Q: What is DORA?
“DORA” stands for the Digital Operational Resilience Act, an EU regulation that creates a new framework for the EU financial sector with regard to information and communications technology (ICT).
DORA is a part of the digital finance package, adopted by the European Commission on 24 September 2020.
This package includes a digital finance strategy and legislative proposals on crypto assets and digital resilience for a competitive EU financial sector that gives consumers access to innovative financial products while ensuring consumer protection and financial stability with an effective supervisory framework to tackle potential vulnerabilities. The package supports the European Union’s ambition for a recovery that embraces the digital transition. Digital financial services can help modernize the European economy across sectors and turn Europe into a global digital player.
Q: Who does DORA apply to?
DORA applies to financial entities and service providers such as fund managers, including authorised alternative investment fund managers (AIFMs) but not subthreshold AIFMs.
The scope of the regulation is very broad. DORA targets Luxembourg and other European entities engaged in the financial and insurance sectors, including, among others:
- Credit institutions
- Payment institutions, including payment institutions exempted pursuant to the revised Payment Services Directive
- Electronic money institutions, including electronic money institutions exempted pursuant to EMID
- Investment firms
- Crypto-asset service providers, as authorized, and issuers of asset-referenced tokens (under Regulation (EU) 2023/1114 on markets in crypto-assets – MiCA)
- Managers of alternative investment funds
- Management companies in undertakings for the collective investment in transferable securities (UCITS)
- Insurance and reinsurance companies
- Third-party service providers of ICT
- Any Luxembourg branches of the aforementioned entities
Q: Who will enforce and check DORA compliance?
For Luxembourg entities, compliance may be assessed by the Commission de Surveillance du Secteur Financier (CSSF) or any other competent authority the CSSF might appoint to assist with specific technical requirements.
Q: Why does DORA matter now?
DORA entered into force on January 17, 2023, and will apply as of January 17, 2025. Now is the time for European fund managers who are affected by DORA to assess what it means for them and get ready.
Q: What does DORA cover?
DORA provides harmonized technical standards to ensure digital operational resilience by laying down uniform requirements for network security and information systems that support the business of financial entities.
DORA is divided across five core pillars that address various aspects or domains within ICT and cybersecurity, providing a comprehensive digital resilience framework for relevant entities:
- ICT risk management
- ICT-related incident management, classification, and reporting
- Digital operational-resilience testing
- Management of ICT third-party risk
- Information-sharing arrangements
For fund managers, this means they must develop an internal governance and control framework for ICT risk management. Consequently, their board members have to define, approve, oversee, and assume responsibility for the implementation of all ICT risk management, which includes the procedures for identifying and managing ICT risks. This means board members are responsible for the strategies, policies, procedures, ICT protocols, and tools used to manage such risks. This, in turn, requires (i) reporting and disclosure in case of incidents or new contracts with third-party ICT service providers and (ii) specific roles for new responsibilities within the fund manager and, at board level, a duty to ensure that the board is kept sufficiently informed and skilled to understand and assess ICT risk and its impact on operations (specialist board member, specialist training, etc.).
In addition, DORA lays out new key requirements for contractual provisions with ICT service providers and obligations for fund managers in case of breaches by the service providers.
In summary, fund managers will need:
- A written policy and risk assessments for risk management, including:
  - A “digital resilience” strategy
  - Why certain ICT functions are provided by third-party service providers
  - Identification of all tasks, functions, and staff that make use of ICT tools, to be updated every year
  - Changes to the network and information systems used for business functions and information assets
  - The approvals needed for changes in procedures and protocols
  - Continuity plans and response and recovery plans
  - A communications strategy for both internal and external stakeholders and supervisory authorities
- To provide regular training for staff on how to assess ICT risks and ensure proper management
- To be prepared for the CSSF to request any documentation on policies and risk assessments, and to monitor and require changes to be made
- A role for monitoring new arrangements for ICT service providers (can be existing staff)
- A role to prevent conflicts of interest when identifying ICT risks (should be independent from other ICT functions)
- A role for internal auditing of ICT risks (should be independent from other ICT functions and can be outsourced)
- A role for crisis management
- A role for communications for public and media reporting
- A yearly assessment of existing ICT systems before connecting or adding new systems
- A written policy and process in case of ICT-related incidents:
  - To record any ICT-related incidents
  - To report major incidents to competent authorities
  - To notify the competent authority (voluntarily) of potential threats
  - To notify clients/investors of potential threats
  - To notify clients/investors in case of any incidents, and of the measures taken to reduce their impact
- Yearly tests on all ICT systems for critical and important functions (to be conducted by an independent party)
- To conduct threat-led penetration testing every three years
- To report new or planned contractual arrangements for the provision of ICT services from third parties
- To ensure the ability to terminate any contractual arrangement with third parties that provide/support critical or important functions
Q: What are we still waiting for?
The European Securities and Markets Authority published its final report on the Regulatory Technical Standard in January 2024. It clarifies the technical aspects of what fund managers must comply with when creating and implementing a new framework.
Q: Is there any Luxembourg-specific legislation yet?
The CSSF has published Circular 24/847, which aims to advance ICT reporting as we near DORA compliance.
The circular introduces a three-part notification process: initial, intermediate, and final. It provides a notification timeline and the required information for each stage, aligning with future DORA reporting requirements.
The circular will be applicable as of June 1, 2024, for fund managers.
Q: What can fund managers do now?
There will be limited time to implement a new framework when all final details are released. Now is the time to review existing processes and procedures.
Consider what is already aligned and what needs to be reviewed and amended to ensure continuity of provision of services. This includes potentially designing new procedures, recruiting for new roles, and ensuring ICT service agreements are compliant.
Please reach out to any of the authors for further information and additional advice.
The team would like to thank Céline Moille for her contribution to this article.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.