Behind the Scenes Episode 359: Exploring DORA

Welcome to the Episode 359, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”



Before the war in Ukraine started, a rash of cybersecurity incidents started to crop up – particularly in the Ukrainian financial sector and against government websites. This created a substantial amount of chaos with the day to day operations in Ukraine, and a week later, Russia invaded.

In the wake of these and other cyber attacks against critical infrastructure across the globe, countries are starting to realize that data security is a vital part of national security.

This week on the podcast, NetApp’s Adam Gale (, LinkedIn)joins us to discuss a new set of regulations around cyber security, data protection and more called the Digital Operational Resiliency Act (DORA). 

For more information on DORA:

Finding the Podcast

You can find this week’s episode here:

I’ve also resurrected the YouTube playlist. You can find this week’s episode here:

You can also find the Tech ONTAP Podcast on:

I also recently got asked how to leverage RSS for the podcast. You can do that here:


The following transcript was generated using Descript’s speech to text service and then further edited. As it is AI generated, YMMV.

Episode 359: Exploring DORA

Justin Parisi: This week on the Tech ONTAP podcast, we talk about the new cybersecurity and resiliency regulations in EMEA called DORA with Adam Gale.

Podcast Intro/Outro: [PodcastIntro/outro]

Justin Parisi: Hello and welcome to the Tech ONTAP Podcast. My name is Justin Parisi. I’m here in the basement of my house and with me today I have a special guest to talk to us all about some new regulatory stuff in the United Kingdom. So with us today we have Adam Gale. Adam, what do you do here at NetApp? How do we reach you?

Adam Gale: Hi. Hi. I am, as you said, Adam. I’m an executive architect. So I deal with all things architectural related in NetApp and I work in professional services. And yeah, you can contact me at my email address, which is Adam.Gale@NetApp. Gale is spelled g-a-l-e or you can get me at LinkedIn again, Adam Gale.

Justin Parisi: All right, so when you do architecture type of work, there’s a lot to consider, right? There’s the equipment, there’s the setup, there’s the configuration, there’s the installation, there’s the business use case, there’s the workloads, and then you also have the compliance and governance piece of the data. So with regulations and that sort of thing, it can really complicate things. Can you gimme an overview as an architect? What sort of things you have to consider when you go into a a business when you start thinking about data governance and compliance.

Adam Gale: Absolutely. This is an area that I’m particularly interested in and I think one of the first things that comes to mind when I think of compliance and governance is knowing where you’ve been so you know where you’re going. In other words, if you know what you’ve got, you know what to do with it.

So the first thing I talk about with my customers is doing a data discovery exercise, looking around the business, seeing what data you have, what buckets it belongs in, whether it’s PPI, personal identifying information, that sort of thing, or whether it’s trading information and then putting it into those logical buckets, and then you can start making informed decisions for governing this data, placing it in the right places, and applying the right protection policies, those sorts of things.

I’ve come from a financial background having worked in storage and in the financial industry there is a lot of governance and regulation. A lot. So that’s why I’m quite interested in this subject and one piece of governance I would love to talk to you about today is DORA, which is the Digital Operational Resiliency Act, which is an EU specific piece of legislation.

But it’s a fantastic bit of legislation I’m quite excited about, and that sounds odd to be excited about legislation, but this is a prime day legislation that shows when you consult industry and when you rethink about it and you build on the good work that’s already been done in governance legislation, you can build a framework that can really create positive effects, and particularly in this industry around cybersecurity.

So to answer your question, when coming from architecture, I like to come in from a governance point of view, particularly in the finance industry.

Justin Parisi: There are a good number of people that have problems with regulations and that sort of thing, they think it’s overreach, they think it’s maybe not necessary, but in a lot of cases it’s a protection piece.

It’s protecting your data, it’s protecting your information, it’s protecting your business. And the compliance and the regulations and the lAWS that go into place are often done so because businesses don’t always do a great job of doing this themselves. They put it on the back burner because there’s not a good return on investment when you have to incorporate these sort of regulations. It can get expensive. So that said, this new regulatory compliance thing called DORA, what exactly does it do? Why would a government implement something like that?

