Exploring DORA’s ICT Risk Requirements: Key Issues for Asset Managers

March 06, 2024

Key Takeaways

  • DORA became law in December 2022 but provides for a grace period until 17 January 2025 for organisations to put in place the necessary measures to comply.
  • The new rules will require engagement from both an operational and legal standpoint. With less than a year to go, asset managers should start implementing their compliance programmes well ahead of the deadline so that they have the necessary processes and documentation in place by 17 January 2025.
  • Key areas of initial focus for asset managers should be:
    • mapping ICT-supported business functions and the information/ICT assets that support those functions, as well as third party ICT services,
    • identifying and assessing areas of ICT risk,
    • amending contracts with third party ICT service providers to ensure that DORA requirements are addressed, and
    • identifying whether the asset manager is subject to the lighter-touch regime for small and non-interconnected investment firms and developing its ICT risk management framework.
  • European Supervisory Authorities are in the process of developing regulatory technical standards to provide greater clarity on key requirements under DORA. Certain of these are expected to be finalised in early 2024.

The EU’s Digital Operational Resilience Regulation1 (“DORA”) imposes new rules relating to financial entities’ information and communication technology ("ICT") risk. DORA is accompanied by a Directive2 that amends certain EU financial services legislation to ensure consistency with DORA (the “DORA Directive”). This article discusses key requirements for asset management firms.

What is DORA?

DORA imposes a new set of harmonised rules relating to financial entities’ ICT risk. DORA and the DORA Directive aim to further harmonise the regulatory requirements in relation to ICT risks for financial entities operating in the EU.

DORA also mandates the European Supervisory Authorities (“ESAs”)3 to develop a range of draft delegated acts, regulatory technical standards (“RTS”) and implementing technical standards (“ITS”) on various matters, for adoption by the EU Commission. The intention is that the RTS and ITS will provide more technical detail as to what is required to comply with the provisions of DORA itself.

The ESAs consulted on the first batch of RTS and ITS on 19 June 2023 and submitted the final draft RTS and ITS to the EU Commission on 17 January 2024.4 The European Commission will now start working on their review with the objective to adopt these first standards in the coming months. The ESAs launched consultation on the second batch of RTS and ITS on 8 December 2023 and the ESAs are to submit final drafts to the EU Commission by 17 July 2024.

What is DORA’s impact?

DORA and the DORA Directive will have a significant impact on the asset management sector, as they will compel firms’ management bodies to fully understand how their ICT, operational resilience, cyber and third-party risk management practices affect the resilience of their critical/important functions.

The practical impact is that in-scope firms will need to review and adjust their operational resilience and ICT capabilities to meet the new oversight, testing and reporting requirements that are being introduced, as well as to review their ICT contracts.

Who is in scope of DORA?

DORA applies to a wide range of financial entities – nearly all firms in the financial sector are in scope. Of particular relevance to asset managers is the fact that MiFID investment firms,5 alternative investment fund managers6 (“AIFMs”) and management companies subject to Directive 2009/65/EC (“UCITS Directive”)7 are in scope, as are certain third-party ICT service providers (primarily those ICT providers designated as ‘critical’ by ESAs).

DORA does, however, include an exemption for certain financial entities, such as sub-threshold AIFMs,8 and for many requirements microenterprises9 are also exempt. Similarly, ‘small and non-interconnected investment firms’10 are exempt from certain requirements. At a high level, such firms are required to address the same issues as other financial entities, but the obligations are less prescriptive – allowing greater flexibility in implementing an appropriate ICT risk management framework.11

It is also worth noting that the categories of entities in scope of DORA include entities that are currently out of scope under the existing EBA Guidelines on outsourcing arrangements – for example crypto-asset service providers, insurance and re-insurance companies.

With regard to the application of DORA to non-EU AIFMs, DORA defines AIFMs by reference to Article 4(1)(b) of AIFMD – “legal persons whose regular business is managing one or more AIFs” – which is not limited to EU managers. It is not yet clear whether non-EU AIFMs managing EU AIFs and/or marketing AIFs in the EU will be expected to comply with the provisions of DORA.

The DORA Directive amends other pieces of EU financial services legislation (including AIFMD and the UCITS Directive) to align with the requirements laid down in DORA regarding the specific risk management of ICT systems and tools.

What is ‘digital operational resilience’?

