Digital Operational Resilience Act (DORA) Steps for IT contractors to achieve compliance
27th January, 2025
The European Union's Digital Operational Resilience Act (DORA) is a critical piece of legislation that is designed to strengthen the ability of financial entities to manage and respond to cyber risks, and maintain secure financial markets in the face of technological threats.
Whilst DORA is an EU regulation, it impacts suppliers to EU financial institutions, either directly or as part of a supply chain, where a failure of that supplier's service would materially impact the operations of that financial institution.
Over recent months since DORA’s implementation, we have seen our UK IT supply chain clients being asked about DORA compliance and contractual flowdowns being imposed against DORA requirements.
In this article we summarise the impact of DORA on UK suppliers and subcontractors, and suggest how businesses who are in the supply chain for financial institutions should be working towards compliance.
Key Provisions
- Review and update internal risk management processes for DORA compliance
DORA requires financial institutions and their third party service providers to adopt robust risk management frameworks to identify, assess and mitigate ICT risks, and establish comprehensive business policies to ensure that both direct and indirect risks are adequately addressed. Subcontractors and suppliers will increasingly find that these DORA obligations are passed through contractually.
UK suppliers should review their internal risk identification processes, vulnerability management and cybersecurity practices (including encryption, multi-factor authentication, and other protective measures) against DORA requirements, and should be prepared to demonstrate that their systems are resilient against emerging data breaches and cyber threats.
- Implement DORA compliant reporting procedures
Under DORA, all supply chain entities are required to maintain internal reporting procedures for any significant ICT-related incidents to ensure that any disruptions are identified and acted upon quickly. This includes requirements for reporting incidents to clients and, if necessary, regulatory authorities within 24 hours.
UK suppliers will need to consider implementing similar internal reporting procedures for ICT incidents and establish clear communication lines with their client. Developing a streamlined protocol for reporting disruptions promptly will be critical in meeting DORA’s requirements.
- Prepare for heightened due diligence and contract negotiation
One of the most critical aspects of DORA is its emphasis on third party risk management. This provision requires financial institutions to conduct regular assessments of the risks posed by third party service providers and subcontractors, especially in terms of system vulnerabilities and service disruptions.
UK suppliers and subcontractors must prepare for heightened due diligence requirements from their clients – not just on their own systems but on any subcontracted elements. Negotiating comprehensive business continuity provisions in subcontract agreements will become increasingly important, along with reviewing the commercial implications of such requirements before contract signatures.
- Be prepared for resilience testing
The regulation requires financial institutions to regularly test their systems for resilience to identify, mitigate and eliminate any critical gaps in the resilience measures.
UK suppliers can expect to see more stringent provisions from their clients around resilience and testing, including vulnerability assessments, disaster recovery plan evaluation and system stress tests. Suppliers will likely be required to undertake such testing and bear the cost and time associated with these requirements.
- Update information sharing policies and ensure contractual and GDPR compliance if sharing data
DORA encourages financial institutions, regulators and third party service providers to establish cross-border arrangements amongst themselves to address the risk of ICT incidents and share relevant information during and after any such incident.
UK suppliers should consider their information sharing protocols and policies, and assess what impact sharing with DORA regulated entities or their subcontractors may have on existing policies, including commercial data and, importantly, any personal data in accordance with GDPR. This will involve reviewing confidentiality agreements and data sharing provisions, and ensuring compliance with applicable data protection laws across jurisdictions.
How we can help
We are currently advising UK supply chain businesses and assisting with their compliance with the above areas, including:
- Undertaking gap analysis work of supplier processes, policies and contracts against DORA compliance;
- Advising on information sharing requests within contracts as against GDPR compliance and negotiating accordingly;
- Negotiating DORA flowdown provisions within supply chain contracts.
To discuss the impact of DORA on your business and how Ward Hadaway can help, please get in touch.
Article co-authored by Divyanshi Gupta, Trainee Solicitor.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.