Adam Gale: Good question. So if I were to summarize it, really just break down into one sentence, which is drastically oversimplifying a 102 page document of size eight text.

But I would summarize it as, DORA is an attempt to harmonize security across the EU financial sector. And you notice that I say financial sector and I say that specifically because this isn’t just banking, which is the natural thing you would jump to when you think financial sector. This particular bit of legislation targets, banks, third party ICT providers. So think cloud, those sort of things. Insurance, crypto, trading, pensions. It is all encompassing and that list carries on. There is more to it and it is, as I said, an attempt to harmonize security across the EU financial sector and there’s been a lot of good work already done with bolstering the financial sector, particularly when it comes to things like weathering financial storms.

But there hasn’t been a lot when it comes to weathering finance cybersecurity threats, and that is something that I think we all are well aware of is on the increase constantly. I think as a precursor to the war in Ukraine, we saw some significant cyber threats, particularly in the financial institutions in Ukraine, where they cause massive disruption.

And we look at that now and think, well, we have to bolster something which is critical to our way of life, to our fabric. If you can imagine if someone took down the financial institutions or stopped our ability to, for example, use SWIFT, which is ability to move money between banks, that’s the mechanism they use.

It could cause havoc. So this harmonization of security across the finance sector is critical and that is what DORA attempts to achieve. And it does that by building on a lot of the existing frameworks such as the network of information and systems. That’s a bit of regulation, which is really good.

It builds on that. And you probably already heard of cybersecurity frameworks published by people like the National Institute of Standards of Technologies. They’ve got a really good cyber framework, and you can see elements of that in DORA. And just to answer, I’ll speak to a point you mentioned earlier.

A lot of people think that governance regulation is overreach, but this is one of the few pieces that I’ve seen that’s had a really positive reception. The ECU – the ECUC – wow, that’s a mouthful. The European Cloud User Coalition. They’re a group of financiary institutions that get together and generally criticize this whole thing have actually had really positive response to this piece of legislation.

They said, this is fantastic. It’s got a really good couple of pieces in it, which I’m hoping to speak about today that we can take note of and think, yeah, let’s build that into our cyber resiliency plan. Let’s look at that. Let’s bolster our defenses.

Justin Parisi: And as I mentioned, these are done usually to protect businesses and individuals, but in this case, it sounds like it’s also done to protect national security interests because it’s becoming more apparent, as you mentioned with the war in Ukraine, that data security is now national security.

Adam Gale: Absolutely. Yes. I would say it’s just as important now as we look at our things like water utilities. That’s considered critical infrastructure. If you were to remove our ability to access clean water, that would be a significant threat. And if you remove our ability to access our financial institutions, that would also be a significant threat.

So I would lump those two in together. Hence the reason why this has been paid such particular attention. And some of the parts of DORA are really fantastic. I think European Union sees the writing on the wall. Every financial institutional, every customer for that matter I’ve spoken to, has some sort of journey to the cloud. I’ve talked to large banks, they’re putting workloads in it. I talked to payment processing companies. They’re putting workloads. They’re all doing it. And the EU sees this and I think we can’t stop it. That’s fine. But what they want to do is hedge the risk and not putting all your eggs in one basket. So don’t go put all your critical services in Azure and then someone changes the DNS record and it all becomes completely unavailable for a period of time. DORA says have a backup plan, have the ability to repatriate your data or services should a cloud provider fail.

And in the legislation they refer to them as third party ICT providers, but you could read that as cloud or something like that and it has other really cool bits in it too, which are, have the ability to move workloads from ICT providers to another one. So if you are gonna put your Active Directory or you put your payment and processing software in the cloud, which is absolutely key, make sure you can move it seamlessly and quickly to another cloud should you have a failure.

