Third-party risk management and contract lifecycle management

How managed services can bring peace of mind to DORA third-party risk management

  • Insight
  • 7 minute read
  • December 05, 2024

The Digital Operational Resilience Act (DORA) raises the bar for the management of third-party risk. Without effective preparation, these new demands have the potential to become a legal and operational minefield for financial services (FS) organisations. Key challenges include overhauling what could be hundreds of supplier contracts and ramping up supplier due diligence and ongoing risk monitoring. But with the right combination of increased capacity and legal, operational and FS industry expertise, this is an opportunity to strengthen resilience and build greater confidence in your ICT supply chain. So how can you bring together the capabilities you need to capture this opportunity?

Your business is only as resilient as the weakest link in its ICT supply chain.

According to the PwC Digital Trust Insights 2025 survey, third-party breaches rank among the top three cyber threats that Financial Services institutions are most concerned about. Additionally, the survey highlights that one in three organisations feel unprepared to handle a third-party incident that could impact core business operations.

Third-party risk management has been included as one of DORA’s core pillars alongside ICT risk management, incident reporting and digital operational resilience testing. The provisions also form part of the delayed regulatory technical standards on sub-outsourcing. With the January 2025 go-live date approaching fast, FS organisations are discovering the challenges associated with this third-party pillar.

DORA third-party risk management

Racing to update contracts

The first hurdle is reviewing and updating what could be many hundreds of supplier contracts. Contractual agreements with ICT third-party service providers should meet DORA's compliance demands and incorporate the relevant clauses (such as the right to audit) needed to support the monitoring of third parties that becomes mandatory from 2025.

To give an indication of the potential scale of the task and the time involved in the DORA-driven contract updates, a mid to large size FS organisation would typically have at least 500 ICT contracts in place. It would usually take at least two to three hours to review a contract, identify amendments that might be required and tailor the changes to the DORA demands. In turn, contract negotiation with each supplier would take between three and five hours in a best case scenario, but possibly significantly more if the parties have significant differences. So at the very least, DORA contract review and amendment would add 2,500 hours to the workload of already hard-pressed legal teams, though quite conceivably 4,000 or more. Where a more demanding standard is applied, these numbers could be much higher, because most organisations have a mixture of arrangement complexity levels. Some institutions will seek to avoid the initial review time and send out blanket amendments addressing all DORA requirements, but this is likely to provoke more pushback and so extend the negotiation time.

Moreover, while legal teams play a crucial role in this process, it’s important to adopt a multidisciplinary approach. Collaborating with operational, compliance, cybersecurity and technology specialists can help establish that the contracts not only meet legal requirements, but also align with practical, operational needs. This approach can mitigate the risk of missing important clauses and enhance third-party resilience.

What’s needed to make this process manageable and potentially beneficial is a blend of specialist legal and operational expertise, underpinned by technology that can accelerate and scale up contract review and negotiation. The whole programme should be built on a risk-based contract renegotiation strategy, combining a strong focus on the most critical third parties with measures to mitigate broader third-party risk exposure.

Monitoring the risks across extended supply chains

Getting over the compliance line in areas such as contract amendment is just the starting point. DORA also means you’ll need to carry out due diligence over ICT suppliers’ ability to sustain resilience. You'll also need to continually monitor third-party risks by understanding their tangible ICT risks, identifying the right indicators and measures to govern them, and intervening when necessary.

The first big question is whether you have the in-house resources – technology as well as talent – to deal with the increased workload, and whether your people’s time is best spent on these tasks. The underlying consideration is trust – do you have confidence that your suppliers understand what DORA requires and how to meet the demands? Are you tracking the continuous evolution of cyber threats and translating it into controls dedicated to third parties?

The answer is often no, especially among fintechs and other smaller contractors, who may lack the expertise and dedicated compliance teams to manage complex FS regulatory demands like DORA. They’re going to need advice and support as well as monitoring.

