For Managed Service Providers (MSPs) in the EU, who serve financial organizations, DORA regulatory compliance is a hot topic. The DORA (Digital Operational Resilience Act) is a new regulation that came into force on Jan 17th, 2025, aimed at ensuring the operational resilience of financial entities in the EU, focusing on technology risk management and minimizing disruptions in critical services.
MSPs serving EU financial institutions need to be mindful of DORA, as non-compliance could result in penalties and reputational damage. Moreover, since DORA mandates robust monitoring, testing, and reporting processes, and financial organizations also need to verify that their third-party suppliers are DORA compliant, MSPs serving this sector will be required to demonstrate adherence to this regulation to existing customers and future growth prospects.
The opportunities DORA presents for MSPs
Whilst DORA introduces increased overhead and risk for many MSPs, it also presents opportunities for modern MSPs who get ahead of the market and automate the components necessary to achieve compliance.
By adopting Artificial Intelligence for IT Operations (AIOps) for real-time monitoring and automation in reporting, MSPs can not only ensure compliance with DORA but also reduce manual intervention, optimize their operational costs, and improve service reliability. Moreover, by choosing the correct set of monitoring and observability features, MSPs will be able to automatically produce reports and tangible evidence of DORA compliance that EU financial entities are now required to seek when choosing an MSP.
Meeting DORA’s stringent formalized standards is likely to give those MSPs who embrace DORA’s ethos a competitive advantage, as financial institutions look for reliable, secure and more sustainable providers who can demonstrate compliance with the minimum of fuss. Beyond this, steps MSPs can take to achieve turnkey / by-process adherence to DORA are often the same measures that will improve general efficiency and quality of their services to attract wider business and increased growth.
What is DORA?
DORA (Digital Operational Resilience Act) is an EU regulation focused on strengthening the operational resilience of financial entities by managing ICT risks, ensuring incident reporting, testing, and third-party risk oversight.
We’ve already written a detailed article covering DORA in some depth, including links to the original regulations and several third-party articles designed to guide you through the basics of DORA from a number of perspectives. See: What is the Digital Operational Resilience Act (DORA)? Everything you need to know about DORA compliance. | eG Innovations. This overview highlights just how much of the regulation pertains to proactive monitoring and anomaly detection.
What are the 5 core pillars of DORA?
There are 5 main pillars (principles / tenets) to the DORA regulations, namely:
- ICT Risk Management: Financial entities must implement comprehensive frameworks to manage and mitigate risks related to Information and Communication Technology (ICT).
- Incident Reporting: Organizations are required to report major ICT incidents to competent authorities within specific timeframes to ensure transparency and swift action.
- Digital Operational Resilience Testing: Regular, thorough testing of ICT systems to identify vulnerabilities and ensure operational continuity during disruptions.
- Third-Party Risk Management: Ensuring that third-party service providers meet stringent operational resilience standards and mitigate any risks posed by external vendors.
- Information Sharing: Encouraging collaboration and information exchange among financial entities, regulators, and other stakeholders to enhance collective resilience against cyber threats and incidents.
What does this mean for MSPs?
DORA aims to ensure that financial entities are capable of withstanding, responding to, and recovering from disruptions and threats to their Information and Communication Technology (ICT) systems. The regulation extends beyond banks, insurers, and investment firms to include their third-party ICT service providers, including MSPs. If you are an MSP who delivers IT services to financial organizations within the EU, your operations will almost certainly fall under its remit. Importantly, it is the location of the customer within the EU that dictates DORA’s reach, and so the regulation will also apply to MSPs located in the USA, UK and elsewhere providing ICT services to European financial entities.
DORA has been deliberately designed to have a ripple and trickledown effect. In the same way that EU financial organizations are required to verify that you have processes and tools in place to comply, you in turn will be obligated to ensure that your own third-party ICT suppliers also comply.
How can MSPs show financial customers that they are DORA-ready and choose monitoring tooling that is fit for DORA?
Framework standards
Recognized international frameworks such as SOC 2 Type audits and ISO/IEC 27001:2022 certification can go a long way to demonstrating to your customers that you are prepared for DORA compliance. These are amongst some of the validation frameworks we’ve adopted ourselves at eG Innovations, see: Information Security and Compliance | eG Innovations for details. When choosing your own suppliers for monitoring or management tooling, selecting vendors and products with these types of certifications can help you demonstrate to your customers that you are doing due diligence validating your own third-party supply chain.
