Are you ready for DORA? A guide to the EU's new cybersecurity & operational resilience standards for asset managers

04 June, 2024

The EU's Digital Operational Resilience Act (DORA) came into force on 16 January 2023 and is poised to significantly impact the landscape for regulated funds when it applies as of 17 January 2025. 

This new regulation, part of the Digital Finance Package, aims to harmonise cybersecurity, mitigate risks and increase the digital operational resilience standards across the financial sector within the EU. 

While it may seem daunting at first, fund managers can achieve compliance through a pragmatic approach that leverages existing practices. 

Sharon Hodder, Head of Business Partnering, Technology and Nisha Patel, Chief Information Security Officer at Ocorian dive into DORA's implications for EU funds and the considerations for asset managers who utilise an outsourcing model to service providers such as fund administrators.

What are the things asset managers need to know about DORA?

DORA establishes a comprehensive framework for managing Information and Communication Technology (ICT) risks. The key features are: 

  • Harmonised requirements: DORA creates a consistent approach across EU member states, streamlining compliance for funds with a pan-European presence.
  • Focus on risk management: A structured approach to ICT risk identification, assessment, and mitigation becomes mandatory.
  • Resilience testing: Funds will need to implement robust incident response plans and conduct regular testing to ensure operational continuity during disruptions.
  • Third-party risk management: DORA emphasises managing risks associated with outsourced services. Fund managers must ensure their ICT service providers adhere to DORA's requirements.

What will be the impact of DORA on regulated funds?

There are five key areas ("pillars") for funds, which include:

  1. ICT risk management: This involves identifying and assessing risks to information and communication technology (ICT) systems and infrastructure.
  2. Incident management: This pillar focuses on having a process in place to identify, report, respond to, and recover from, ICT-related incidents.
  3. Digital operational resilience testing: Threat Led Penetration Testing (TLPT), previously optional, is now mandatory. This involves testing your systems and processes at least yearly to ensure they can withstand disruptions. The outcome of these tests also needs to be shared with regulators.
  4. ICT third-party risk management: Companies need to have a register of all third-party ICT service providers, with a special focus on critical suppliers. There are also data asset register requirements.
  5. Information sharing: Article 45 of DORA describes this as "sharing of threat intelligence". It is an optional pillar that takes place within trusted communities of financial entities, with conditions for participation defined and validation of membership to be reported to the competent authorities (regulators). Currently no official mechanism exists for sharing information like this across the EU. The future goal is to create a hub to facilitate information sharing about cyber threats.

Who is impacted by DORA?

DORA is designed to target:

  • The European Union financial sector and its service providers 
  • Companies and entities outside the EU that provide services or do business with any financial market participants within the EU.

Financial entities that are impacted include credit and payment institutions, trading venues, central securities depositories, and a vast selection of different service providers (from fund administration through to data reporting).

DORA does not apply to managers of alternative investment funds, insurance intermediaries, and natural or legal persons.

What are the considerations for outsourcing to third-party service providers?

Asset managers who rely on service providers for critical functions need to adapt their outsourcing practices to comply with DORA. Here are some key considerations:

  • Vendor due diligence: It is crucial for firms to look beyond their internal technology and consider the technology and systems used by their vendors. Third-party vendors will also need to be DORA compliant. Asset managers will need to ensure their vendors have proper risk management, conduct penetration testing, and provide evidence to regulators. A thorough assessment of a service provider's ICT security posture, risk management practices, and DORA compliance now becomes essential.
  • Contractual safeguards: Contracts with service providers need to clearly outline DORA compliance expectations, including incident reporting, information sharing protocols, audit rights and exit strategies. Contracts need to be reviewed and potentially updated to include DORA-specific compliance clauses. Illustrative templates for these contracts are available on the EU websites.
  • Ongoing monitoring: Asset managers must continuously monitor their service providers' adherence to DORA requirements. This may involve regular reviews, audits, and penetration testing. For example, a service provider such as a fund administrator should have an internal audit function that operates independently of the IT department. This function should verify adherence to regulations by auditing governance frameworks and procedures. While the title can vary, it is crucial for this function to be independent.

