What to Expect From the EU’s Digital Operational Resilience Act (DORA)

      Dublin / New York, June 20, 2023 – In force since January 2023, the EU's Digital Operational Resilience Act (DORA) aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other digital risks.

      The DORA rules will become fully applicable on 17 January 2025.

      The 5 Pillars of the Digital Operational Resilience Act

      DORA is already having a significant impact on fund managers across the EU region. It sets out measures that are divided into 5 pillars:

      1. ICT Risk Management

      The DORA ICT risk management framework puts the onus on the management body of the firm for identifying and managing relevant risks. ICT (information and communication technology) risk management focuses on protecting the confidentiality, integrity, and availability of an organization’s digital assets, including data, applications, networks, and hardware. It aims to minimize the potential negative impact of ICT-related risks on business operations, reputation, and overall security.

      ICT risk management under DORA is an ongoing process that requires continuous monitoring, evaluation, and adaptation to evolving risks and technologies. To comply with this requirement, fund managers must develop comprehensive frameworks for risk identification, assessment, and mitigation.

      2. ICT-related Incident Management, Classification and Reporting

      The DORA aims to enhance regulatory reporting and transparency across financial entities, so fund managers should prepare for more comprehensive reporting requirements relating to operational resilience along with increased regulatory oversight and scrutiny.

      DORA will introduce standardized incident reporting and communication protocols to ensure greater transparency and accountability within the industry. These requirements will be challenging for many asset management firms, which will need to improve their processes for collecting, analyzing and disseminating information about ICT threats and cyber-attacks.

      3. Digital Operational Resilience Testing

      The DORA sets out comprehensive guidelines and requirements for fund managers to ensure their digital infrastructures can withstand disruptions and effectively recover in the event of an incident. The onus has been placed on the management body of the firm to perform and address assessments on a regular basis, such as vulnerability assessments and network security assessments.

      4. Information Sharing Arrangements

      Financial entities may exchange cyber threat information and intelligence. Information sharing is a crucial aspect of cybersecurity as it enables the timely exchange of relevant threat intelligence, vulnerabilities, and best practices among different stakeholders. This sharing of information helps to improve situational awareness, enhance the ability to detect and respond to cyber threats, and ultimately strengthen the overall security posture of organizations and networks.

      Fund managers will likely face stricter requirements for data quality, integrity, and accessibility. They can also expect increased scrutiny on data privacy and protection, including compliance with the EU General Data Protection Regulation (GDPR).

      5. Managing of ICT Third-Party Risk

      DORA places significant emphasis on the management of risks arising from third-party service providers. In today’s interconnected business environment, organizations often rely on third-party vendors for various ICT services such as cloud hosting, software development, infrastructure management, and data processing.

      DORA imposes stricter regulations on outsourcing activities and third-party risk management. As a result, financial entities need to conduct thorough due diligence when engaging third-party service providers, ensuring they meet the required standards of operational resilience and cybersecurity. We are seeing more robust contractual arrangements, including clear provisions for monitoring and managing third-party risks.

      How Waystone can help

      Des Johnson, Global Chief Revenue Officer at Waystone, says “DORA is a transformative regulatory initiative designed to enhance operational resilience within the financial services industry. With our deep understanding of the fund management industry and commitment to regulatory compliance, Waystone is well-positioned to assist fund managers in navigating the complexities of DORA implementation. We recognize the significance of DORA and are committed to helping fund managers navigate the complexities of DORA and ensure compliance with the forthcoming regulations”.

      About Centaur Fund Services

      Centaur Fund Services, a Waystone Group company, is a leading fund administrator with offices in the United States, Bermuda, Canada, Cayman, Ireland, London, Luxembourg and the Philippines. Centaur delivers independent fund administration, fiduciary and regulatory services globally to the alternative investment fund industry, focusing on hedge funds, private equity, credit and real estate funds, family offices and ILS funds.

      centaurfs.com

      About Waystone

      Waystone is the leading provider of institutional governance, administration, risk and compliance services to the asset management industry.

      Partnering with institutional investors, investment funds and asset managers, Waystone builds, supports and protects investment structures and strategies worldwide. With over 25 years’ experience and a comprehensive range of specialist services to its name, Waystone is now supporting asset managers with more than US$2Tn in AUM.