SOC 2 Type audits and ISO/IEC 27001:2022 certifications alone do not mean that an organization is DORA compliant but an organization with them in place is much better placed to be compliant. Some details on the nuances of this can be found on many third-party sites, such as:
- Simplifying DORA Compliance with ISO 27001 – IT Governance Blog En
- DORA and ISO 27001 mapping
- How ISO 27001 Can Support Meeting Requirements for DORA?
- SOC 2 + The Digital Operational Resilience Act | Viridis Security
Cloud partner validation
If you are delivering your MSP services on a public cloud, joining and participating in that public cloud provider’s MSP validation program is advisable. The large public cloud providers have incorporated a wealth of best practices into such programs. By participating in these schemes, you can demonstrate you meet those standards and can provide demonstrable proof of good practice. For example, the AWS Managed Service Provider (MSP) Program includes certification via the AWS MSP Validation Checklist (a third-party overview of this is available, see: AWS MSP Checklist: The Comprehensive Guide). Since DORA emphasizes the importance of partnerships, collaboration and information sharing, tangible evidence of participation in formal vendor partner programs will help you become compliant.
When choosing your own suppliers, you will want to verify that any supplier delivering functionality or software as SaaS (functionality such as monitoring) on a public cloud has also participated in relevant cloud vendor validation programs. For example, our own SaaS turnkey monitoring delivered on AWS has been validated as “AWS Well-Architected” and we participate in other AWS certification programs such as the “AWS Digital Workplace Competency”. For details of what this means, see:
- eG Innovations achieves Amazon Web Services (AWS) Digital Workplace Competency status | eG Innovations
- Monitoring AWS End User Computing (EUC) Technologies with eG Enterprise | eG Innovations
How can eG Enterprise help MSPs gain competitive advantage by adopting the 5 core pillars of DORA?
eG Enterprise enables MSPs to meet their obligations by providing a comprehensive AIOps-driven monitoring solution that offers real-time visibility into all your critical systems and applications across hybrid and multi-cloud environments. This allows MSPs to proactively detect and resolve performance issues before they disrupt services, minimizing downtime whilst ensuring continuous service delivery.
The platform’s AIOps monitoring capabilities also support event correlation, anomaly detection and predictive analytics, identifying potential vulnerabilities and threats before they escalate, which is a key component of DORA’s resilience testing. Additionally, eG Enterprise automates incident reporting and compliance documentation, streamlining the process for MSPs and reducing manual overhead. This automation not only ensures compliance but also lowers operational costs.
Because eG Enterprise is a fully multi-tenant monitoring solution, MSPs using it can deliver enhanced service reliability and demonstrate DORA compliance to individual financial clients, making them more attractive to organizations in regulated sectors. Per-tenant / per-customer monitoring and reporting makes demonstrating compliance to individual customers simple. In turn, this can lead to increased customer trust, expanded business opportunities, and a strong competitive position in the marketplace. To learn more about our features for MSPs leveraging multi-tenancy, see: Multi-Tenant MSP Monitoring | eG Innovations and What is multi-tenancy? Multi-tenancy for MSPs Explained. | eG Innovations.
Let’s now consider how a fully featured AIOps monitoring tool such as eG Enterprise will automate and help compliance with the specific requirements placed by DORA on MSPs.
Pillar 1: How AIOps-powered monitoring helps you build a DORA-compliant “ICT Risk Management” strategy
DORA is all about “doing things properly” and “by process”. You need to plan a strategy and implement tools and processes that:
- Automate and remove human-error and oversight to detect threats and ICT issues.
- Are futureproof. As an MSP you will need to adapt to handle unknown risks and changing / new customer needs.
- Are flexible. As an MSP your business relies on you adopting new technologies demanded by customers. You also need to avoid vendor and tech lock-in to ensure your business remains cost-effective. You probably don’t want to lock your DORA processes to a single cloud provider and their native monitoring, especially if you have a “Cloud Exit” strategy (see: The Importance of a Cloud Exit Strategy: What It Is, Who Needs It, and How to Plan It | eG Innovations for information on why many have such a strategy) within your risk mitigation plans.
- Automate documentation and reporting. Demonstrating DORA compliance is now essential for you to retain and attract new customers. Tools that automate and self-document your systems are vital. AIOps auto-discover and deploy features coupled with universal agent technologies ensure that the monitoring platform always covers your entire end-to-end service and application delivery, even if those systems are dynamic, ephemeral or auto-scaling such as Kubernetes or cloud. Rich topology maps self-document your systems and their dependencies in a format consumable to your customers. More on these capabilities later in this article.