Now, I imagine people like NetApp, people are realizing, oh, that’s great. That feeds in beautifully to what we do in NetApp, doesn’t it? We can address the multicloud story and we can put workloads in multiple places. So when I was reading this and going through it, one, I was thinking, this is really well written.

It’s written by some really smart people, and two, it’s actually helpful. That’s good stuff. Yeah. I want to not be putting all my eggs in one basket. I want to have a backup plan should I need to repatriate that data and things like that.

Justin Parisi: Yeah. And I’m actually surprised this didn’t happen sooner.

I know there was a breach of, was it NHS? Like, five years ago or so with the ransomware attack. And I would’ve thought that would’ve spurred some of this happening sooner, but maybe that got the ball rolling and then the Ukraine thing was maybe this reality check that was like, okay, this is really a serious problem.

Adam Gale: Well, interesting you should mention that DORA’s been in the works for a while, but if you recall GDPR, that was one of those things that I think made a big splash and I’d refer to as having the California effect, which is where California sets some standards and they’re generally very stricter standards.

I’ll use the automotive industry for an example. Their emission standards are very strict, so car manufacturers will generally just adhere to those strict emission standards throughout the world, rather than build multiple cars with different emission standards. So a lot of organizations, when GDPR came out, said, let’s just adhere to GDPR because we’re at some point gonna operate in the EU.

And if they didn’t adhere to it, they just pulled out businesses there. So I see DORA having something of a similar effect. And similar to GDPR, DORA, they started building the proposals back in late 2020. And only recently as adoption day started, which was 2022, we’re currently in a grace period, which means that it’s published, it’s fully accessible, there’s links online.

You can go and read this 102 page size eight document and you’ve got until 2025 before enforcement starts. And by enforcement I mean similar to the way GDPR was enforced. They can find you. They will come and ask for things like, show me your business continuity. Prove to me that you can repatriate data from the cloud providers and show me all these good things that we’ve talked about.

And if you fail to adhere some of the regulation, they can find you. And similar to GDPR, the actual mechanism is a periodic penalty payment of 1% of the average yearly worldwide turnover. So you can imagine for the big providers, for AWS, it’s Googles and that sort of thing, 1% of the average daily worldwide turnover is a very large amount. So people will sit up and notice, and I’ve heard some people comment, oh, well, you know, GDPR didn’t really get enforce, did it? People either left or they just complied to it. Well, it did get enforced.

It really did. H&M recently got fined something like 14 million dollars. You know, there’s been a couple of good examples if you Google them, of they really did apply the GDPR penalties to businesses that were non-compliant. And I see them doing exactly that with this. It’s all there. We’ve got two years to prepare for it.

NetApp can help prepare for it, I should say, as well. And if we don’t, they will apply fines.

Justin Parisi: So has anyone ever done kind of a cost analysis of the amount of money you would spend on fines versus the amount of money it would take to be in compliance with GDPR? Is there an easy way to understand that it’s probably better to go ahead and just take care of it rather than getting fined?

Adam Gale: You know, that’s a really good question actually. I don’t think that’s something that I’ve ever done, but I know you’ve mentioned that I’m gonna take that idea and pretend it’s my own and create a spreadsheet. Yeah, I haven’t done that.

But I think someone should

Justin Parisi: This happens with everything, whether it’s disaster recovery plans, backup plans, cybersecurity plans, right? Companies have a really hard time visualizing the monetary impact of doing these things, and they’re willing to take the risk on of potentially getting fined or breached rather than spending that upfront money because they can’t see the return on investment.

Adam Gale: Mm-hmm. Mm-hmm. And I think sometimes organizations just see fines as cost of doing business, but with this being a penalty payment of about 1% of the average daily worldwide turnover, it gets quite punitive. So I think this one is one of the good ones. I mean, we could easily apply this to figures we can get online, I think, from someone like AWS or Google, and then just start modeling it out. So that’s definitely something I’m gonna do after this podcast actually, I’m gonna go create a spreadsheet.

Justin Parisi: All right.