What steps should you take to ensure third-party service provider compliance?

  • Request documentation: Ask service providers for their DORA implementation plans, policies, and risk assessments.
  • Conduct audits: Engage independent auditors to assess the service provider's ICT security controls and DORA compliance.
  • Leverage industry resources: Utilise guidance from financial regulators and industry associations to understand best practices for managing third-party DORA risks.

Will you need additional software?

  • There is no specific software solution for DORA compliance. 
  • However, you will need some way to track and manage your compliance efforts, such as ongoing monitoring.

Companies will use a variety of tools to track and manage their compliance efforts, such as network monitoring tools, internet monitoring tools, and firewall tools. Companies should already have some of these tools in place.

If you haven’t already started preparing for DORA, where should you start?

  • If you haven't started yet, you should get started as soon as possible. The first step is to find out if your company is in scope for DORA. There are exemptions for smaller firms.
  • If your company is in scope, you need to assemble a working group that includes people from across the business, such as technology, legal, procurement, and compliance. This group should focus on identifying the critical functions of the business, especially those that are outsourced to third-party vendors.
  • However, the key with this is not starting from scratch. Look at everything you already have in place and do a gap analysis against the DORA requirements. For example, an existing ISO 27001 certification may serve as a strong foundation for achieving compliance with DORA. The goal is to minimise the need to completely overhaul current practices.
  • The working group should follow a four-step approach:
    1. Set up a governance structure to support the DORA programme.
    2. Identify critical functions and map the IT systems that support them. This includes outsourced functions.
    3. Perform a gap analysis to compare your current practices to DORA requirements.
    4. Develop a roadmap to achieve compliance.
  • This is a complex process, and there is a lot of work involved. 
  • When thinking about risk management, companies need to consider people, physical security, and technology. These are the three key areas to focus on.

If you don't comply, what's the risk to asset managers?

DORA applies to financial entities in scope from January 2025.

There are financial penalties for non-compliance with DORA. The maximum fine can be €10 million or 5% of a company's total annual turnover, whichever is higher. There are also potential GDPR (General Data Protection Regulation) fines if a DORA breach is also a GDPR breach.

The size of the fines will vary depending on the regulator, but the regulation specifies that fines should be proportionate to the size of the business.

Any tips to help asset managers comply with DORA?

A pragmatic approach can help companies feel less overwhelmed by DORA compliance.
We advise firms to:

  • Identify a governance structure: Most companies will already have a risk management framework in place. DORA compliance won't require a complete overhaul of this framework.
  • Leverage existing work: DORA compliance can benefit from existing GDPR efforts. It is likely you will already have a data asset registry to comply with GDPR. This data can be used to meet DORA's data asset inventory requirements as well.
  • Identify gaps and focus there: Instead of feeling overwhelmed by a vast new to-do list, focus on identifying gaps between your current practices and DORA's requirements. This will help prioritise efforts and make compliance more manageable.
  • Existing certifications can help: An existing ISO certification can be a valuable asset. While this does not guarantee DORA compliance, it demonstrates your organisation's commitment to robust operational practices.
  • Don't reinvent the wheel: There is no one-size-fits-all solution for DORA compliance. You will already have a variety of tools in place for tasks like network monitoring and firewalls. These tools can be leveraged for DORA compliance as well.

Conclusion

DORA compliance is achievable for asset managers through a pragmatic approach. By focusing on existing governance structures, leveraging GDPR efforts, and identifying targeted gaps, firms can ensure compliance without a complete overhaul of their current practices.

The good news is that many fund administrators and service providers are ahead of the curve and Ocorian already adheres to most aspects of DORA thanks to our existing compliance with frameworks like ISO 27001, which address IT risk management, incident management, and other relevant areas.

Ocorian is also developing a new service to assist our clients and other institutions with achieving DORA compliance.

Contact us for further information.