Navigating DORA: The Rising Compliance Challenges for Tax Teams and IT Partners
- Flexi Group
- Mar 13
Tax teams and the IT professionals they rely on must remain vigilant as compliance requirements continue to increase, warns Richard Sampson, chief revenue officer at Tax Systems. These teams depend on an expanding array of technology solutions to facilitate data storage, real-time reporting, and regulatory compliance while also ensuring robust cybersecurity measures against cybercriminals. With cyber threats escalating significantly in 2024 and expected to grow further in 2025, cyber resilience remains a top priority across the financial sector.

This heightened focus on cybersecurity is one of the primary reasons the EU has introduced the Digital Operational Resilience Act (DORA). This regulation mandates that financial organizations, including tax specialists, establish and maintain strong cybersecurity programs. DORA’s main objective is to enhance the digital resilience of financial firms and their third-party IT providers, which means any service providers working with DORA-regulated entities will be subject to increased scrutiny. Furthermore, the regulation requires financial institutions to share cybersecurity threats and vulnerabilities to strengthen collective defense measures.
For UK-based businesses, a similar approach is anticipated, much like the implementation of GDPR, where the UK government introduced an equivalent framework. While the UK has not yet established its own version of DORA, it was mentioned in the King’s Speech last year, indicating that such legislation is likely forthcoming. In the meantime, UK IT suppliers that support financial entities operating within the EU would be wise to align with DORA’s requirements regardless, given the potential impact of this regulation. Compliance with DORA may not only determine success in securing new business but could also influence the retention of existing clients. Companies found in breach of DORA face severe consequences, with fines amounting to 2% of their total global revenue.
Additionally, DORA introduces a specific category for ‘critical third-party providers’—companies deemed essential to the operations of numerous financial institutions or those that support systemic functions. These providers are now subject to oversight and inspections by European Supervisory Authorities, which also have the power to impose fines for non-compliance.
Given the operational impact of DORA, financial institutions and their IT suppliers must take strategic action to ensure compliance. The regulation establishes specific criteria for contracts between financial firms and IT vendors, designating certain IT services as ‘critical or important.’ Under DORA, functions classified as ‘critical or important’ are those whose disruption would significantly harm a company’s financial performance, such as payment processing and transaction management. Organizations must identify these key services to determine which contractual obligations apply.
IT partners must also perform risk assessments, implement mitigation procedures, and demonstrate resilience in the face of potential threats. They are required to actively monitor, manage, and report incidents, leveraging automated reporting solutions whenever possible. Regular resilience testing is another essential component, including continuity planning and scenario-based evaluations. Comprehensive documentation of these resilience efforts must be maintained alongside detailed mitigation strategies to prepare for potential disruptions.
The regulation also sets forth strict requirements for contracts between financial institutions and IT vendors. Financial entities must draft agreements that align with DORA’s detailed provisions, while IT partners must update their master service agreements to reflect compliance with the regulation. These contracts must include clear provisions for responding to audits and ensuring accountability.
Another key requirement under DORA is the creation of an information register that records all IT partner contracts and relationships within a financial institution. This register must also account for subcontractors utilized by IT partners, ensuring that all relevant parties adhere to DORA’s regulatory framework where applicable.
For IT suppliers supporting financial institutions, compliance with DORA necessitates increased vigilance, particularly in identifying vulnerabilities. Implementing automated solutions that increase the frequency of vulnerability scanning, paired with a comprehensive reporting platform featuring key performance indicators, will be crucial in demonstrating ongoing compliance. Equally important is the introduction of DORA-specific employee training to ensure that compliance measures are both robust and well integrated within the organization.
The demands imposed by DORA will require considerable investment in terms of time, money, and resources. This will create additional financial pressure on both financial institutions and IT partners as they strive to meet these heightened security and compliance requirements. Organizations must seek ways to balance higher service levels with operational efficiency while managing costs effectively. However, one fact remains clear—while achieving DORA compliance comes at a cost, the penalties and reputational damage resulting from non-compliance could be significantly more severe.
Ultimately, DORA establishes a broad framework of responsibilities that IT partners must prioritize if they have not done so already. Failure to act could jeopardize both their own operational resilience and that of their financial clients, leaving them vulnerable to severe enforcement penalties and reputational risks.