The eG Enterprise platform provides AIOps-powered monitoring, an approach that helps build a DORA-compliant ICT risk management strategy by leveraging artificial intelligence and automation to enhance visibility, detection, and response capabilities. Here are some of the benefits of an AIOps-enabled observability tool above traditional monitoring tools:
- Proactive Risk Detection: AIOps benchmarks and baselines your real systems and applications and then identifies anomalies and potential vulnerabilities in those ICT systems before they escalate into critical issues, enabling financial entities to address risks proactively as required by DORA. Indeed, “proactive anomaly detection” is mandated within DORA regulation.
- Auto-detection and auto-deploy: Built in AIOps intelligence coupled with domain-aware layer models and universal agent technologies allow the AIOps engine to discover and understand the relationships between the components of your ICT systems, even within auto-scaling systems. Your monitoring must scale alongside your systems without human effort.
- Real-Time Monitoring: Continuous real-time and real-user monitoring and out-of-the-box alerting ensures the immediate detection of performance degradations, security threats, or disruptions, aligning with DORA’s focus on operational resilience. Manually setting metric thresholds and alerting is no longer good enough.
- Automated Root Cause Analysis: AIOps accelerates incident resolution by pinpointing the root cause of issues automatically, reducing downtime and ensuring business continuity.
- Predictive Analytics: Machine learning models in AIOps analyze historical and real-time data to predict potential failures or resource shortages, allowing organizations to strengthen their ICT systems. Avoiding issues is a key tenet of DORA.
- Incident Reporting and Compliance: eG Enterprise automates incident reporting and documentation, ensuring adherence to DORA’s reporting timelines and regulatory requirements.
- Efficient Testing and Validation: Regular automated performance and resilience testing with synthetic monitoring features (simulated workloads or users) ensures systems are robust and compliant with operational resilience standards. Moreover, these repeatable tests allow you to set KPIs and test that systems are operational even when there are no real users using systems. The AIOps engine within eG Enterprise can detect small and subtle anomalies in these synthetic tests to preemptively detect issues well before any real services or users are impacted – a basic goal of DORA.
By automating and optimizing risk management processes, AIOps helps financial institutions meet DORA requirements while improving efficiency and reducing operational costs.
Pillar 2: How MSPs can demonstrate readiness to comply with DORA’s “Incident Reporting” requirements
Organizations are required by DORA to report major ICT incidents to competent authorities within specific timeframes to ensure transparency and swift action. eG Enterprise includes many features that will help you automatically gather the required information if you or your customers experience a notifiable incident.
- ITSM Integrations: eG Enterprise integrates with numerous ITSM and support systems – moreover it can integrate with multiple different systems and on a per-tenant basis. So, if you have a customer using ServiceNow you can integrate eG Enterprise alerts with the ticket tracking system of their choice, whilst another customer may prefer Autotask or Freshdesk etc.
- Cost effective long-term Data Retention: Organizations seeking to demonstrate DORA compliance will need to retain data beyond the default retention times of native cloud monitoring tools and similar. This can be very expensive. eG Enterprise offers cost-effective data retention.
- External oversight with failover capabilities: If, as an MSP, you are using cloud or third-party datacenters or services to deliver services to your customers, you will want to have visibility on incidents such as cloud outages rather than rely on native cloud tools that may be affected by outages. Using a truly agnostic independent monitoring solution gives you this visibility. Further, eG Enterprise is designed to protect and preserve data even during IT failures. Learn more about monitoring cloud outages and your cloud provider’s service levels, see: How to Protect your IT Ops from Cloud Outages.
- Built-in failover and resilience features: Monitoring solutions (especially cloud-based SaaS solutions) vary in their failover and resilience features. To learn how we ensure resilience and can demonstrate we are adhering to the key tenets of DORA ourselves, see: How to Protect your IT Ops from Cloud Outages.
- Advanced auditing capabilities: Details of our extensive built-in audit reports are available, see: Auditing Capabilities in IT Monitoring Tools | eG Innovations.
- Extensive reporting capabilities: Built-in reports that can be customized, plus a rich-GUI report builder (no query language required!), allow you to schedule and automate reporting as well as have access to live and historical reports whenever needed.
