There are fewer than five months until the EU’s Digital Operational Resilience Act (DORA) applies, and it is poised to significantly change the landscape for regulated funds, warns Ocorian, the provider of fund, corporate, capital market, private client, and regulatory & compliance services.
DORA will impact the EU financial sector and its service providers, as well as companies and entities outside the EU that provide services or do business with any financial market participants within the EU.
In a statement on 20 August, Ocorian warned that asset managers who have not yet started preparing for DORA should act now or risk potential penalties of up to €100m or 5% of their company’s annual turnover once the regulation applies from 17 January 2025.
The regulation, part of the EU’s Digital Finance Package, aims to harmonise ICT risk and cybersecurity requirements, mitigate risks, and raise digital operational resilience standards across the financial sector within the EU. Fund managers remain responsible for their outsourced activities and must ensure that their outsourced service providers adhere to DORA’s requirements.
DORA affects regulated funds across five key areas:
1. Information, Communication, and Technology (ICT) risk management – identifying, assessing and managing risks to ICT systems and infrastructure under a documented risk management framework
2. Incident management – identifying, classifying, reporting, responding to and recovering from ICT-related incidents, with major incidents reported to the competent authority
3. Digital operational resilience testing – testing systems and processes at least every year to confirm they can withstand disruptions, with advanced threat-led penetration testing (TLPT) at least every three years for entities designated by their regulator
4. ICT third-party risk management – maintaining a register of information on all contractual arrangements with third-party ICT service providers, with particular attention to providers supporting critical or important functions
5. Information sharing – voluntary arrangements under which financial entities can exchange cyber threat information and intelligence with each other
Asset managers who rely on service providers for critical or important functions need to adapt their outsourcing practices to comply with DORA, said Ocorian.
Third-party vendors must also meet DORA’s standards, so asset managers must ensure vendors have proper risk management in place, conduct penetration testing and can evidence this when the manager is asked to demonstrate compliance to regulators. Contracts with service providers need to set out DORA compliance expectations clearly, including incident reporting, information sharing protocols, audit and access rights, and exit strategies. Asset managers must continuously monitor their service providers’ adherence to DORA requirements rather than relying on a one-off onboarding check.
Ocorian sets out below how to approach DORA compliance:
• Identify a governance structure – DORA does not require a complete overhaul of your governance framework, so build on the risk management framework you already have in place
• Leverage existing work – you are likely to already hold a record of processing activities or data asset register for GDPR, so use it as the starting point for DORA’s ICT asset inventory requirement (it will need extending to cover systems, dependencies and third-party services, not only personal data)
• Identify gaps – prioritise your effort by identifying the gaps between your current practices and DORA’s requirements
• Existing certifications can help – an existing ISO certification, such as ISO/IEC 27001, can demonstrate your organisation’s commitment to robust operational practices, although it does not by itself satisfy DORA and a gap analysis is still needed
• Don’t reinvent the wheel – you will already have tools in place for tasks like network monitoring, firewalls and logging, so use these as evidence for DORA compliance as well
Sharon Hodder, head of business partnering – technology at Ocorian, said: “While it might seem daunting at first, DORA compliance is achievable for asset managers through a pragmatic approach that leverages existing practices. By focusing on existing governance structures, leveraging GDPR efforts and identifying targeted gaps, firms can ensure compliance without a complete overhaul of their current practices.”
Stuart Geddes, chief information officer at Ocorian, said: “The good news is that many fund administrators and service providers are ahead of the curve and already adhere to most aspects of DORA. Our regulatory and compliance experts – Bovill Newgate – are developing a new service to assist our clients and other institutions with achieving DORA compliance.”