DORA compliance: why cross-departmental collaboration is non-negotiable

Koen Vercauteren, Product Management Leader at Birdseye

May 26, 2025

As we covered in our previous blog, the Digital Operational Resilience Act (DORA) goes far beyond simply setting up a contract log. True compliance requires an ongoing, organization-wide management process involving multiple departments. That’s why close collaboration between Risk & Compliance, IT, Procurement, and Contract Management is essential.

Why collaboration is the foundation of DORA compliance

DORA is designed to break down silos. Organizations that typically operate with strictly separated departments will find that meeting DORA requirements demands a multidisciplinary approach. Risk & Compliance teams not only need insight into contracts with IT vendors, but also a clear understanding of the operational risks those vendors may introduce. That makes close cooperation with IT and Procurement non-negotiable.

While Risk & Compliance is responsible for ensuring regulatory compliance, DORA requires them to take a broader, more integrated view. This includes working closely with IT to understand the technical infrastructure and contract landscape, and with Procurement and Contract Management to ensure that vendor agreements are both compliant and continuously monitored and updated as needed.

Managing external vendors under DORA requirements

Procurement plays a key role in managing contracts and relationships with external vendors and service providers. DORA introduces strict requirements around cyber resilience and ICT risk management—meaning all third-party vendors must meet defined standards for security and continuity.

Procurement teams must negotiate contracts that clearly outline service level agreements (SLAs), cybersecurity obligations, and liability. Only vendors that meet DORA’s standards should be onboarded or retained—this minimizes risk and ensures operational stability.

No ‘CDO’—Just Shared Responsibility

DORA doesn’t require organizations to appoint a Chief DORA Officer. Responsibility for compliance stays within existing roles, primarily in Risk & Compliance. However, the impact of the regulation extends far beyond this department.

IT is critical to ensuring technical resilience. They oversee the infrastructure and make sure systems are robust and secure. But IT alone can’t assess vendor compliance. That requires input and coordination from Contract Management and Procurement—teams that understand vendor terms and manage contractual enforcement.

Procurement and Contract Management, in turn, must look beyond pricing and delivery terms. Contracts must include clauses for cybersecurity, risk monitoring, and regular reporting. That’s why they need to work closely with Risk & Compliance to ensure that all vendors stay compliant over time.

What does successful collaboration look like?

To make cross-functional collaboration work, several elements need to be in place:

  • Clear responsibilities: Every team must know exactly which part of DORA compliance they own. Roles and duties should be documented so there’s no ambiguity.
  • Structured communication: Regular meetings between Risk & Compliance, IT, Contract Management, and Procurement can help spot and solve issues early.
  • Real-time access to shared data: All teams must be able to access the same, up-to-date vendor and risk information. That calls for a centralized, standardized, and automated reporting structure.

DORA as a catalyst for integrated collaboration

DORA isn’t just an obligation—it’s an opportunity to improve the way teams work together. By forcing departments to look beyond their own scope, DORA encourages an integrated, end-to-end approach to digital resilience.

Organizations that invest in structured, cross-functional collaboration won’t just meet the requirements—they’ll also build a more resilient, future-proof foundation.

In the third and final blog in this series, we’ll explore the most common challenges companies face when trying to manage contracts in line with DORA—and how to overcome them.