- Configuration & Change Tracking: Newton’s first law states an object remains in steady motion unless acted on by a force; similarly, IT systems remain stable unless a change disrupts them. Tracking configurations and changes is an important feature for monitoring tools and helps ensure rapid root-cause diagnostics by pinpointing the ‘force’ that caused the issue when that force is an internal IT change. See: Configuration Management & Change Tracking for Observability for details.
- Highly granular RBAC (Role Based Access Control): Whilst DORA puts a heavy focus on information sharing, managing services and infrastructure for your customers means you need to ensure that access to data about those services is controlled. eG Enterprise is built with highly granular audited access controls down to per user and even per command level. See: Role-Based Access Control in eG Enterprise | eG Innovations for some details.
Pillar 3: Digital Operational Resilience Testing
DORA requires organizations to proactively test and seek out issues. Additionally, as an MSP, your customers will need to seek evidence from you that systematic and appropriate testing is in place. In the event of an ICT incident, you may well be called on to demonstrate that adequate and realistic testing was in place.
eG Enterprise includes an extensive suite of synthetic monitoring capabilities. Synthetic monitoring involves simulating user interactions with an application or system. These tests mimic typical user actions, such as logging in, searching, or completing a transaction, and are run from various geographic locations or within the infrastructure. Synthetic tests are executed periodically, even when no real users are active, to identify performance issues, availability problems, or functional errors.
eG Enterprise includes a wide range of synthetic monitoring capabilities that cater to several use cases:
- Protocol simulation: This is ideal for simple simulation of protocol requests (HTTP, SMTP, ICA, SQL etc.) to target systems and applications, and observing their responses.
- Web app simulation: To support multiple step transactions that include form-fills, mouse clicks, etc., eG Enterprise includes a web app transaction recording and replay tool.
- Purpose-built logon simulators: eG Enterprise embeds purpose-built simulators for digital workspace environments (Citrix, VMware Horizon, Amazon WorkSpaces, etc.) that simulate user logons without the need for a separate recording step.
- Full, client session simulation: Ideal for simulating multi-step transactions to any type of application – thin client or thick client, this uses a simulation engine that works based on optical character recognition technology.
In all cases, application and transaction availability and response times are the key metrics of interest.
How synthetic monitoring helps meet the demands of the 3rd pillar of DORA (Digital Operational Resilience Testing):
- Continuous Resilience Validation: Synthetic monitoring ensures systems are constantly tested for availability, response times, and reliability, aligning with DORA’s requirement for regular resilience testing. This can be a powerful methodology for MSPs preparing for DORA.
- Proactive Problem Detection: By identifying performance bottlenecks and errors before real users are affected, synthetic monitoring prevents disruptions and ensures smooth operations. Note: synthetic monitoring is only one component needed for true proactive monitoring (for details of why, see What is Proactive Monitoring and Why it is Important).
- Incident Readiness: Simulated testing under different scenarios (e.g., when a server is offline in maintenance) validates the system’s ability to handle failures, supporting readiness for ICT disruptions.
- Compliance Reporting: Synthetic monitoring generates detailed logs and performance data, helping ICT suppliers document their resilience efforts to meet DORA’s compliance standards. In an enterprise class product such as eG Enterprise this means you get customer-ready reporting analysis out-of-the-box, which can be scheduled regularly as required by DORA. For MSPs operating multi-tenanted environments per-customer reporting is supported.
By incorporating synthetic monitoring MSPs will be able to validate their systems’ operational resilience effectively, ensuring continuity in the face of potential disruptions.
Pillar 4: Opportunities for MSPs from DORA’s “Third-Party Risk Management” requirements
If you are an MSP supplying financial organizations in the EU, your customers will now need you to demonstrate your compliance. Moreover, you in turn will have to demonstrate the vendors and suppliers you use also adhere to the standards.
You can demonstrate due diligence with eG Innovations and eG Enterprise for proactive monitoring:
- Proven and trusted vendor: eG Innovations has over two decades of experience delivering monitoring capabilities to sectors such as government and finance. 1000s of customers have trusted us worldwide.
- Certified and verified solution: We publish details of frameworks and certification programs we participate in: Information Security and Compliance | eG Innovations.
- Full 24×7 enterprise support: Unlike most freeware and open-source monitoring solutions, eG Enterprise provides a range of enterprise support options and can take full contractual responsibility for ensuring you have functioning proactive monitoring in place required by DORA. Freeware and open-source monitoring is particularly troublesome for DORA compliance as using a third-party who has no contractual obligation to fix things in the event of a disruption presents challenges.
