growing regulatory landscape

DORA is one of many global compliance requirements reshaping business operations. Organisations are also navigating GDPR, NIS2, and ISO27001 frameworks. With this growing regulatory landscape, seeking expert advice and, in some cases, legal counsel is crucial to compliance.

Understanding DORA’s testing requirements

In a recent webinar with Rootshell Security, we discussed DORA’s digital operational resilience testing, particularly Articles 24-27, which outline structured testing frameworks:

  • Article 24 – General testing requirements
  • Article 25 – Testing of ICT tools and systems
  • Article 26 – Advanced testing (Threat-Led Penetration Testing, TLPT)
  • Article 27 – Tester qualifications for TLPT

Key questions addressed included:

  • Who must comply?
  • What systems, processes, and technologies must be tested?
  • How frequently should assessments occur?
  • Who should conduct cybersecurity evaluations?

For full details, watch our webinar: DORA Compliance Webinar

The role of MSPs in compliance

MSPs play a vital role in helping businesses navigate compliance. Brigantia partners can leverage tools from key vendors like Sendmarc, Hornetsecurity, Heimdal, AuthN by IDEE, and Rootshell to provide security solutions such as advanced threat protection, email security, data protection, and risk assessments.

Compliance as competitive advantage

Not all MSPs offer compliance-focused services, but those who do will stand out by:

  • Staying ahead of regulations – Proactive compliance builds trust and credibility.
  • Providing comprehensive security solutions – A full suite of services enhances competitiveness.
  • Mitigating risk for clients – Helping businesses comply reduces penalties and security risks.

Next steps for businesses

With DORA now in effect, businesses should:

  1. Determine if they fall under DORA’s scope and seek expert guidance.
  2. Invest in risk management tools like vulnerability assessments and penetration testing.
  3. Strengthen incident response plans to align with regulatory requirements.
  4. Monitor third-party risks and ensure resilience clauses are built into contracts.
  5. Stay informed on global compliance trends to ensure long-term sustainability.

The bottom line

DORA isn’t just another regulatory hurdle – it's a framework for strengthening financial sector resilience. MSPs prioritising compliance will help clients avoid penalties and establish themselves as trusted security partners in an increasingly regulated world.

To support MSPs in navigating these changes, we are hosting a Compliance Roadshow in March covering key cybersecurity regulations. Register for one of the events here:

London: https://www.brigantia.com/webinars-events/brigantia-compliance-roadshow-london

Birmingham: https://www.brigantia.com/webinars-events/brigantia-compliance-roadshow-midlands

Newcastle: https://www.brigantia.com/webinars-events/brigantia-compliance-roadshow-newcastle