We run, you accelerate

We’ve been advising a range of FS clients and ICT Providers on how to comply with DORA. What comes through strongly from this work are the challenges many clients face in assembling the necessary capabilities. Many are also finding it difficult to build trust in operations that they don’t directly control.

When it comes to addressing these client challenges, we realised that our managed services could provide an important part of the answer – particularly in terms of expertise, capacity and reach. We don’t just design solutions, we can also help take care of the practical demands of DORA, including contract repapering and day-to-day risk monitoring.

Our support goes beyond simply bridging capability gaps. By bringing together legal, operational, cybersecurity and FS industry expertise, we can develop and deliver solutions that can bolster resilience and confidence, while being adaptable to the needs and expectations of suppliers. This is what we mean by focusing on the spirit rather than just the letter of DORA compliance.

We can also anticipate the challenges that are likely to come up and how to address them, thanks to our wide-ranging and hands-on experience in this area. By working closely with both FS organisations and their contractors, we also know how to manage the nuances and complexities of niche areas such as technology contracts and software-as-a-service business models. To take care of the workload, we combine this with advanced tech tools and dedicated centres of excellence in cyber, legal and Contract Lifecycle Management (CLM).

We know that you need to work at pace, and with extreme precision, on a large scale. By collaborating with our tech alliance partners, we can deploy leading legal-tech artificial intelligence (AI) tools. In a recent example, we identified and updated the relevant terms ready for review and approval across hundreds of supplier contracts, massively reducing the time needed for contract reviews. AI is not only used at the review stage to determine the existence of specific risks or to identify the clauses that need to be added and changed. It can also be configured with specific parameters for what would be acceptable if contractors want to amend the updated terms. Using AI also has a big benefit for your teams. As well as saving time and cost, it means your legal teams – either in-house or from our legal managed services team – can focus their time on potentially contentious and contested areas of the contracts.

Our human-led, tech-powered approach means that we can offer due diligence services and risk monitoring at a greater capacity, with more consistency and wider reach. In a recent example, we deployed AI to help us develop a register of information from suppliers on an ongoing basis, tying this back to the updated contracts. We then sent the information packs to suppliers to see whether they had any issues with the data being asked for, before working with them to resolve concerns. Once agreed, those packs can be used as a basis for regular risk monitoring.

Finally, we can bring you greater flexibility, customising managed services to your needs. You get support for as long as you need it, with no fixed term contracts. For example, many clients have come to us for help in setting up their compliance programme and running it during the initial period. This leaves them free to choose whether to take the programme in-house at a later stage, or keep the managed service support in place over time.

Coming through stronger

Our goal is to turn DORA into a positive impact on your business. With the right support, you can not only comply with confidence, but also use it as an opportunity to become more resilient and improve the oversight you have across your third-party suppliers.

For those who missed our first article, we explored how PwC's cyber managed services can enhance your DORA resilience journey. Check it out to see how our solutions can help you navigate DORA compliance complexities.

To learn more about our legal and cyber managed services and how they can assist you in meeting DORA's demands, please get in touch.

Authors

Moira Cronin

Partner, PwC Ireland (Republic of)

Andrew Schembri

Partner, PwC Malta

Samantha Trama

Director, DORA Lead, PwC Italy

Director, EMEA DORA Leader, PwC Italy. Samantha is Director of PwC Cybersecurity & Privacy with over 13 years of experience in Information Security for the Financial Services market. She collaborates with primary Banking and Insurance institutions in the field of Cybersecurity Strategy, Governance and operating models, M&A and Outsourcing, Business Continuity and Digital Operational Resilience, as well as in the implementation of strategic plans based on a "strategy through execution" approach.

Contact us

Rami Feghali

Partner, Global Risk Services FS Leader, Risk Services Leader, PwC France

Tel: +33 (0) 1 56 57 71 27

Grant Waterfall

Partner, EMEA and Germany Cybersecurity & Privacy Leader, PwC Germany

Tel: +49 170 1553647