- Hardened AIOps capabilities: There is a lot of detail within DORA about the need for organizations to have continuous anomaly detection in place. Only tools with AIOps-like capabilities can deliver such functionality.
- European and worldwide offices: eG Innovations is a global company; we have 12 physical offices worldwide and offer local support with local languages in many regions including the EU. Our European staff have proven experience of supporting MSP partners and financial customers and helping them meet their regulatory obligations in the EU. You might like to read about our work in the BeNeLux and German regions!
Pillar 5: Opportunities for MSPs from DORA’s “Information Sharing” requirements
Generating the reports and evidence your customers need for their DORA strategies becomes easy with eG Enterprise. You can get ahead of your competitors by providing customers with insightful, regular reports and detailed data breakdowns. Reporting usability features such as “Report Booklets” provide a way in which reports can be scheduled, collated, and emailed to individual organizations or people as a single PDF bespoke to their role and needs. A single PDF allows users to avoid the burden of managing and opening multiple files. See: How to Save the Generated Reports to a Booklet?. It is enterprise-grade features such as this that many other monitoring solutions lack.
We’ve some information on auditing functionality you are likely to need to use to produce regular audits and audit reports automatically as part of the information you share, see: Auditing Capabilities in IT Monitoring Tools | eG Innovations.
Some details on the requirements DORA will place around incident reporting to regulatory authorities are covered in: Register of Commission Documents – C(2024)6901.
DORA is invariably going to mean increased scrutiny of MSPs by financial entities. More processes and tooling are being put in place to react to the first signs of potential issues. This means false alerts are a potential liability, with the potential to cost businesses time and effort investigating them as if they were real incidents. AIOps systems are built to minimize false alerts and alarm storms. Beyond this, eG Enterprise recognizes that planned downtime and scheduled maintenance are an important part of an MSP business. eG Enterprise has a wealth of features built in to ensure communication and information sharing will be automated, so maintenance will not provoke DORA-induced panic with your customers, see: Managing Monitoring and Alerting during IT Maintenance.
How MSPs can leverage eG Enterprise to exploit the opportunities around DORA compliance
For MSPs partnering with eG Innovations, DORA presents an excellent opportunity to deliver value-added services and differentiate themselves in a competitive market. By white-labeling eG Enterprise, MSPs can offer tailored solutions that align with DORA’s requirements, positioning themselves as trusted partners in the financial sector.
With eG Enterprise, MSPs can, for example, provide continuous synthetic resilience testing to validate ICT system availability and performance proactively. Advanced incident reporting capabilities can automate compliance documentation, ensuring financial clients meet strict regulatory timelines with ease.
Additionally, MSPs can leverage eG Enterprise to deliver bespoke risk management frameworks, using AI-powered monitoring and predictive analytics to address vulnerabilities before they impact operations.
By offering these specialized services, MSPs can demonstrate a deep understanding of the unique challenges faced by heavily regulated industries such as financial services. This proactive approach not only builds confidence with customers but also creates new revenue streams, solidifying the MSP’s role as a sustainable partner in ensuring compliance and operational resilience for financial institutions.
Upselling compliance services is just one way in which eG Innovations is already helping our MSP partners grow their businesses; some other ways are included in: How eG Enterprise helps MSPs offering digital workspaces, add value-added services | eG Innovations.
Learn more about eG Enterprise’s capabilities for MSPs
Please do review how we support our MSP partners, here are some links to articles you may find relevant:
- 8 Key Factors of a Successful MSP Monitoring Strategy – Determining your MSP Monitoring Strategy for the Next Decade | eG Innovations
- Read about the limitations of old-school RMM tools and how to overcome them.
- AVD Monitoring for MSPs (Managed Service Providers) | eG Innovations
- Learn how MSPs can integrate monitoring alerts with multiple ITSM tools at the same time (eginnovations.com)
- How eG Enterprise helps MSPs offering digital workspaces, add value-added services | eG Innovations
- How MSPs can Capitalize on the Rush to Localize IT Services (eginnovations.com)
- Read a case study on eG Enterprise white-labelled by a partner: Spadafy leverages eG Enterprise to deliver secure VDI and professional services to healthcare providers – Case Study | eG Innovations
eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces,
web applications, SaaS services, cloud and containers from a single pane of glass.
Some information on our work with financial entities is covered in these articles:
- IT Performance Monitoring for Banks and Financial Services
- IT Performance Monitoring for Credit Unions | eG Innovations
- Our Customers | eG Innovations (select “Financial Services” in the filter)