Adam Gale: Thanks for the idea.

Justin Parisi: Feel free to use that as your own idea. I’m okay with that. So as far as this regulation goes, when does it kick in? Is it already in place or does it get phased in over the next few months or years?

Adam Gale: So it’s in the grace period now. So from 2023, which we’re in now, obviously till the beginning of 2025 is the grace period where it’s all fully accessible and you can even query it.

You can, I’ve emailed the governing bodies and ask them questions about it, and they do respond. So you can ask them and say, how do I do this? How do I prove that? Those sort of questions. I asked a timeline question about the grace period and they responded pretty quickly. So you can ask those questions and start preparing now.

And then in the beginning of 2025 is when they’ll start applying fines. So basically coming and asking for information. Some of the things they’re probably gonna ask you for, I think is, please provide me documentation of your business continuity plan, and please show me your frequency of testing because DORA does say annually test your backup plans. Annually test your ability to repatriate data, all those sort of good things, and they’ll want to see that. And if you don’t show it, or you just basically won’t respond to them. That’s when they’ll apply fines. There’s also other parts of this too, which is the reporting element. So a really good part of this is what they want the institutions to do is to start collaborating, sharing knowledge, and this already happens to a certain extent in some of the larger businesses. I’ve seen some of the large banks, the CISO set up forums and they’ll talk amongst themselves and discuss threats and how they plug those gaps. But what DORA are asking, or EU are asking is to formalize this. Start those discussions with your peers and when you are subject to an attack there is guidance about reporting into the ESAs. Now, the ESAs are the European Supervisory Authorities, and there’s an ESA for each vertical. So there’s an ESA for banking, there’s an ESA for insurance, for example. And if you are subject to a threat, so for example, someone managed to get in and start exposing my data and trying to ask me for some money, I have to report in to the ESA and I have to do it within a certain timeline, and I have to do it within the guidance that they’ve stipulated. And then once I’ve plugged the gap or we’ve dealt with the issue, I need to remediate the risk so it doesn’t happen again, and I need to report back on how I did that too.

So there’s a really good reporting element of this. And I think this is just a personal opinion. This is not something that I’ve read. I think this is a really good way of mapping security threats and seeing almost like a weather map of where they’re coming from or the vectors that people are taking.

And I think that’s gonna be a really powerful tool. Really powerful, indeed. And I should add as well, that When you read DORA, it is very lenient. I mentioned penalties here a few times, like I’m trying to scare people. But what they’re actually trying to do is foster a sense of being fair.

They’re not going to penalize organizations who are one or two people and don’t have all these resources they can bring to bear. So they will be proportionate. And there is leeway, but they’re also saying that when you’re storing critical data, which is very important, you should pay attention to it and you should put all the right mechanisms in place.

And if you’re a big organization with lots of resources and you are seen to be doing nothing, they won’t stand for that either. So there is a lot of proportionality in this, and I think it’s very well written in that sense.

Justin Parisi: Sounds like it’s just taking what we’ve always called best practices and tweaking it a bit to make them required practices.

Adam Gale: It does, doesn’t it? And I think that’s where, as I mentioned at the beginning, this is sort of like an overall harmonization of security. So it takes all those best practices you just mentioned in our existing cyber frameworks, and pulling them all under one banner and then adding in a few additional bits like this ability to repatriate data and it formalizes as well, conducting threat LED penetration testing, those sort of things, and provide standard templates. And then the ESAs, who I mentioned earlier, the European Supervisory Authorities, they will be publishing further technical standards in the future as well to feed into this for their individual areas. So an ESA, for example, for trading will publish something around those, around what they should be doing additionally or what specifically to them.

And the ESAs were also published, who the third party ICT providers are. They’ll say, here’s our list of well-known ICT providers. And I mean, obviously they’re gonna point fingers at people like Google and AWS and people like that. All the big three or four ones. But yes, I think you’re absolutely right there.

This is best practice rolled up into one document with a few additional really good bits, which help us in our cyber protection journey.

