Digital Operational Resilience Act: What it means for Alternative Investment Management Funds and Managers

By Hinal Patel; Rachel Mahoney; Claudia Chan, Simmons & Simmons

Published: 17 June 2024

The digital regulatory landscape of the EU financial sector has undergone a significant shift with the recent enactment of the Digital Operational Resilience Act (DORA) on 17 January 2024. Recognising the sector’s growing dependency on Information and Communication Technology (ICT) in delivering financial services, and the risks inherent in that dependency, DORA aims to harmonise the regulatory requirements and standards governing the use of ICT across the EU.

This article outlines what DORA is, the key requirements and then considers its application to asset management and investment funds and the common queries we are receiving from these financial entities in relation to DORA.

What is DORA?

DORA is a European regulation established with the primary objective of bolstering the digital operational resilience of the European Union’s financial sector. It introduces uniform requirements for participants within the financial sector to prevent, respond to, and recover from ICT-related disruptions. These requirements form part of a homogeneous digital operational resilience strategy overseen by the EBA, EIOPA and ESMA – the European Supervisory Authorities (ESAs). The ESAs are also responsible under DORA for developing regulatory technical standards (RTSs) and implementing technical standards (ITSs), which further specify the practical and technical aspects of the regulation and ensure its uniform application across Member States. The first batch of final RTSs and ITSs was published on 17 January 2024.

Key Requirements 

DORA is underpinned by six pillars. We set out each pillar below together with its key requirements.

(1) ICT risk management: Financial entities are required to implement a comprehensive ICT risk management framework. This includes the creation of policies and procedures to identify, assess, manage, and monitor ICT-related risks, along with a strategy for digital operational resilience. Entities are also required to establish internal governance and controls for ICT risk management, with a dedicated control function overseeing this risk. They must document all information and ICT assets, ICT-supported business functions, and sources of ICT risk, conducting an annual review. Financial entities are obliged to maintain a comprehensive ICT business continuity policy, including response and recovery plans that are tested yearly, and implement policies and protocols for key aspects of ICT security. Finally, a crisis management function must be established, with clear procedures for managing crisis communications during the activation of ICT business continuity plans or ICT response and recovery plans.

(2) Incident reporting: Financial entities are mandated to set up a management procedure to track and record incidents, categorise them according to defined criteria, and report all “major” incidents to their respective supervisory authority. In the event of a “major” incident, financial entities must provide an initial notification, an interim report on progress towards resolution, and a final report analysing the incident’s root causes. The competent authorities will provide supervisory feedback and guidance, and the potential for consolidating incident reporting at the EU level will be considered.

(3) Testing: Financial entities, excluding microenterprises, must create, maintain, and review a robust digital operational resilience testing programme as a key part of the ICT risk-management framework. Financial entities must conduct appropriate tests on all ICT systems and applications that support critical or important functions at least annually. These evaluations should include appropriate tests such as gap analyses and vulnerability assessments. Larger entities are also required to perform threat-led penetration testing (TLPT) on critical or important functions. While many financial entities may already conduct regular resilience testing, adjustments may be needed to comply with DORA’s specific requirements.

(4) ICT third-party risk management: Financial entities must manage ICT third-party risk as a crucial part of their ICT risk management framework. This involves having a strategy for managing third-party risk, including a policy on using third-party ICT services that support critical functions. Entities must maintain a register of contractual arrangements with third-party ICT service providers, distinguishing between services that support critical functions and those that do not, and report to regulators annually on new ICT service arrangements. Before engaging a third-party ICT service provider, entities must conduct due diligence on the provider and assess the contractual setup. Additionally, entities must have exit strategies in place to ensure business continuity, regulatory compliance, and client service in the event of contract termination.

(5) Information sharing: DORA encourages (but does not mandate) information sharing, particularly in relation to cyber threat intelligence, to enhance a firm’s digital operational resilience. This exchange should take place within trusted communities via structured information-sharing arrangements. However, financial entities must notify the relevant supervisory authorities when such information is shared.

(6) Governance: This pillar establishes governance obligations for management bodies, comprising board members and senior management, and outlines their respective responsibilities in furthering the digital operational resilience framework established by the five preceding pillars.

Why should hedge fund managers, alternative credit managers and funds of funds take note?

DORA applies to most financial entities, including but not limited to managers of alternative investment funds and UCITS management companies, along with certain critical third-party ICT service providers. The exemptions that do exist may allow certain entities to establish a simplified ICT risk management framework, where this is proportionate taking into account the size, nature, scale and complexity of their services, activities and operations, and their overall risk profile.

Competent authorities will have supervisory, investigatory and sanctioning powers necessary to fulfil their duties under DORA. This includes the ability to impose financial penalties, such as administrative fines and remedial measures, on financial entities for failure to comply with DORA. They also have discretion whether to impose criminal penalties for breaches of DORA under their national law.

Therefore, it is crucial for the management bodies to understand how DORA impacts their entities, evaluate its implications, and adapt accordingly. 

Common queries we are seeing from hedge fund managers, alternative credit managers and funds of funds, and our response

Are they in scope?

As noted above, DORA applies to most financial entities within the financial sector. On its face, this looks straightforward, as DORA gives a long list of in-scope financial entities and defines what each is. In practice it is less so, because many of the definitions refer out to other EU legislation and can produce questionable outcomes. We have, for example, seen this play out in the context of AIFMs.

Does DORA apply extraterritorially in relation to financial entities and managers? 

At an entity level, the answer to this question is driven by how DORA defines the relevant financial entity or manager. We are seeing mixed views on whether financial entities or managers with no presence in the EU are in scope or not. 

However, note also that DORA’s reach can extend extraterritorially at an asset and service level e.g. in terms of a financial entity’s or manager’s ICT risk management framework. 

What’s the timeline for compliance? 

DORA will generally become applicable as of 17 January 2025 and financial entities will need to have the necessary processes and documentation in place by then. 

How can hedge fund managers, alternative credit managers and funds of funds prepare for DORA?

Hedge fund managers, alternative credit managers and funds of funds can prepare for DORA implementation by taking the following steps:

  1. Establish your perimeter: Identify which entities are in scope and what key terms under DORA, such as ‘critical or important function’, mean for you.
  2. Conduct a gap analysis: Evaluate current governance, risk management, policies and standards against the requirements of DORA.
  3. Create a roadmap: Determine the priorities and effort needed to close the gaps identified in the gap analysis and so meet DORA’s requirements.
  4. Remediate contracts: Identify which ICT third-party contracts fall within the scope of DORA and need remediation. Prepare contractual addenda for those third-party contracts and run a project to remediate those agreements so that they are DORA-compliant.
  5. Track regulatory updates: Look out for the new RTSs in July this year and any further national competent authority guidance or requirements.

What is coming next?

On 8 December 2023, the ESAs initiated a public consultation on the second batch of technical standards under DORA. This batch comprises four sets of RTSs, one ITS and two sets of guidelines (GL). The second batch covers the content, timelines and templates for ICT-related incident reporting; the conditions for sub-contracting ICT services that support critical or important functions; and the criteria used to identify financial entities required to perform TLPT.

The ESAs plan to submit the draft technical standards to the European Commission and publish the final guidelines by 17 July 2024.