Foreword
This DORA Compliance Checklist serves as a high-level guide on what to address to help AIMA investment manager members in the EU comply with and finalise preparations for the application of the EU’s Digital Operational Resilience Act (“DORA”), which is due to take effect across all EU member states from 17 January 2025. DORA aims to strengthen the digital operational resilience of the financial sector in a context of deep digital business transformation and an increased exposure to information and communications technology (ICT) and cyber risks.
DORA’s scope is very broad and covers nearly all firms in the EU financial sector, including managers of alternative investment funds (“AIFMs”), UCITS management companies (“UCITS ManCos”) and MiFID investment firms. Certain outsourced ICT third-party service providers and intra-group service providers are also in scope.
According to Article 3(44) of DORA, AIFMs as defined in Article 4(1)(b) of the AIFMD are in scope. Article 4(1)(b) of the AIFMD defines “AIFM” to mean “legal persons whose regular business is managing one or more AIFs.” On this definition any fund manager anywhere in the world is in scope. The unrefined reference to Article 4(1)(b) has been used in other EU regulations and the interpretations of scope as a result have varied.
Non-EU parent companies of EU financial services firms that provide ICT infrastructure or services to those firms will be considered ICT third-party service providers and will be subject to the ICT third-party risk management requirements. It is not yet entirely clear how proportionality will be applied under DORA to group structures.
It should be noted that there are a number of exemptions within DORA for certain firms, including sub-threshold AIFMs, ‘microenterprises’, as well as ‘small and non-interconnected investment firms’. For example, there is a simplified ICT risk management framework for ‘small and non-interconnected investment firms’. In addition, the regulation allows for a proportionate application of requirements for firms taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.
Table of Contents
- ICT Risk Management
- ICT-related Incident Management, Classification and Reporting
- Digital Operational Resilience Testing
- Managing ICT Third-Party Risk
- Information-sharing Arrangements
- ICT Risk Management Governance and Organisation
For more information about the DORA Compliance Checklist for Investment Managers, contact James Delaney, Managing Director, Asset Management Regulation.