Donor IT Requirements
Currency notice
This page reflects the donor compliance landscape as of December 2025. The humanitarian funding environment underwent fundamental changes during 2025, including the dissolution of USAID and significant reductions to FCDO and UN agency budgets. Requirements for active donors are current; USAID content is retained for organisations managing legacy awards. Verify specific requirements with donor representatives before relying on this guidance.
Donor IT requirements are contractual obligations governing technology systems, data protection, and cybersecurity that organisations must implement when receiving institutional funding. These requirements derive from donor regulations, award terms, and information security frameworks. The compliance landscape shifted dramatically in 2025 when the United States dissolved USAID, the United Kingdom reduced aid spending to 0.3% of GNI, and UN agencies faced funding shortfalls exceeding 40% against identified needs. Organisations now navigate a contracted funding environment where remaining donors maintain rigorous compliance expectations despite reduced overall capacity.
This page addresses requirements from currently active donors: the UK Foreign, Commonwealth and Development Office (FCDO), European Union funding instruments, and UN agencies. Legacy USAID requirements appear in a separate section for organisations managing existing awards or historical compliance records.
- Award terms: Binding conditions attached to a specific grant or contract that may supplement or modify standard donor regulations.
- Flow-down requirement: An obligation that prime recipients must impose on subrecipients and subcontractors.
- Covered system: An information system that stores, processes, or transmits donor-funded data or connects to donor systems.
- Legacy award: A grant or contract issued before donor restructuring that remains active under original terms until completion or termination.
Current funding landscape
The 2025 restructuring fundamentally altered institutional humanitarian funding. Understanding this context informs compliance strategy and resource allocation.
Donor funding changes: 2024-2025
| Donor | Status | Change | New awards |
|---|---|---|---|
| USAID (United States) | Dissolved (July 2025) | 86% of programmes terminated; ~900 programmes remain under the State Department | None |
| FCDO (United Kingdom) | Operational (reduced capacity) | Aid budget falling from 0.5% to 0.3% of GNI by 2027 (~40% cut); 350+ voluntary staff exits in 2025 | Yes, with multi-year allocations planned |
| European Union | Operational (stable) | Horizon Europe EUR 93.5 billion (2021-2027); NDICI-Global Europe continues | Yes, regular call cycles |
| UN agencies | Operational (severe funding crisis) | UNHCR: 30% staff reduction, 3,500 positions eliminated; WFP: 30% workforce reduction anticipated; 40%+ funding shortfall against 2025 needs | Yes, through the UN Partner Portal |
The concentration of funding among fewer donors increases the compliance burden for each remaining relationship. Organisations previously managing diverse donor portfolios now face heightened dependence on EU and UN mechanisms, where compliance failures carry greater consequence.
FCDO requirements
Section current as of December 2025. FCDO continues active programming with reduced budget.
The UK Foreign, Commonwealth and Development Office applies IT requirements through Standard Grant Conditions, Accountable Grant Arrangements, and the Supplier Code of Conduct. Despite budget reductions, compliance requirements remain unchanged; the reduced funding available increases scrutiny on organisations receiving awards.
Security certification
FCDO mandates Cyber Essentials certification for contracts above specified thresholds. This requirement has not changed despite budget reductions.
| Contract value | Certification required | Renewal |
|---|---|---|
| Under £25,000 | None mandated | N/A |
| £25,000 to £100,000 | Cyber Essentials | Annual |
| Over £100,000 | Cyber Essentials Plus | Annual |
Cyber Essentials certification must be current at award signature and maintained throughout the contract period; certificates are valid for twelve months, so a missed renewal creates a gap. Lapsed certification constitutes a compliance breach. The certification covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management (security update management). Cyber Essentials Plus adds an independent technical audit of the same controls, including vulnerability scanning of in-scope devices, on top of the self-assessment.
Organisations should budget 4-6 weeks for initial certification and schedule renewal 8 weeks before expiry to avoid gaps. Certification costs range from £300-500 for Cyber Essentials to £1,500-5,000 for Cyber Essentials Plus depending on organisation size and assessor.
Data protection obligations
FCDO requires compliance with UK GDPR and the Data Protection Act 2018. For programmes involving beneficiary data, FCDO typically acts as controller or joint controller, creating specific obligations for implementing partners.
| Obligation | FCDO expectation | Evidence required |
|---|---|---|
| ICO registration | Current registration matching actual processing activities | Registration certificate |
| Lawful basis | Documented basis for each processing activity | Processing records; LIA where using legitimate interests |
| Privacy notices | Information provided to data subjects in accessible format and local language | Sample notices; translation records |
| International transfers | Appropriate safeguards for transfers outside UK adequacy area | SCCs, TIA documentation, or other transfer mechanism |
| DPIA | Completed for high-risk processing; shared with FCDO on request | DPIA documents |
| Subject access | Response capability within one month | Procedure documentation |
| Breach notification | Report breaches affecting FCDO data within 24 hours | Incident response procedure |
The 24-hour breach notification window is shorter than the 72-hour UK GDPR requirement to supervisory authorities. FCDO expects notification to its programme manager and central security team before or concurrent with ICO notification.
Incident reporting
FCDO requires security incident notification within 24 hours of discovery for any incident affecting FCDO data or systems. The notification must include:
- Nature and scope of the incident
- Data categories and approximate number of individuals affected
- Actions taken to contain and remediate
- Risk assessment for affected individuals
- Proposed notification to affected individuals (if applicable)
Maintain an incident log throughout the award period. FCDO auditors review incident records to verify both occurrence reporting and response adequacy.
Cloud and hosting
FCDO prefers UK or EU data centres for programme data. Non-UK/EU hosting requires documented justification and safeguards.
| Hosting scenario | FCDO position | Documentation required |
|---|---|---|
| UK data centres | Preferred | Standard DPA with provider |
| EU data centres | Acceptable | Standard DPA; note adequacy status |
| Non-UK/EU (adequate country) | Acceptable with justification | Adequacy basis; DPA |
| Non-UK/EU (no adequacy) | Requires approval | SCCs; Transfer Impact Assessment; business justification |
| US-headquartered provider (data in UK/EU) | Review required | Assessment of CLOUD Act exposure; risk acceptance |
For sensitive programme data, particularly protection or safeguarding information, FCDO may require UK-only hosting regardless of provider headquarters.
Audit and documentation
FCDO retains audit rights throughout the grant period and for six years following final payment. Required documentation:
- Information security policy (current, approved by appropriate authority)
- Cyber Essentials certificate (where thresholds apply)
- ICO registration certificate
- Data Protection Impact Assessments (for high-risk processing)
- Article 30 processing records
- Incident log and breach records
- Supplier security assessments
- Training records for staff handling FCDO data
Annual audited accounts are required for grants over £100,000.
European Union requirements
Section current as of December 2025. EU funding instruments continue normal operations.
EU funding applies requirements through the Financial Regulation, programme-specific rules (Horizon Europe, NDICI-Global Europe), and GDPR. The EU represents the most stable major donor funding source following 2025 disruptions.
GDPR compliance
All EU-funded activities involving personal data must comply with the General Data Protection Regulation. Where EU institutions act as controllers, the EU Data Protection Regulation (EUDPR) applies in parallel.
| Requirement | Implementation |
|---|---|
| Legal basis | Document lawful basis for each processing activity; typically public interest (Article 6(1)(e)) or contract performance (Article 6(1)(b)) for programme activities |
| Transparency | Privacy notices in all relevant languages; accessible formats; provided before or at collection |
| Data minimisation | Collect only data necessary for stated programme objectives; justify each data element |
| Storage limitation | Define retention periods at project outset; delete or anonymise when no longer necessary |
| International transfers | Standard Contractual Clauses required for transfers outside EEA adequacy; Transfer Impact Assessment required post-Schrems II |
| Processor agreements | Article 28 compliant Data Processing Agreements with all processors |
The EU takes a stricter position on international transfers than some other donors. Transfers to a US recipient certified under the EU-US Data Privacy Framework can rely on the Commission's adequacy decision of July 2023; transfers to any other US recipient require SCCs plus a Transfer Impact Assessment documenting supplementary measures. The Schrems II invalidation of Privacy Shield remains the reference point for that assessment, and the Framework itself remains contested before the EU courts, so a programme's data flows should not depend on it alone.
Horizon Europe specific requirements
Horizon Europe grants impose additional requirements for research projects:
| Requirement | Detail | Timing |
|---|---|---|
| Data Management Plan | Required for all projects generating research data | Initial version at grant signature; updated throughout |
| Open access | Immediate open access to peer-reviewed publications; research data FAIR and open by default ("as open as possible, as closed as necessary"), deposited in a trusted repository | Throughout and post-project |
| Ethics review | Required for projects involving human participants, personal data, dual-use, or sensitive areas | Pre-award and during implementation |
| Beneficiary registration | All consortium members registered in Participant Register with validated legal status | Pre-submission |
| Electronic exchange | All official communication through EU Funding & Tenders Portal | Throughout |
Horizon Europe Work Programme 2026-2027 introduces additional emphasis on security-sensitive research review. Projects involving technologies with potential dual-use applications face enhanced scrutiny.
System security requirements
EU grants require security measures proportionate to risk. No specific certification is mandated, but technical measures must be documented and auditable.
| System category | Required controls |
|---|---|
| Standard programme systems | Access control with unique user IDs; regular backups (minimum weekly); current malware protection; patch management (critical patches within 30 days) |
| Systems processing personal data | All standard controls plus: encryption at rest and in transit; access logging with 12-month retention; breach detection capability; documented incident response |
| Security-sensitive systems | Additional controls per Security Aspects Letter; may require facility clearance; national security authority coordination |
Financial and audit requirements
EU grants carry comprehensive audit rights extending to all project documentation.
| Audit type | Trigger | Typical scope |
|---|---|---|
| Project audit | Risk-based selection; typically 5-15% of projects | Expenditure verification; deliverable quality; compliance with grant terms |
| System audit | Risk indicators; complaints; prior findings | Internal controls; IT systems supporting financial reporting; procurement |
| OLAF investigation | Fraud indicators; whistleblower reports | Comprehensive; may include forensic data examination |
| Court of Auditors | Random selection for annual report | Full compliance review; may examine multiple projects |
Documentation retention: five years following final payment, extended if audits are pending. For Horizon Europe, this period begins from the final payment date, not project completion.
UN agency requirements
Section current as of December 2025. UN agencies operational but facing severe funding constraints.
UN agencies apply requirements through agency-specific policies, the UN Data Protection and Privacy Principles, and partnership agreements. The UN Partner Portal (UNPP) serves as the common registration platform for UNHCR, WFP, UNICEF, OCHA, and other participating agencies.
Partnership registration
Since 2023, WFP requires all NGO partnerships to flow through the UN Partner Portal. UNHCR and UNICEF use the same platform. Registration involves:
- Organisation profile creation with legal documentation
- Verification of registration status and governance
- Capacity assessment (due diligence)
- Acceptance of common partner terms
Registration in UNPP makes organisations visible to all participating UN agencies. Calls for proposals are issued through the portal, and applications are submitted through the same system.
UNHCR requirements
UNHCR applies specific requirements for partners handling refugee and protection data:
| Requirement | Detail |
|---|---|
| Data Protection Policy alignment | Partners must demonstrate alignment with UNHCR’s seven data protection principles |
| Registration data ownership | UNHCR retains ownership of all registration data collected on its behalf; partner access is licensed, not transferred |
| ProGres access | Named user access only; activity logging; annual recertification; immediate revocation on personnel departure |
| Biometric data | BIMS procedures apply; UNHCR-controlled storage; specific consent requirements beyond standard registration |
| Protection data | Enhanced safeguards; need-to-know access strictly enforced; additional encryption requirements |
| Data sharing | UNHCR prior written approval required before sharing registration or protection data with any third party |
| Incident reporting | Report data incidents affecting refugee data within 24 hours to UNHCR Data Protection Officer |
UNHCR’s 2025 budget constraints have not reduced data protection requirements. If anything, reduced operational capacity increases emphasis on partner compliance as a risk mitigation measure.
WFP requirements
WFP requirements focus on beneficiary data and programme systems:
| Requirement | Detail |
|---|---|
| SCOPE data | WFP retains ownership of all SCOPE beneficiary registration data; partner access controlled through WFP permissions |
| Mobile data collection | Authorised platforms only (typically KoboToolbox, ODK, or WFP-approved alternatives); end-to-end encryption required |
| Transfer data | Financial service provider handling of cash transfer data must align with PCI DSS; transaction data retention requirements apply |
| Personal data | WFP Data Protection Policy compliance; lawful processing basis documented in Field Level Agreement |
| Access control | Role-based access; quarterly recertification; immediate revocation procedures |
| Partner systems | Must meet minimum security baseline documented in FLA annex |
The Field Level Agreement (FLA) is the primary contractual instrument. Security and data protection requirements appear in FLA annexes and must be accepted before partnership activation.
UNICEF requirements
UNICEF applies heightened requirements for data identifying children:
| Requirement | Detail |
|---|---|
| Child data protection | Enhanced protections beyond standard personal data; additional safeguards for sensitive categories (health, protection status, family circumstances) |
| VISION access | Named user access; activity logging; annual recertification |
| eTools | Programme monitoring through eTools platform; role-based permissions |
| Image and identity | Explicit consent required for photographs and identifying information; specific consent for external use |
| Incident reporting | Report incidents affecting child data within 24 hours to UNICEF Data Protection Focal Point |
Cluster coordination requirements
Organisations participating in humanitarian coordination must meet interoperability requirements:
| Standard | Application |
|---|---|
| HXL (Humanitarian Exchange Language) | Required tags for datasets shared through coordination mechanisms |
| 3W/4W/5W reporting | Standardised activity reporting format (Who, What, Where, When, for Whom) |
| HDX contributions | Humanitarian Data Exchange sharing where data classification permits |
| COD alignment | Common Operational Dataset usage for geographic reference data |
| Assessment registry | Registration of assessments in coordination mechanisms |
These requirements facilitate coordination across agencies and partners. Non-compliance limits participation in cluster mechanisms and may affect future partnership opportunities.
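The HXL requirement above is a concrete format check an organisation can automate before a dataset is shared through a cluster or uploaded to HDX. The following added example (written for this page; not code from HXL, HDX or any agency) parses a small constructed 3W extract, locates the hashtag row as the HXL standard defines it (the first row in which every non-empty cell begins with `#`), validates tag syntax, and flags columns whose tags indicate personal data so that they can be stripped before sharing. The deny-list of personal tags (`#contact`, `#beneficiary`, `+phone`, `+email`) is an assumption for illustration, not an HXL or HDX rule; adjust it to your own data classification.

```python
import csv
import io
import re

# HXL hashtag syntax: "#tag" followed by zero or more "+attribute" parts
# (letters, digits, underscore). Tags are compared case-insensitively below.
HXL_TAG_RE = re.compile(r"^#[a-z][a-z0-9_]*(\+[a-z][a-z0-9_]*)*$")

# Assumed deny-list for this example, not an HXL or HDX rule: columns whose
# base tag or attributes identify an individual must not leave the organisation.
PERSONAL_BASE_TAGS = {"#contact", "#beneficiary"}
PERSONAL_ATTRIBUTES = {"+phone", "+email"}

# Constructed sample 3W extract: header row, HXL hashtag row, two data rows.
SAMPLE_3W = (
    "Organisation,Sector,Admin1,Admin1 code,Households reached,Contact name,Contact phone\n"
    "#org+name,#sector+name,#adm1+name,#adm1+code,#reached+hh,#contact+name,#contact+phone\n"
    "ACME Relief,WASH,Central,XX01,420,J. Example,+000 555 0100\n"
    "ACME Relief,Shelter,North,XX02,130,J. Example,+000 555 0100\n"
)

# Constructed sample with a malformed tag (hyphen) and an untagged column.
SAMPLE_BAD = (
    "Organisation,Sector,Admin1,Households reached,Notes\n"
    "#org+name,#sector+name,#adm1+name,#reached-hh,\n"
    "ACME Relief,WASH,Central,420,follow up\n"
)


def find_hxl_row(rows, max_scan=25):
    """Index of the HXL hashtag row, or None.

    The HXL standard defines it as the first row in which every non-empty
    cell begins with '#'; it normally sits directly under the header row."""
    for i, row in enumerate(rows[:max_scan]):
        cells = [c.strip() for c in row if c.strip()]
        if cells and all(c.startswith("#") for c in cells):
            return i
    return None


def is_personal(tag):
    """True if the (lowercased) tag falls on the assumed personal-data deny-list."""
    base, *attrs = tag.split("+")
    return base in PERSONAL_BASE_TAGS or any("+" + a in PERSONAL_ATTRIBUTES for a in attrs)


def check_hxl_dataset(csv_text):
    """Validate tag syntax and flag personal-data columns before sharing."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    report = {"hxl_row": None, "invalid_tags": [], "untagged_columns": [],
              "personal_columns": [], "ok": False}
    tag_row = find_hxl_row(rows)
    report["hxl_row"] = tag_row
    if tag_row is None:
        return report                       # not an HXL dataset at all
    header = rows[0] if tag_row > 0 else []
    for col, raw in enumerate(rows[tag_row]):
        tag = raw.strip().lower()
        name = header[col] if col < len(header) else f"column {col}"
        if not tag:
            report["untagged_columns"].append(name)   # allowed, but ignored by HXL tools
        elif not HXL_TAG_RE.match(tag):
            report["invalid_tags"].append(raw.strip())
        elif is_personal(tag):
            report["personal_columns"].append(name)
    report["ok"] = not report["invalid_tags"] and not report["personal_columns"]
    return report


def strip_personal_columns(csv_text):
    """Return a copy of the dataset with personal-data columns removed."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    tag_row = find_hxl_row(rows)
    if tag_row is None:
        raise ValueError("no HXL hashtag row found")
    keep = [i for i, raw in enumerate(rows[tag_row])
            if not (raw.strip() and is_personal(raw.strip().lower()))]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in rows:
        writer.writerow([row[i] if i < len(row) else "" for i in keep])
    return out.getvalue()


if __name__ == "__main__":
    print(check_hxl_dataset(SAMPLE_3W))
    print(strip_personal_columns(SAMPLE_3W))
```

Run the check as a gate in whatever process publishes to HDX: a dataset with no hashtag row is not HXL at all, a malformed tag will be silently ignored by downstream HXL tooling, and a personal-data column that survives into a public dataset is a data protection breach under every donor regime on this page, not a formatting error.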
Cross-donor harmonisation
Organisations holding awards from multiple donors must navigate overlapping requirements. Harmonising to the strictest common standard reduces compliance overhead.
Incident reporting timeline
| Donor | Required window |
|---|---|
| FCDO | 24 hours |
| EU | 72 hours (GDPR notification to the supervisory authority) |
| UNHCR | 24 hours |
| WFP | 24 hours |
| UNICEF | 24 hours |
Harmonised internal timeline:
- Internal escalation: 4 hours
- Initial assessment: 12 hours
- Donor notification: 24 hours (meets all of the windows above)
Implementing a 24-hour notification capability satisfies all current donor requirements. The internal escalation at 4 hours ensures adequate time for assessment before donor notification.
Security baseline
Harmonised security baseline
Certification: Cyber Essentials Plus
- Satisfies the FCDO mandatory requirement at every contract threshold
- Provides evidence for EU and UN compliance narratives
- Covers the five core control areas
- Annual renewal required
Data protection: GDPR as the baseline framework
- Strictest common requirement
- Satisfies UK GDPR and EU GDPR
- Aligns with the UN Data Protection and Privacy Principles
- Document the lawful basis per processing activity
Data hosting: EU data centres (the EEA is adequate under UK data protection law)
- Satisfies the FCDO preference for UK or EU hosting
- No transfer mechanism needed for EU-funded programmes
- Avoids CLOUD Act exposure only where the provider is not US-headquartered; otherwise the review and risk acceptance in the FCDO hosting table still apply
- Standard Contractual Clauses for transfers outside the EU
Incident response: 24-hour notification capability
- Internal escalation: 4 hours
- Assessment complete: 12 hours
- Donor notification: 24 hours
- Regulatory notification: 72 hours (where required)
Documentation matrix
Maintaining a single documentation set that satisfies multiple donors reduces duplication:
| Document | FCDO | EU | UN agencies |
|---|---|---|---|
| Information security policy | Required | Required | Required |
| Risk assessment | Recommended | Required (proportionate) | Required |
| Data Protection Impact Assessment | Required (high-risk) | Required (high-risk) | Required (UNHCR protection data) |
| Processing records (Article 30) | Required | Required | Aligned with policy |
| Incident log | Required | Required | Required |
| Training records | Required | Required | Required |
| Vendor assessments | Required | Required | Required |
| Cyber Essentials certificate | Required (thresholds) | Evidence for narrative | Evidence for narrative |
Legacy USAID requirements
Historical reference
USAID was dissolved in July 2025 with 86% of programmes terminated. This section applies only to organisations managing awards issued before dissolution that remain active under legacy terms, or maintaining historical compliance records. No new USAID awards are being issued.
Organisations with legacy USAID awards continue under original terms until award completion or termination. The State Department manages remaining programmes (approximately 900 of the original 6,200+).
Continuing obligations for legacy awards
Awards issued under USAID regulations remain bound by:
- ADS 545 cybersecurity requirements: Written security policy; risk assessment for awards over $500,000; incident reporting within 72 hours
- FAR 52.204-21 (contracts only): Fifteen security controls derived from NIST SP 800-171
- 2 CFR 200 Subpart F: Single Audit requirements for organisations expending $750,000 or more in federal funds in a fiscal year (threshold raised to $1,000,000 for fiscal years beginning on or after 1 October 2024 under the 2024 Uniform Guidance revision)
- Privacy Act compliance: For data shared with USG systems
Contact for legacy awards
Legacy award management transferred to the State Department. Contact the Agreement Officer or Contracting Officer listed in original award documents. Response times have lengthened significantly due to reduced staffing.
Records retention
Maintain all compliance documentation for legacy awards per original terms, typically 3-7 years following award closeout. Single Audit records follow federal retention requirements regardless of USAID dissolution.
Audit preparation
Despite funding reductions, audit activity continues. Prepare evidence packages addressing common examination areas:
| Audit area | Evidence package contents |
|---|---|
| Access control | Policy excerpt; access request samples with approvals; access review evidence (quarterly minimum); termination samples showing timely revocation; privileged access inventory with justification |
| Incident management | Policy excerpt; incident log covering audit period; 3-5 sample incident records showing full lifecycle; lessons learned documentation; evidence of 24-hour notification capability |
| Data protection | Registration certificates; privacy notices (multiple languages where applicable); DPIA samples; consent mechanisms with evidence of deployment; data flow documentation |
| Change management | Policy excerpt; change log for audit period; sample approvals for normal and emergency changes; evidence of testing before production deployment |
| Business continuity | BCP/DRP documents; test results from past 12 months; recovery time evidence from tests or actual incidents |
| Third-party management | Vendor inventory; assessment samples; contract excerpts showing security terms; evidence of ongoing monitoring |
Auditors increasingly examine evidence of actual implementation rather than policy documentation alone. Access logs, incident records, and change approvals demonstrate operational compliance.
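The access control row of the table above asks for evidence of timely revocation, periodic access review and justified privileged access, and the UNHCR, WFP and UNICEF sections all require recertification and immediate revocation on departure. The following added example (written for this page; not an auditor's tool or any agency's code) shows how that evidence can be generated rather than hand-assembled: it joins a constructed HR leavers export against a constructed system user export and reports leavers still active, revocations outside the SLA, dormant accounts due for recertification, and privileged accounts with no recorded justification. The 24-hour revocation SLA, the 90-day dormancy limit, the `admin` role name and both sample exports are assumptions for illustration; substitute your own policy values and real exports.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Policy parameters: assumed values for this example, not taken from any donor text.
REVOCATION_SLA = timedelta(hours=24)   # disable leaver accounts within 24h of departure
DORMANCY_LIMIT = timedelta(days=90)    # flag accounts unused for a full recertification cycle
PRIVILEGED_ROLES = {"admin"}           # assumed privileged role name in the system export
AS_OF = datetime(2025, 12, 1, tzinfo=timezone.utc)   # fixed review date for the sample

# Constructed HR leavers export (user_id, last working day).
HR_LEAVERS = (
    "user_id,last_day\n"
    "asmith,2025-09-30\n"
    "bjones,2025-10-15\n"
    "cdiaz,2025-11-20\n"
)

# Constructed system user export. Timestamps are UTC ISO-8601.
SYSTEM_USERS = (
    "user_id,status,disabled_at,last_login,role,justification\n"
    "asmith,disabled,2025-10-01T08:10:00Z,2025-09-30T17:02:00Z,user,\n"
    "bjones,active,,2025-10-14T09:00:00Z,admin,legacy migration\n"
    "cdiaz,disabled,2025-11-25T12:00:00Z,2025-11-20T16:30:00Z,user,\n"
    "dlee,active,,2025-06-01T10:00:00Z,user,\n"
    "eflores,active,,2025-11-28T07:45:00Z,admin,\n"
)


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; empty string -> None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def _departure(last_day):
    """Access should end when the last working day ends: midnight UTC after last_day."""
    day = datetime.strptime(last_day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return day + timedelta(days=1)


def review_access(hr_csv, users_csv, as_of):
    """Return audit findings plus per-leaver revocation lag (hours) as evidence.

    Finding codes: leaver_active, revocation_unverified, revocation_late,
    dormant, privileged_no_justification."""
    leavers = {r["user_id"]: _departure(r["last_day"])
               for r in csv.DictReader(io.StringIO(hr_csv))}
    findings, evidence = [], {}
    for u in csv.DictReader(io.StringIO(users_csv)):
        uid, active = u["user_id"], u["status"] == "active"
        disabled_at, last_login = _ts(u["disabled_at"]), _ts(u["last_login"])
        if uid in leavers:
            if active:
                findings.append({"user_id": uid, "finding": "leaver_active"})
            elif disabled_at is None:
                # Disabled, but no timestamp: cannot evidence timeliness to an auditor.
                findings.append({"user_id": uid, "finding": "revocation_unverified"})
            else:
                lag = disabled_at - leavers[uid]      # negative means disabled before departure
                evidence[uid] = lag.total_seconds() / 3600
                if lag > REVOCATION_SLA:
                    findings.append({"user_id": uid, "finding": "revocation_late"})
        elif active and (last_login is None or as_of - last_login > DORMANCY_LIMIT):
            findings.append({"user_id": uid, "finding": "dormant"})
        if active and u["role"] in PRIVILEGED_ROLES and not u["justification"].strip():
            findings.append({"user_id": uid, "finding": "privileged_no_justification"})
    return {"findings": findings, "revocation_evidence": evidence}


if __name__ == "__main__":
    result = review_access(HR_LEAVERS, SYSTEM_USERS, AS_OF)
    for f in result["findings"]:
        print(f"{f['user_id']:10} {f['finding']}")
    print("revocation lag (hours):", result["revocation_evidence"])
```

Keep the generated report alongside the two input exports and the date it was run; that triple is the "access review evidence (quarterly minimum)" and "termination samples showing timely revocation" an auditor asks for, and it demonstrates operation of the control rather than the existence of a policy.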
Donor diversification
The 2025 funding contraction highlights concentration risk in donor portfolios. Organisations previously dependent on USAID face existential challenges; those with diversified funding demonstrate greater resilience.
Consider expanding donor relationships to include:
- European bilateral donors: Germany (BMZ), France (AFD), Netherlands, Nordic countries
- Private foundations: Gates Foundation, Wellcome Trust, Open Society Foundations
- Development finance institutions: British International Investment (formerly CDC Group), FMO, IFC
- Regional development banks: African Development Bank, Asian Development Bank, Inter-American Development Bank
- Corporate partnerships: Technology companies, pharmaceutical companies, financial services
Each new donor relationship introduces compliance requirements. Evaluate the compliance burden against funding value before pursuing new relationships. Smaller grants with complex compliance requirements may consume more resources than they provide.
Requirement monitoring
Donor requirements evolve through regulatory updates, policy revisions, and lessons learned. Monitor changes through:
| Donor | Primary sources |
|---|---|
| FCDO | GOV.UK updates; Supplier Code revisions; Programme team communications |
| EU | EUR-Lex; Funding & Tenders Portal; programme newsletters |
| UN agencies | Agency policy portals; UN Partner Portal announcements; cluster coordination updates |
Award modifications may introduce new requirements during the grant period. Review all modifications for IT and data protection implications before countersigning.