Under DORA, ‘Digital operational resilience’ is defined as a financial entity’s ability to ‘build, assure and review its operational integrity and reliability’ by ensuring ‘the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions’. Resilience to cyberattacks is just one aspect of the operational strength that DORA seeks to ensure. It also addresses reliability and business continuity more generally.

The obligations imposed on financial entities largely fall under the following categories:

  1. ICT risk management controls.
  2. Reporting requirements.
  3. Resilience testing.
  4. Management of third-party risk, including contractual arrangements with third-party ICT service providers.
  5. Information sharing in relation to cyber threats and vulnerabilities.

1. ICT risk management controls

DORA includes a number of general requirements regarding financial entities’ ICT resilience and supplements those general requirements with more specific provisions designed to meet such requirements.

ICT Risk Management Framework – DORA requires financial entities to implement an ICT risk management framework (“Framework”) that enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience. The Framework – which must be well-documented – must include policies, procedures and protocols to protect all information and ICT assets. The Framework must also include a digital operational resilience strategy setting out how the Framework will be implemented – including methods to address ICT risk and attain specific ICT objectives. The Framework must be subject to continuous improvement on the basis of lessons derived from implementation and monitoring and, in most instances, must be reviewed at least annually (as well as following major ICT-related incidents, supervisory instructions or conclusions derived from resilience testing or audit processes). National competent authorities can request details of a firm’s Framework and can request complete and updated information on ICT risk. The ESAs have published final draft RTS specifying the details of the elements to be included in the Framework.

Governance of ICT Risk – DORA requires financial entities to have in place internal governance and controls to ensure effective and prudent management of ICT risk, which includes assigning the responsibility for managing and overseeing ICT risk to a control function and ensuring an appropriate level of independence of that control function in order to avoid conflicts of interest. DORA provides details12 as to what it expects from the management body (or the equivalent persons who effectively run the entity or have key functions) in terms of defining, approving, overseeing and being responsible for the implementation of all arrangements related to the Framework.

The management body is ultimately responsible for overseeing and implementing the Framework. Consequently, members of the management body must make sure they actively maintain up-to-date knowledge sufficient to understand and assess ICT risk, and senior ICT staff must report at least annually to the management body on operational resilience.

ICT mapping and inventories – As part of the Framework, financial entities are required to track and document all information assets and ICT assets, as well as all ICT-supported business functions and the information and ICT assets that support those functions. Firms must also identify the ICT service providers that support critical or important business functions. Financial entities are required to continuously (i) identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and (ii) assess related cyber threats and ICT vulnerabilities relevant to their ICT-supported business functions, information assets and ICT assets. These inventories must be reviewed periodically (generally, at least annually).

ICT Security and Business Continuity – As part of the Framework, DORA requires financial entities to put in place a comprehensive ICT business continuity policy (“BCP”) and ICT response and recovery plans. DORA specifies that the BCP and ICT response and recovery plans need to be maintained and periodically tested, at least yearly. As part of the Framework, DORA also includes general obligations regarding the appropriateness, reliability and resilience of ICT systems. For example, financial entities must implement policies and protocols addressing key aspects of ICT security, such as information security, physical and technical access requirements, breach detection, incident response, crisis management and business continuity and recovery.

Firms must have a crisis management function, which must set out clear procedures to manage internal and external crisis communications in the event of activation of their ICT BCP or ICT response and recovery plans. The ESAs have published final draft RTS specifying further the components of the ICT BCP and the rules on the testing of those ICT BCPs.

2. Reporting ICT incidents

DORA requires financial entities to classify ICT-related incidents (e.g., cyberattacks) based on specified criteria, such as the relevance to clients and financial counterparts, the volume of transactions affected, the duration of the incident, the geographic spread of the incident and the impact on data.13

Major ICT-related incidents must be reported to regulators within specified timeframes. The timeframes proposed in current draft RTS are stringent:14

  • initial notification within four hours after classification and no later than 24 hours after detection of the incident;
  • intermediate report within 72 hours from the classification of the incident as major; and
  • final report within one month from the classification of the incident as major.

Where an incident also constitutes a personal data breach, DORA’s incident reporting requirements will apply in parallel to breach notification rules under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

The draft RTS will, once approved, provide further detail as to the criteria and materiality thresholds for determining major ICT-related incidents and the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents, amongst other items. The ESAs are currently consulting on draft RTS and ITS covering the content of initial notifications, intermediate reports and final reports.

In addition, where a major ICT incident has an impact on the financial interests of clients, the clients must be notified without undue delay.

