When you think your ICT critical services are DORA compliant, first mistake…

Brussels – April 2025 – With the European Supervisory Authorities (ESAs) publishing the final Regulatory Technical Standards (RTS) under DORA, the spotlight now turns to essential Managed Service Providers (MSPs) serving financial entities. As these MSPs also fall under the NIS2 Directive, they face a dual regulatory obligation — and the bar for compliance has just been raised.

What’s New in the RTS?

The RTS, finalized under Article 15 of DORA, defines detailed ICT risk management expectations that will become enforceable by January 17, 2025. These include:

  • Structured ICT security policies across encryption, change management, and asset classification
  • Rigorous access controls and identity management including anomaly detection based on user behavior
  • Full lifecycle ICT incident response and recovery procedures, down to evidence collection and backup validation
  • Defined requirements for third-party risk, particularly cloud and outsourced ICT services
  • A harmonized reporting format for ICT risk management reviews

Although technology-neutral, these standards embed strict process maturity expectations drawn from ISO 27001, NIST CSF, and the EBA/EIOPA guidelines — meaning MSPs can no longer operate without fully aligned frameworks.


🛡 Why This Matters to NIS2 Essential MSPs

MSPs designated as NIS2 essential entities — particularly those serving financial sector clients — now face two layers of digital resilience compliance:

  1. NIS2 obligations around network and information system security
  2. DORA-mandated ICT risk management, when providing services to banks, insurers, pension funds, or asset managers

The RTS draws a clear line: critical or important functions outsourced to MSPs are subject to the same resilience standards as internal functions. This makes MSPs accountable not just for uptime, but for full-stack cyber maturity.


What MSPs Must Do Now

  1. Map Services to DORA Impact: Identify which offerings (monitoring, consulting, cloud, app testing) qualify as supporting critical functions under DORA.
  2. Implement a Harmonized ICT Risk Framework: Align your policies with the RTS requirements across encryption, access, network security, and incident response.
  3. Ensure Audit-Ready Documentation: DORA requires annual ICT risk reviews to be documented in a standard format for competent authorities.
  4. Engage Proactively with Clients: Offer DORA-resilient service add-ons like tested continuity plans, anomaly detection, and third-party monitoring.

Competitive Advantage for Compliant MSPs

MSPs that can demonstrate RTS-aligned resilience capabilities position themselves as strategic partners in a new regulatory era. Rather than being just suppliers, compliant MSPs can co-own digital operational resilience with their clients — a move that will be non-negotiable in the post-January 2025 financial landscape.

Essential MSPs and DORA: Gaps That Could Cost You – What NBB and the RTS Reveal

As the European Supervisory Authorities release the final RTS under DORA, the regulatory lens is narrowing in on essential Managed Service Providers (MSPs), particularly those active in Belgium under NIS2. For MSPs serving financial institutions, compliance isn’t just a checklist — it’s a structural transformation. But many still fall short of what DORA and the National Bank of Belgium (NBB) now expect.


Key Compliance Gaps Holding MSPs Back

1. Governance, Risk, and Compliance (GRC) Frameworks Are Too Generic
Many MSPs operate GRC models that lack the sector-specific controls, traceability, and structure that DORA now demands. Current risk registers often don’t:

  • Link operational risks to digital processes
  • Reflect real-time changes in threat exposure
  • Integrate SCRM (Supply Chain Risk Management) and third-party impact scoring

2. Missing or Weak ICT Incident Monitoring and Reporting Pipelines
Despite DORA’s clear timeline for incident escalation (within 4 hours for major incidents), many MSPs lack automated detection and alerting workflows:

  • No clear trigger thresholds or alert criteria
  • Lack of accountability on reporting timelines
  • Manual dependency for escalation decisions
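As an added illustration (not code from the article or from any MSP or regulator), the following Python sketch shows what the three missing pieces look like when written down: explicit trigger thresholds for classifying an incident as major, an automatic 4-hour escalation clock as the article cites, and a named accountable owner. The threshold values, incident fields and the choice to start the clock at detection time are assumptions for the example; the clock start in practice must follow the applicable DORA reporting rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed thresholds for illustration only; an MSP derives its own from
# its DORA-aligned classification policy.
MAJOR_IF_CLIENTS_AFFECTED = 2       # critical-function clients impacted
MAJOR_IF_DOWNTIME_MINUTES = 60      # service unavailable at least this long
ESCALATION_WINDOW = timedelta(hours=4)  # the 4-hour window the article cites


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime           # must be timezone-aware
    clients_affected: int
    downtime_minutes: int
    data_loss: bool
    owner: str                      # named person accountable for reporting


def classify(inc: Incident) -> str:
    """Apply written-down trigger criteria; no human judgement in the loop."""
    if inc.data_loss or inc.clients_affected >= MAJOR_IF_CLIENTS_AFFECTED \
            or inc.downtime_minutes >= MAJOR_IF_DOWNTIME_MINUTES:
        return "major"
    return "minor"


def escalation_status(inc: Incident, now: datetime) -> dict:
    """Compute the reporting deadline for a major incident and whether it is
    already breached. Naive datetimes are rejected so the clock is unambiguous."""
    if inc.detected_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    severity = classify(inc)
    status = {"id": inc.incident_id, "severity": severity, "owner": inc.owner,
              "deadline": None, "overdue": False, "minutes_left": None}
    if severity == "major":
        deadline = inc.detected_at + ESCALATION_WINDOW  # assumption: clock starts at detection
        status["deadline"] = deadline
        status["overdue"] = now > deadline
        status["minutes_left"] = max(0, int((deadline - now).total_seconds() // 60))
    return status


def overdue_reports(incidents: list, now: datetime) -> list:
    """Return ids of major incidents whose 4-hour window has lapsed unreported."""
    return [s["id"] for s in (escalation_status(i, now) for i in incidents) if s["overdue"]]
```

Feeding this from the monitoring pipeline rather than from a ticket someone opens by hand removes the manual dependency the article lists.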

3. Supplier and Sub-Processor Management is Superficial
Supply chain risk is a central pillar of DORA — yet most MSPs do not perform:

  • Formal supplier tiering based on criticality
  • Lifecycle security assessments beyond onboarding
  • Continuous monitoring of subcontractor risk exposure

4. Contracts Do Not Match the Risk
One of the most severe gaps: MSP contracts are not aligned with DORA requirements or the operational reality:

  • SLAs lack resilience or incident response clauses
  • No rights to audit or terminate for non-compliance
  • No clear data ownership or exit/transition procedures

This violates both DORA’s outsourcing guidelines and the NBB’s expectations on ICT and cloud service oversight.

🇪🇺 What NBB Expects – and What MSPs Must Deliver

The National Bank of Belgium (as DORA’s competent authority in Belgium) has stressed enhanced supplier accountability. MSPs must:

  • Offer contractual guarantees for ICT resilience
  • Implement continuous risk monitoring
  • Structure service delivery and policies in audit-ready form

NBB guidance echoes that outsourcing does not mean outsourcing responsibility. Financial institutions remain accountable — and so must their MSPs.


What MSPs Must Urgently Implement

  • A DORA-aligned GRC framework, integrating SCRM, threat modeling, and incident severity classification
  • An automated incident detection and escalation engine linked to DORA reporting deadlines
  • A full contract review process ensuring all client SLAs and DPAs meet DORA’s outsourcing and risk transfer provisions
  • A documented and ongoing supplier evaluation system, including periodic audits and continuous monitoring

Bottom Line

MSPs can no longer operate with outdated templates and passive oversight. With the RTS now final, and the NBB’s scrutiny growing sharper, DORA-readiness must be embedded in the DNA of every essential ICT provider. Those who adapt will not just retain contracts — they will lead.


In summary: The publication of the DORA RTS marks a turning point. For NIS2-essential MSPs delivering services to financial clients, DORA compliance is no longer optional — it’s foundational. Those who step up will not only meet expectations but set the standard.

The authoritative text is the RTS itself: Download RTS
