DORA do right
The EU Digital Operational Resilience Act (DORA), which applies from 17 January 2025, requires financial entities to secure their own operational and cyber resilience and to manage the risk arising from their third-party ICT service providers. The supplementing Commission Delegated Regulation (EU) 2024/1773, which specifies the policy on contractual arrangements for ICT services supporting critical or important functions, goes further: Article 6(1)(f) requires that the pre-contractual due diligence also assess whether each provider “acts in an ethical and socially responsible manner, respects human rights and children’s rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions”.
Although this assessment must be carried out before a provider is contracted, neither DORA nor the Delegated Regulation prohibits a financial entity from engaging a third-party ICT service provider that scores poorly against these criteria. The outcome of the assessment should instead feed into the entity's risk assessment and its decision on whether, and on what contractual terms, to proceed.
What is required by Article 6(1)(f) of Commission Delegated Regulation (EU) 2024/1773?
In conducting their assessments under Article 6(1)(f) of Commission Delegated Regulation (EU) 2024/1773, and having regard in particular to the Charter of Fundamental Rights of the European Union, the European Convention on Human Rights, the International Labour Organization Conventions and Declarations, the UN Guiding Principles on Business and Human Rights, and the EU Corporate Sustainability Due Diligence Directive, financial entities should consider matters including:
modern slavery;
child labour;
data protection and privacy;
collective bargaining and union membership;
equality and erasure of unlawful discrimination;
sanctions;
net zero;
whistleblowing.
To carry out such assessments, financial entities should consider issuing questionnaires for third-party ICT service providers to complete, combining questions that call for binary (yes/no) answers with questions that call for narrative responses, administered either directly or through a third-party due diligence service. It is reasonable to expect larger companies to have more sophisticated policies, procedures, processes and targets than smaller companies. At least for larger companies and/or higher-risk contracts, consideration should be given to requesting copies of the relevant policies and procedures, and to requiring that any updates to them be provided throughout the term of the contract, so that the assessment remains current rather than a one-off exercise at onboarding.
To support financial entities in conducting their assessments, Handley Gill’s specialist ESG and human rights consultants have prepared a free Helping Hand ethical, social and human rights due diligence checklist of questions that financial entities could consider posing to their third-party ICT service providers. While the checklist is intended to support compliance with DORA due diligence obligations, it may have general application for organisations wishing to assess their own and their supply chain’s compliance with ethical and social responsibilities, including human rights, environmental and sustainability, and employment/labour law obligations.
Find out more about our ESG and human rights services.