3. Resilience testing

As part of the Framework, financial entities (other than microenterprises) are required to maintain a comprehensive digital operational resilience testing programme, such as vulnerability scans, penetration testing and physical security reviews. The approach to testing must take into account the general ICT-risk landscape and any specific risks relevant to the financial entity. For ICT systems supporting critical or important functions, appropriate tests must be conducted at least yearly. For many entities, threat-led penetration testing must be carried out at least every three years, and the tests should comply with specified requirements. RTS and ITS are being developed covering threat-led penetration testing.15

4. Management of third-party risk

DORA treats management of third-party risk as a critical component of a financial entity’s overall ICT risk within the Framework, laying down specific obligations to manage third-party risk. DORA’s focus on third-party ICT contractual arrangements is explained in the recitals – although EU financial services law contains certain general rules on outsourcing, monitoring of the contractual dimension is not fully anchored into EU law. Legislators are of the view that many contractual arrangements with third parties do not provide for sufficient safeguards allowing for the fully-fledged monitoring of subcontracting processes, meaning the financial entity is deprived of its ability to assess the associated risks. In addition, legislators believe that as ICT third-party service providers often provide standardised services to different types of clients, such contractual arrangements do not always cater adequately for the individual or specific needs of financial entities. DORA aims to address this.

Third-party risk strategy – Financial entities are required to have a strategy in place for managing third-party risk, including a policy on the use of third-party ICT services supporting critical and important functions.16

Register of information – Firms must maintain a register of contractual arrangements with third-party ICT service providers (‘register of information’), including various details of each ICT service.17 The register of information must distinguish between those ICT services that support critical or important functions and those that do not. The ESAs have published proposed implementing technical standards that include standardised templates for the register of information to help ensure uniformity across EU Member States.

Reporting – Firms must report to regulators at least annually on the new ICT services arrangements and are to make the register of information available to regulators on request. In particular, financial entities are required to inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services to support critical or important functions, as well as when a function has been reassessed and is subsequently seen as critical or important.

Pre-contractual steps – Prior to engaging a third party ICT service provider, financial entities must carry out appropriate diligence on the provider and make an assessment of the contractual setup, including whether the firm is overly dependent on the particular provider and the risks associated with further subcontracting by the provider. Specific considerations must be assessed when a provider is based outside the EU, and when the provider will support critical or important functions. When contractual arrangements do concern critical or important functions, before entering into the arrangements, financial entities must consider whether the ICT third-party service provider in question uses the most up-to-date and highest quality information security standards.

Contractual provisions – Financial entities must ensure that in contracts with third-party providers the rights and obligations of the financial entity and of the ICT third-party service provider are clearly allocated, and the full contract, including service level agreements, must be documented in one written document. Importantly, contracts must include a number of specific terms, including:

  • specific termination rights in various scenarios;
  • provisions enabling the safe return of data to the financial firm;
  • obligations on the service provider to provide assistance at no additional cost in the event of an ICT incident;
  • provisions indicating whether ICT services supporting critical or important functions can be subcontracted; and
  • requirements that the ICT service provider co-operates with regulators.

Contracts for critical and important ICT services are subject to particularly prescriptive requirements. Contract updates for DORA may also serve as an opportunity to address any outstanding regulatory updates to conform with GDPR requirements for processing and/or exporting personal data.

The ESAs have published for consultation draft RTS to provide further specifics on factors that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.18

Exit strategies – Where an ICT service supports a critical or important function, financial entities must ensure they are able to exit the arrangement without disruption to their business activities, without limiting compliance with regulatory requirements and without detriment to client service. Transition and termination assistance provisions will therefore be of particular importance, with DORA requiring a mandatory adequate transition period to be established allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided. During the mandatory transition period, the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to effective resolution and restructuring. Exit plans need to be comprehensive, documented and sufficiently tested and reviewed periodically.

5. Information sharing

DORA envisages that financial entities may establish bodies or membership organisations for sharing cyber threat information and intelligence in order to enhance resilience. Such information sharing must only be carried out within trusted communities of financial entities and ensure that the sensitive nature of the information is protected. Firms must notify competent authorities of their involvement in information-sharing groups.

Proportionality

In light of the detailed requirements that DORA will introduce, financial entities will be pleased to note that DORA specifically includes a ‘proportionality principle’.19 This gives financial entities welcome flexibility, allowing them to apply the DORA requirements in a way that is proportionate to their size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations. The proportionality principle applies not only to ICT risk management itself, but also to ICT-related incident management, classification and reporting, to digital operational resilience testing and to the management of ICT third-party risk.

