April 2025 – By NIS2.news Editorial Team – Danny Zeegers
For managed service providers (MSPs) in scope of the NIS2 Directive, compliance is no longer just about ticking ISO 27001 boxes. With the Digital Operational Resilience Act (DORA) now applying to financial entities, and reaching their ICT providers through mandatory contract terms (Article 30) and, for providers designated as critical, through direct ESA oversight, a practical convergence of frameworks is not only smart, it is essential.
The Story: Meet SecureNet MSP
SecureNet is a mid-sized European MSP, labelled an essential entity under NIS2 (managed service providers are listed in Annex I under ICT service management). The company already runs a robust ISO 27001:2022-certified ISMS, built on its group-wide CCB cybersecurity baseline. As its customer portfolio expands to include fintechs and insurers, DORA knocks at the door.
What happens next is a smart pivot.
From ISO to DORA: Adding the Risk Intelligence Layer
SecureNet’s compliance team, guided by its DPO, CISO, and Risk Manager, realized that ISO 27001 covers the “what” (policies, controls, and governance), whereas DORA asks “how resilient” those controls actually make the ICT services that financial customers depend on.
With the help of a dedicated GRC tool and the ESAs’ RTS on ICT risk management (adopted as Commission Delegated Regulation (EU) 2024/1774), SecureNet extended its risk assessment to include:
- Criticality mapping of ICT assets aligned with business impact (Article 8 DORA)
- Scenario-based ICT disruption simulations (DORA Article 11, response and recovery, with the RTS requirements on BCP testing)
- Continuous monitoring of ICT risk tied to real-time threat intelligence
- Residual risk thresholds defined per DORA Article 6 and documented in the quarterly ICT risk report
“It wasn’t about starting from scratch. We took our ISO-based controls, integrated DORA-specific criteria like business continuity validation, and recalibrated our third-party due diligence for financial customers.”
— Danny Zeegers, CISO, Orange Cyberdefense Belgium
Key Lessons for Other MSPs
- Don’t throw away ISO 27001; it is your foundation. But tailor your risk register to reflect the ICT-specific threats set out in DORA RTS Chapters I and II.
- Leverage existing business continuity and incident response plans, but test them now using DORA-styled scenarios (e.g., data breach at a cloud provider, telecom disruption).
- Automate risk monitoring. DORA expects prompt detection of anomalous activity and near-real-time visibility of threats, so your GRC tool must be fed by security operations data rather than updated only at review time.
What Compliance Looks Like
SecureNet now issues an ICT Risk Management Report every quarter, including:
- Risk classification and residual acceptance
- Third-party dependency insights (mapped to DORA Articles 28–30)
- Performance of controls under test scenarios
- A formal sign-off by management and CISO
How ISO 27005 Needs to Be Upgraded for DORA Compliance
1. Governance and Accountability (Article 16, para 120–121)
- ISO 27005 alignment gap: ISO 27005 refers to organizational context and responsibilities but leaves role formalization flexible.
- Upgrade: Define explicit governance structures and accountability mechanisms tied to ICT risk. DORA requires the management body to be involved in risk oversight, and this must be documented and demonstrable.
✅ Add: Clear assignment of risk ownership, defined roles (CISO, management body), documented accountability, and oversight.
2. Information Security Policy (para 122)
- ISO 27005 alignment gap: Assumes such a policy exists but does not require it to be aligned with DORA’s operational resilience outcomes.
- Upgrade: Ensure that the Information Security Policy embeds:
- DORA-aligned risk tolerance thresholds.
- Objectives for maintaining availability, authenticity, integrity, and confidentiality (AAIC) of ICT services.
✅ Add: DORA-specific references in the IS policy and mapping of operational risk tolerance to service continuity goals.
3. Asset Classification (para 123)
- ISO 27005 alignment gap: Supports asset identification and valuation but does not prescribe a structured classification into criticality tiers.
- Upgrade: Implement classification schemes for ICT and information assets by:
- Business criticality
- Sensitivity (e.g. customer data vs logs)
- Regulatory exposure (e.g. NIS2, GDPR, DORA)
✅ Add: Formal criticality classification for ICT assets with mapping to risk treatment priorities.
4. Risk Management Process (para 124)
- ISO 27005 alignment gap: Fully covers risk identification, assessment, and treatment, but lacks DORA’s cross-sectoral taxonomy, its reporting obligations, and real-time metrics.
- Upgrade: Extend ISO 27005 process with:
- DORA-aligned taxonomy (per EBA RTS and JC guidelines)
- Definition of risk acceptance thresholds
- Quarterly ICT risk reporting to management
- Incident and threat scenario-based assessments
✅ Add: Integrated metrics, scenario-driven risk analysis, regulatory thresholds.
5. ICT Incident Thresholds & Triggers (para 125)
- ISO 27005 alignment gap: Covers incident impact but not real-time alerting thresholds or criteria for escalating an incident.
- Upgrade: Define:
- Alert levels based on potential or actual disruption.
- Trigger criteria for escalation and for notifying affected financial-entity clients, who carry the DORA major-incident classification and reporting obligation (Articles 18 and 19) and depend on the MSP’s timely notice to meet it.
✅ Add: Incident response thresholds tied to business impact and critical functions.
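As an added illustration (not from the original article, nor SecureNet’s or any vendor’s code), the Python sketch below shows how the criticality tiers of section 3 and the alert levels and escalation triggers of section 5 can be written down as executable rules rather than prose, so a GRC tool or SIEM applies them the same way every time. Every tier rule, threshold value and field name is an assumption made for the example; DORA’s actual major-incident classification criteria are set in the ESAs’ RTS on incident classification and are not reproduced here.

```python
"""Tiered ICT asset classification feeding incident alert levels and escalation triggers.

Added illustration; all tier rules and thresholds are hypothetical and must be
replaced by values derived from the organisation's own BIA and risk appetite.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Criticality tier of an ICT asset (1 = most critical)."""
    CRITICAL = 1
    IMPORTANT = 2
    SUPPORTING = 3


@dataclass(frozen=True)
class Asset:
    name: str
    supports_critical_function: bool     # BIA result: a critical or important business function depends on it
    sensitivity: str                     # "customer_data", "internal" or "logs"
    regulations: frozenset = frozenset()  # regimes the asset is exposed to, e.g. {"DORA", "GDPR"}


def classify_asset(asset: Asset) -> Tier:
    """Hypothetical scheme combining business criticality, sensitivity and regulatory exposure."""
    if asset.supports_critical_function:
        return Tier.CRITICAL
    if asset.sensitivity == "customer_data" or asset.regulations:
        return Tier.IMPORTANT
    return Tier.SUPPORTING


@dataclass(frozen=True)
class Incident:
    asset: Asset
    downtime_minutes: int          # actual or projected service downtime
    clients_affected_pct: float    # share of financial-entity clients impacted (0-100)
    client_data_compromised: bool  # confidentiality or integrity of client data lost


# Hypothetical per-tier tolerances (assumed for this example only).
DOWNTIME_LIMIT_MIN = {Tier.CRITICAL: 30, Tier.IMPORTANT: 120, Tier.SUPPORTING: 480}
CLIENTS_PCT_LIMIT = {Tier.CRITICAL: 5.0, Tier.IMPORTANT: 25.0, Tier.SUPPORTING: 50.0}

LEVELS = ("MONITOR", "ELEVATED", "HIGH", "MAJOR")


def alert_level(incident: Incident) -> str:
    """Map measured impact onto an alert level using the asset's tier tolerances."""
    tier = classify_asset(incident.asset)
    score = 0
    if incident.downtime_minutes > DOWNTIME_LIMIT_MIN[tier]:
        score += 1
    if incident.clients_affected_pct > CLIENTS_PCT_LIMIT[tier]:
        score += 1
    if incident.client_data_compromised:
        score += 2  # data compromise is never a tolerance question
    if score and tier is Tier.CRITICAL:
        score += 1  # any breach on a Tier-1 asset is raised one level
    return LEVELS[min(score, len(LEVELS) - 1)]


def escalation(incident: Incident) -> dict:
    """Turn the alert level into the written escalation and notification triggers."""
    level = alert_level(incident)
    return {
        "asset": incident.asset.name,
        "tier": classify_asset(incident.asset).name,
        "alert_level": level,
        # Management-body involvement is only demonstrable if the trigger is written down.
        "escalate_to_management_body": level in ("HIGH", "MAJOR"),
        # The MSP does not report to a competent authority itself; it notifies the
        # affected financial-entity clients, who run their own DORA Article 18
        # classification and, where the incident is major, Article 19 reporting.
        "notify_financial_clients": level == "MAJOR" or incident.client_data_compromised,
    }


if __name__ == "__main__":
    # Constructed sample: a managed SOC platform outage hitting DORA customers.
    soc = Asset("managed-soc-platform", True, "customer_data", frozenset({"DORA", "NIS2"}))
    print(escalation(Incident(soc, downtime_minutes=45, clients_affected_pct=8.0,
                              client_data_compromised=False)))
```

The point of keeping the tier lookup and the thresholds as plain data is that the quarterly ICT risk report can cite the exact values in force when an incident was classified, and a change to a tolerance becomes a reviewable diff rather than an undocumented judgement call.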
6. Physical and Environmental Security (para 126)
- ISO 27005 alignment gap: Physical threats are part of the asset-based risk evaluation but are not always assessed with operational resilience in mind.
- Upgrade: Include:
- Risk scenarios involving loss of physical ICT assets, like datacenter outages.
- Link physical controls to business continuity and critical service availability as per DORA.
✅ Add: Integrated BIA on physical threats affecting digital operations.
7. Business Continuity and Resilience (para 127 and Chapter III of RTS)
- ISO 27005 alignment gap: Recommends integration with business continuity but does not make it central.
- Upgrade: Mandate linkage to:
- Business continuity management (BCM)
- Disaster recovery testing aligned with RTO/RPO expectations for critical ICT
✅ Add: Tested and validated DR scenarios with BIA/RTO integrated in the risk treatment plan.
📌 Summary: Upgrade Checklist for ISO 27005 under DORA
| DORA Element | ISO 27005 Upgrade Required? | Action |
|---|---|---|
| Governance and accountability | ✅ | Define management body responsibilities explicitly |
| Information Security Policy | ✅ | Add DORA-oriented objectives and metrics |
| ICT Asset Classification | ✅ | Implement formal criticality-based asset tiers |
| Incident Triggers & Thresholds | ✅ | Document thresholds and escalation paths |
| Continuous Monitoring | ✅ | Add risk indicators and risk-based alerting |
| Business Continuity | ✅ | Link BIA and RTO/RPO to critical ICT risks |
| Regulatory Taxonomies | ✅ | Use EBA/DORA-aligned taxonomies for risk types |
Final Takeaway
For essential entities, especially MSPs serving financial entities, reaching NIS2 compliance is just the beginning. DORA is not a separate framework to build from scratch; it is a sharper lens on your operational resilience.
Done right, extending your ISO 27001 foundation with DORA’s structured risk practices gives your business a serious edge and earns the trust of Europe’s financial system.