Justin Parisi: It’s just a giant punitive TR. That’s all it is. It’s funny cuz like in the States here, our infrastructure, our government, tends to run a little bit behind the curve with technology. They’ll have things that have been working for years. It’s expensive to replace. Maybe the applications are catered to this specific operating system or architecture. So I think that something like DORA isn’t really possible here yet, but I do think that it might be something that is necessary in the future because when you have old systems like that, they can become very vulnerable to attack.

And our infrastructure has some age on it and we don’t necessarily put the money into it that other places might put into it that you would see maybe in Europe. So, that said, do you see countries adopting similar regulations, maybe not just the States, but like maybe South America or maybe in APAC.

Are countries starting to look at DORA as a blueprint for how to do their own regulations?

Adam Gale: I think they are. Yes. I know in the UK we have something similar in the works. I don’t think it’s published yet, and I forget the name of it, but it is gonna be very similar with our additional tweaks onto it.

As you probably know, unfortunately, we exited the European Union a little while ago, so we’ll be writing our own legislation, governing our own things. But I should add that any financial institution, for example, operates in the UK and the EU. They have to adhere to this if they’re operating in the EU.

And I have noticed that America has some really good legislation. I’m not totally up to date with it, but I wouldn’t be surprised if at some point there is something similar to this. With the convergence on cloud, I think everybody sees the risks. Everybody sees that if we keep on putting all our eggs in one basket that’s a threat in itself.

There is strength and diversity when we have multiple workloads, being able to move around different providers and such as that. So, yep, there definitely is. And there will be one for LATAM as well. And when these are cropping up, I am putting them on my radar. Writing about them, thinking about them.

And then it’s kind of obvious too, it’s quite fun when you read these things because you can see who they’ve borrowed stuff from. I guess there’s no point of reinventing the wheel every time. They will go to existing frameworks and not exactly copy and paste, but they’ll take a chunk of it and go, that’s brilliant.

Let’s put that in our own words and let’s put that specific to our country. So yeah, they definitely borrow from each other and there will be regulation coming to bear, I’d imagine in the US and there is some in the UK and LATAM and other areas too.

Justin Parisi: Yeah, it sounds like rather than just borrowing from everybody else and using the same ideas, it might be time for an international standard.

Right? Having a set list of rules and regulations that everyone complies with and when you comply with it, you are considered within the standard.

Adam Gale: That would be the dream for me. I would love that. That would be fantastic if we could group everything under one global reference or framework, all work together, similar to the way in the EU, maybe the ESAs could be countries feeding up into one global strategy.

That would be brilliant. Yeah, I would hope we see that sort of thing in the future that sort of cohesion and working together. Definitely.

Justin Parisi: Maybe we’ll get it after the States adopt the metric system.

Adam Gale: Yeah, maybe, maybe . I would love it if the state’s adopted the metric system. I really would. I mean, but this is coming from a country that uses miles per hour to gauge our speed of our cars, but then discusses things in meters.

So we can’t make our minds up either.

Justin Parisi: But you guys have it in both, right? I think we have it too. I think we have kilometers per hour as well as miles per hour in the same speedometer, whatever.

Adam Gale: We do, we haven’t on our speedometers, but our road signs are all in miles per hour.

And I guess in general, most people talk about miles per hour, but if I’m gonna measure my room, I’m gonna give it to you in meters. So I pick and choose metric and then don’t even get started on the way we measure drinks because that’s just a whole new level of complicated.

Justin Parisi: For sure. All right.

So, I know that NetApp has some solutions that we position for cybersecurity and resiliency. As an architect, you have to think about these things every day. So I would imagine you have a short list of things that you bring up with your customers when you’re trying to tell them how to set things up, right? What is the pitch that you give to your customers when you’re doing this?

Adam Gale: First of all, it does depend on where the customer is in their journey. Generally, when you speak to large organizations, as you mentioned, this is best practice with some stuff led on top. So they’re really quite far down the journey, in which case, that’s great.

