22/05/2024
Briefing

The Digital Operational Resilience Act (“DORA”) applies to a wide range of financial entities and is focused on ensuring that these entities are able to respond effectively to unplanned information and communication technology (“ICT”) disruption, while minimising the impact on their business and customers.

In this briefing, we consider the impact of DORA for fund managers and outline the requirements under DORA to manage and mitigate ICT risk.

Does DORA apply to fund managers?

A wide range of financial entities are subject to DORA including AIFMs (excluding sub-threshold AIFMs) and UCITS management companies (referred to collectively as “ManCos”).

Non-EU AIFMs that manage and/or market AIFs in the EU may also be in scope for DORA, subject to the proportionality principle described below. It is hoped that this may be clarified in a regulatory Q&A or other guidance.

DORA does not apply directly to funds that are externally managed; however, boards of directors of such funds (“Fund Boards”) should request confirmation from their appointed ManCos that they have taken the necessary steps to comply with the requirements of DORA.

What obligations will apply to ManCos under DORA?

ICT risk management framework

DORA requires ManCos to adopt an ICT risk management framework that is sound, comprehensive and well-documented. This framework must include strategies, policies, procedures and tools to appropriately protect the ManCo’s ICT infrastructure. The ManCo must review and audit the framework on an ongoing basis and must also take steps, on an ongoing basis, to identify sources of ICT risk. This review should be conducted at least annually, in line with the ManCo’s annual review of its other policies and procedures.

The European Supervisory Authorities (made up of the EBA, ESMA and EIOPA) have published detailed regulatory technical standards (“RTS”) identifying key elements of the policies and procedures required to support an ICT risk management framework. These include business continuity, incident management and crisis management policies.

For ManCos, ICT risk management will likely form part of their wider risk management framework.  

Incident management and reporting

DORA requires ManCos to have a comprehensive incident management framework in place for detecting and reporting incidents, including early warning indicators and processes for tracking and monitoring incidents. DORA also provides for new regulatory reporting obligations for “major” ICT incidents affecting ICT systems supporting critical or important functions.

RTS set out the criteria for classifying an ICT incident as “major”, which include primary criteria (i.e. the effect on clients and transactions) and secondary criteria (i.e. reputational impact and duration and service downtime).

Draft RTS specify that an initial report must be made to the competent authority (likely to be the Central Bank of Ireland, but this is yet to be confirmed) no later than 24 hours from detection of the incident, an intermediate report must be filed within 72 hours, and a final report must be submitted within one month.

Digital operational resilience testing

DORA requires ManCos to conduct annual testing of ICT systems supporting critical or important functions, including performance testing and penetration testing. Those ManCos that carry a certain degree of systemic importance and are designated by the competent authority will also be required to conduct advanced threat-led penetration testing (“TLPT”) on live production systems on a three-year rolling basis.

Draft RTS set out the elements for TLPT, which were developed in accordance with the TIBER-EU framework for threat intelligence-based ethical red-teaming.

ICT third party risk management

DORA requires ManCos to manage risks relating to the provision of ICT services, including by adopting a policy on the sub-contracting of critical or important ICT services, by including specific contractual provisions in all ICT service contracts (with additional obligations applying to ICT service contracts supporting critical or important functions) and by establishing a register of all ICT service contracts. There are draft RTS on the sub-contracting process and final RTS on the content of the third party ICT risk management policy.

Draft implementing technical standards also provide detail on the information required to enable ManCos to put in place the third party ICT service contract register. The European Supervisory Authorities are going to facilitate a voluntary dry-run for the collection of the third party ICT service contract registers starting in May 2024, in which they will provide support on formatting, data quality and processes for completing and issuing the registers.

What is the timing of DORA?

DORA entered into force on 16 January 2023 and will apply from 17 January 2025. It will be supported by a series of RTS and implementing technical standards which provide further regulatory guidance and expectations on the requirements of DORA. Some of these technical standards are discussed above.

While certain of the RTS and implementing technical standards have yet to be finalised, it is anticipated that all such standards will be adopted by the European Commission ahead of the implementation of DORA on 17 January 2025.

Does DORA address proportionality?

Article 4 of DORA recognises that financial entities should implement the requirements of DORA “in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations”.

As a result, ManCos should apply the proportionality principle to determine the scope of their DORA compliance efforts. For example, the proportionality principle supports the use and adjustment of existing policy documentation and processes to help achieve compliance with DORA (for example, by adapting existing information security and operational resilience policies and business continuity plans). The proportionality principle also supports utilising existing contractual arrangements (for example, relying on existing critical or important outsourcing agreements that comply with the Central Bank’s Outsourcing Guidance) to help ensure that ICT contracts include the contractual provisions prescribed by DORA. In particular, non-EU AIFMs may be able to rely on the proportionality principle to determine the manner in which they achieve compliance with the objectives of DORA.

Next Steps

In practice, ManCos should focus on five main areas as part of their DORA compliance project:

1. Identification and mapping

The first step is to identify the ICT systems, networks and third party ICT service providers that need to be subject to appropriate protections and controls from an operational resilience perspective. Once these systems, networks and providers are identified, it will be necessary to map them end-to-end so that there is a clear picture of the chain of processes, people and technology that supports each activity, in order to address any ICT vulnerabilities.

ICT services are broadly defined as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. For a ManCo, this will involve a review of both entity- and group-level ICT service arrangements, such as the licensing of any cloud-based software services or licensing of hardware, as well as any arrangements that involve the provision of data or digital services, such as access to an online platform or portal.

2. Documentation

DORA is prescriptive in relation to certain types of policies and procedures that financial entities are expected to maintain (for example, a digital operational resilience strategy, ICT incident management process, ICT testing procedures, third party ICT service provider policy, etc.).

A ManCo’s existing policies and procedures should be reviewed and updated to ensure that they address the ManCo’s operational resilience strategy and comply with DORA and regulatory expectations.

The RTS on the ICT risk management framework will provide further guidance on this topic.

3. Third party ICT contracts

All contracts for ICT services will need to be identified, reviewed and potentially amended to align with the specific contractual requirements in DORA.

4. Technical measures and testing

IT and InfoSec teams will need to be engaged to ensure that appropriate technical measures are in place to protect a ManCo’s ICT infrastructure and that these measures are appropriately tested (for example, via penetration testing). These technical measures are the first line of defence when it comes to operational resilience and are arguably the most important element of assuring operational resilience in practice.

5. Governance

The content of reports and reporting lines to the ManCo’s designated persons and/or board of directors should also be reviewed to ensure that the board of directors (which is ultimately responsible for DORA compliance) has sufficient information to make decisions in relation to the operational resilience of the ManCo.

DORA also requires the allocation of responsibility for aspects of operational resilience to certain persons or functions within the organisation. Accordingly, we would expect that for an Irish ManCo the designated person with responsibility for operational risk management would be responsible for overseeing arrangements with third party ICT service providers.

For more information on this topic please contact your usual contact or any member of the Asset Management and Investment Funds Group.