Penalties and enforcement

DORA establishes that competent authorities are to have all supervisory, investigatory and sanctioning powers necessary to fulfil their duties under DORA. This includes the power to access any document or data the competent authority considers relevant, the power to carry out on-site inspections or investigations, and the power to require corrective and remedial measures for breaches of DORA’s requirements. DORA also requires EU Member States to give competent authorities the power to apply administrative penalties and remedial measures, including cease and desist orders, public notices of non-compliance and any other type of measure (including fines) to ensure that financial entities continue to comply. DORA also leaves the door open for EU Member States to impose criminal penalties. Any penalties must be effective, proportionate and dissuasive. As an additional deterrent, competent authorities are required to publish any decision imposing an administrative penalty on their official websites. The publication must include information on the type and nature of the breach, the identity of the persons responsible and the penalties imposed.

Comment

EU legislators see cyber risk as a systemic vulnerability because of high levels of interconnectedness across the financial sector. The COVID-19 pandemic has accelerated financial entities’ reliance on ICT. DORA is intended to harmonise rules across EU Member States and across different financial services sectors. However, a degree of inconsistency is likely to remain because financial penalties are not specified at an EU-wide level but left to individual EU Member States. In addition, whilst the ‘proportionality principle’ gives firms some welcome wiggle room, that principle may also undermine the consistency with which DORA is applied in practice. Many requirements of DORA reflect existing good practice; however, even asset managers with robust and sophisticated ICT management frameworks will need to take steps to conform with the specific requirements of DORA. In-scope firms are advised to start preparing now for the January 2025 go-live. This includes firms that are currently not in scope of the EBA Outsourcing Guidelines, which should consider whether they now fall within scope of DORA and, if so, take steps to ensure they will comply with DORA from January 2025.

Footnotes

  1. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector.
  2. Directive (EU) 2022/2556 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector.
  3. The ESAs comprise the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority, (“EIOPA”) and the European Securities and Markets Authority (“ESMA”).
  4. The ESAs’ first set of final draft RTS and ITS under DORA are available at “ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification” (europa.eu).
  5. According to Article 3(33) of DORA, an “investment firm” means “an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU”. [MiFID].
  6. According to Article 3(44) of DORA, a “manager of alternative investment funds” means “a manager of alternative investment funds as defined in Article 4(1), point (b), of Directive 2011/61/EU”. [AIFMD].
  7. According to Article 3(45) of DORA, a “management company” means “a management company as defined in Article 2(1), point (b), of Directive 2009/65/EC.” [UCITS Directive].
  8. i.e., AIFMs referred to in Article 3(2) of AIFMD. An AIFM will be sub-threshold if it manages portfolios of AIFs whose aggregate assets under management: (i) do not exceed €100 million (including any assets acquired through the use of leverage); or (ii) do not exceed €500 million where the portfolio consists of AIFs that are unleveraged and do not give their investors a right of redemption within five years of initial investment in each AIF.
  9. According to Article 3(60) of DORA, “microenterprise” means a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed €2 million.
  10. According to Article 3(34) of DORA, “small and non-interconnected investment firm” means “an investment firm that meets the conditions laid out in Article 12(1) of Regulation (EU) 2019/2033.” [Investment Firms Regulation].
  11. Draft RTS regarding ICT risk management frameworks for small and non-interconnected investment firms were published in June 2023 and final drafts have been submitted to the EU Commission.
  12. Article 5 of DORA.
  13. Draft RTS on the classification of ICT incidents were published in December 2023 and were open to public consultation until 4 March 2024.
  14. Draft RTS on reporting major incidents were published in December 2023 and were open to public consultation until 4 March 2024.
  15. Draft RTS on threat-led penetration testing were published in December 2023 and were open to public consultation until 4 March 2024.
  16. Draft RTS specifying requirements for policies on the use of ICT services supporting critical or important functions were published in June 2023 and final drafts have been submitted to the EU Commission.
  17. Draft RTS on registers of information were published in June 2023 and final drafts have been submitted to the EU Commission.
  18. Draft RTS on subcontracting ICT services supporting critical or important functions were published in December 2023 and were open to public consultation until 4 March 2024.
  19. Article 4 of DORA.