You can just show them the stuff that you think they’re missing and start plugging those gaps. But if it’s an organization that hasn’t really started, you kind of wanna start from the beginning. And as I said, look at where you’ve been and what you’ve got. Because if you know what you’ve got, you can then start planning where you’re gonna go and what you can do with it.

And then I built a five step program. I say that like it’s something special, but it’s just. First, identify all the key people in your organization, roles and responsibilities. Who would be affected by this, who need to know about it? So a medium sized business. Go look at your CISO, for example, or go talk to your data protection officer.

Go get those people and say, are you aware of this? And then step two would be look around all your third party ICT providers. So for example, if we took a UK business but we operated in the EU, too, go look at all the third party. Are we using cloud? Are we using a payment processing, electronic money institutions?

Are we using credit institutions? They’re all things that I need to be looking at and saying, let’s put them on the list and let’s start asking them what they’re doing about DORA, and then let’s look at at what information we’re storing with them. So it kind of follows a logical process of steps to go through it to start identifying where you are and what to start doing.

And then for the more advanced people there is the tools and resources we can bring to bear and NetApp. And I guess as I’ve been saying this, alarm bells have been ringing. We have, in my opinion, pretty much the best portfolio of products and services to bring to bear. As I was reading DORA, I was like, oh, wow, is someone from NetApp working in EU writing this?

Because we’ve got all the cool stuff. We’ve got the multicloud journey. We can move workloads between it. To answer that question about having no one workload in one place, and that being a single point of failure. We have immutable backups, we have snapping that we can automate when there’s been a breach of some sort.

And then we can even automate reporting and responses. So that’s fantastic cuz that answers the reporting element of DORA as well and we’ve got all the great documentation. I’ll go even one step further and we have some of the best ransomware protection services available on the market, such as behavioral analytics beyond box stuff, which I’ve been playing with myself, and it’s just phenomenal.

So we really do, depending on the journey of the customer, how far along the are, start talking about some of these great tools that we can use. One of my favorite one is the dedicated threat monitoring service. The one that you know is run by a team of experts. 24 by seven, 365 days a year where NetApp will help you in the event of a breach.

And we’ll keep all your code and all your things up to date. I’m probably telling you things that you absolutely already know and everyone else already knows, but to me this is quite exciting stuff. So that’s one that I definitely like to talk about with customers because there is a massive amount of protection afforded in there.

One of the main tools, which always, always gets a lot of air time with my customers and questions is the classification and location of our data. The fact that we could use BlueXP to look at things and say, where is the data? Where does it sit? And you can get a nice little map of it and we could look at open permissions, those sort of things like how much of the data in my organization is open to the entirety of the company because that would be a security risk.

Having data that’s open to everyone unless it was meant to be, those sort of things are super powerful and then been able to place them in buckets and start the journey from there. So I guess in response to your question, I bring to bear pretty much everything NetApp has and we have some of the best stuff to answer the questions here in DORA.

And it’s fun talking about it. Obviously everyone wants to be on the winning team, don’t they? And I quite like talking about this because we have an answer and we can help. We certainly can help.

Justin Parisi: And I know there’s some off- tap stuff, where you have Cloud Data Sense and Cloud Insights.

Are you talking to customers about those as well?

Adam Gale: Yes, we are. Yeah, we’re definitely talking to ’em about those. Generally I bring a specialist along with me to discuss those things. Cause being relatively new to NetApp, I don’t know all the terms and tend to get mixed up a little bit, I should say.

I’ve already been here about five months, six months now, I think. So I tend to bring a specialist along with me to have a chit chat, but we are definitely talking about those things. Yeah. And those are things that help us on that journey to building a a solid cybersecurity plan.

Justin Parisi: So when you’re talking to companies about the new regulatory environments and you bring NetApp into the discussion, what’s the response like? Is it surprise? Is it, you know, Hey, I didn’t know you had all this stuff. That’s pretty cool. Or is it just indifference like, oh yeah, everybody has this.

