The aim of the Digital Operational Resilience Act (“DORA”) is to ensure uniform requirements for the security of network and information systems. DORA is part of the EU’s Digital Finance Package (“DFP”). The DFP looks to develop a harmonized European approach to digital finance.
With the DFP in mind, DORA is designed to ensure that financial institutions operating in the European Union, including alternative investment fund managers (“AIFMs”), can mitigate information and communication technology (“ICT”) risks and manage disruptions.
Operational provisions of DORA take effect on 17 January 2025, so AIFMs have less than a year to familiarise themselves with their DORA compliance obligations and ensure they comply. AQMetrics is helping its AIFM customers understand what needs to be done and to prepare for the January 2025 effective date. This blog sets out the main steps AIFMs need to take over the next 12 months to comply with DORA.
Step 1: The DORA Management Body
The first thing AIFMs need to do is examine the Management Body. The Management Body is defined in Article 3(30) of DORA as those “empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making and include persons who effectively direct the business of the entity”. Ultimately, responsibility for compliance with DORA lies with the Management Body.
Step 2: The ICT Risk Management Framework
The next thing AIFMs should turn their focus to is their ICT risk management framework. DORA mandates the establishment of a comprehensive and documented ICT risk management framework. Articles 9(1) and 10(1) of DORA are of particular importance in this regard. Under Article 9(1), AIFMs will need to adopt measures to “continuously monitor and control the security and functioning of ICT systems”. Further, under Article 10(1), AIFMs will need to “detect anomalous activities” from January 2025 onwards.
Step 3: ICT Third-Party Service Providers
Thirdly, critical ICT third-party service providers have to be put under the spotlight. An AIFM should consider whether any of its ICT service providers are ‘critical’ per the DORA definition of critical ICT third-party service providers, and document how this might impact the services received. Those critical service providers must also comply with DORA, so due diligence by the AIFM on its critical ICT third-party service providers is a necessary step through 2024. Otherwise, an AIFM may find itself in breach of DORA in 2025 by electing to use a non-compliant service provider that has been designated as (or has opted in to be) a critical ICT third-party service provider.
Step 4: Incident Response and Reporting
The fourth step to be taken by AIFMs in 2024 is to review their approach to incident response and update it to include DORA breach notifications to National Competent Authorities (“NCAs”). Under Article 19 of DORA, major incidents will need to be notified to competent authorities “without delay” when the Fund becomes aware of them. In 2024, AIFMs will have to familiarise themselves with the specific and mandatory reporting templates that have to be used from January 2025 onwards. As a result, AIFMs should be allocating time in 2024 to assess their operational resilience and take the steps required to ensure compliance. To this end, AIFMs need to be familiar with, or consult a third party on, the first set of RTS and ITS, which are currently in draft and will be submitted to the European Commission by 17 January 2024 for adoption. AQMetrics, winner of Best Solution for DORA at the 2023 RegTech Insight Awards Europe, understands the complexities of the DORA initiative and can answer any questions you may have on the best-practice preparation steps that can be taken by AIFMs in 2024.
Get ahead of DORA. Contact us now to find out more.