Koen Vercauteren, Product Management Leader at Birdseye
As we covered in our previous blog, the Digital Operational Resilience Act (DORA) goes far beyond simply setting up a contract log. True compliance requires an ongoing, organization-wide management process involving multiple departments. That’s why close collaboration between Risk & Compliance, IT, Procurement, and Contract Management is essential.
DORA is designed to break down silos. Organizations that typically operate with strictly separated departments will find that meeting DORA requirements demands a multidisciplinary approach. Risk & Compliance teams not only need insight into contracts with IT vendors, but also a clear understanding of the operational risks those vendors may introduce. That makes close cooperation with IT and Procurement non-negotiable.
While Risk & Compliance is responsible for ensuring regulatory compliance, DORA requires them to take a broader, more integrated view. This includes working closely with IT to understand the technical infrastructure and contract landscape, and with Procurement and Contract Management to ensure that vendor agreements are both compliant and continuously monitored and updated as needed.
Procurement plays a key role in managing contracts and relationships with external vendors and service providers. DORA introduces strict requirements around cyber resilience and ICT risk management—meaning all third-party vendors must meet defined standards for security and continuity.
Procurement teams must negotiate contracts that clearly outline service level agreements (SLAs), cybersecurity obligations, and liability. Only vendors that meet DORA’s standards should be onboarded or retained—this minimizes risk and ensures operational stability.
DORA doesn’t require organizations to appoint a Chief DORA Officer. Responsibility for compliance stays within existing roles, primarily in Risk & Compliance. However, the impact of the regulation extends far beyond this department.
IT is critical to ensuring technical resilience. They oversee the infrastructure and make sure systems are robust and secure. But IT alone can’t assess vendor compliance. That requires input and coordination from Contract Management and Procurement—teams that understand vendor terms and manage contractual enforcement.
Procurement and Contract Management, in turn, must look beyond pricing and delivery terms. Contracts must include clauses for cybersecurity, risk monitoring, and regular reporting. That’s why they need to work closely with Risk & Compliance to ensure that all vendors stay compliant over time.
To make cross-functional collaboration work, several elements need to be in place:
DORA isn’t just an obligation—it’s an opportunity to improve the way teams work together. By forcing departments to look beyond their own scope, DORA encourages an integrated, end-to-end approach to digital resilience.
Organizations that invest in structured, cross-functional collaboration won’t just meet the requirements—they’ll also build a more resilient, future-proof foundation.
In the third and final blog in this series, we’ll explore the most common challenges companies face when trying to manage contracts in line with DORA—and how to overcome them.