Adam Gale: I would say it’s definitely one of surprise. I spoke to a payment processing organization only yesterday, actually. And they’re an American based company, but they have offices and they have subsidiaries in the European Union.

So it was very important to them to look at this. One, they were surprised cuz they didn’t even know what it was. So when we went back to GDPR and I talked about GDPR and then likened it to that and likened it to the way that this is gonna be like that, with fines, but for financial institutions and we need to look at our data and what we’ve got and where we’re placing it.

It started, you know, making them think and they’re like, oh yeah, great, great. And then we got to the end of it and then went, okay, I’m a bit worried now. And I was like, why a bit worried? And we said, well, we don’t know what to do. And then we started talking about all the things that NetApp does and can do.

All the things that I’ve kind of talked about, like a gap analysis or using Data Sense and those sort of things, and looking at the whole thing holistically too. So for example looking at your endpoint protection, your network, your applications, and your data. So defense in depth, and NetApp can help all along the way, right down to the crown jewels, which is your data, with really cool technologies like the encryption blocking or MAV, which I think Multi Administrative Verification. I love talking about that one actually. Cause I always give someone the idea of, it reminds me of two people turning the nuclear keys in a nuclear submarine in a Hollywood movie.

Like it takes two people to do a mass event, like a massive delete or a massive copy or something like that on a NetApp box. Then you can use MAV to stop these bad things happening. Stop your data being mass deleted, or something along those lines. So one, they started off a little bit shocked.

They were, oh, great, we, we need to get on top of this. And then they were a little bit like, oh, how, where do we start? And then when we started talking about all the products and services that NetApp have that fit into this, they were about all brilliant. Brilliant. I think we kind of eased their concern a little bit and I think they were happy that they already had us in play and were talking to us and we’ve started down that journey now of looking at their data, classifying, placing into buckets and saying, what are we gonna do with each one?

Justin Parisi: All right. Adam, sounds like we got a lot to think about when we are talking about regulation and compliance, and DORA sounds like a really good advancement in that space. So if we wanted to find more information about this or NetApp products or anything that you do where would we do that?

Adam Gale: So first of off, you can just Google DORA.

And there is a link obviously in Google to the Legislative Act itself. It is a bit of a difficult read, as I said. So I’ve got a document where I’ve just taken all that and then condensed it into easy speak. Feel free to reach out to me and you can peruse that at your leisure. And I have like the five easy steps to get going into.

And I’ve also created a one pager for any account teams at NetApp that are interested in this, which is just, what is DORA? Why and when, and then some of the services that we have, that can help. But if anyone wants to talk at all for any reason, feel free to pick up the phone and just give me a call or email me or hit me on social media.

Anything more than happy to engage and love to speak to customers. So anything at all, please do get in touch.

Justin Parisi: So Adam, when I Google DORA, I get this.

Dora: Hi, I’m Baby Bear. Hi Baby Bear. I’m Dora and I’m Boots. We’re going the Bears House with very sleepy bear. We gotta keep her up until we get there. I wanna see my mama before a winter’s nap. I gotta stay awake. Gotta stay awake till we get back.

Justin Parisi: Are you familiar Dora the Explorer?

Adam Gale: I am, I am. It’s funny because my wife looks like Dora, which she’s an adult, right? I’m not married to a small cartoon character.

Justin Parisi: All right. So Adam, again, thank you for joining us and talking to us all about the regulatory environment with DORA, as well as how NetApp can help.

All right, that music tells me it’s time to go. If you’d like to get in touch with us, send us an email to or send us a tweet @NetApp. As always, if you’d like to subscribe, find us on iTunes, Spotify, Google Play, iHeartRadio, SoundCloud, Stitcher, or via a If you liked the show today, leave us a review.

On behalf of the entire Tech ONTAP Podcast team, I’d like to thank Adam Gale for joining us today. As always, thanks for listening.

Podcast Intro/Outro: [Outro]


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s