Preparing For Change: Exploring The Digital Operational Resilience Act (DORA) For The Asset Management Industry

The Digital Operational Resilience Act (DORA), an EU regulation effective from January  2023, and enforceable as of January 2025, seeks to enhance IT security within financial entities like banks, insurance firms, and asset and investment management companies.

While key details are still being ironed out by the European Supervisory Authorities (ESAs), comprised of the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), DORA’s primary objective is to bolster the operational resilience of Europe’s financial sector, ensuring its ability to withstand significant operational disruptions. DORA achieves this by harmonizing operational resilience rules across 20 different financial entities and information and communication technology (ICT) third-party service providers.

What Is DORA?

DORA covers five main areas:

1. ICT Risk Management – Firms will need to establish and maintain resilient ICT systems and tools to mitigate the impact of ICT risks. This includes continuously identifying and addressing all sources of ICT risks, promptly detecting anomalous activities, implementing dedicated business continuity policies and disaster recovery plans for swift recovery post-incident, and establishing mechanisms for learning and evolution from both external events and internal ICT incidents – think portfolio risk exposure but from a techstack perspective.
2. ICT-Related Incident Management, Classification & Reporting – Monitoring and logging ICT-related incidents are a critical part of DORA. Firms will need to classify incidents according to regulatory criteria developed by the ESAs, report incidents to relevant authorities using standardized templates and procedures set by supervisory bodies, and submit initial, intermediate, and final reports to the firm’s users and clients. Ongoing data collection and documentation will be crucial to incident management, classification, and reporting.
3. Digital Operational Resilience Testing – This means periodically testing elements of the ICT risk management framework for readiness, promptly identifying and addressing weaknesses with counteractive measures, ensuring testing requirements are proportionate to entity size, business, and risk profiles, and conduct Threat Led Penetration Testing (TLTP) to address heightened risk exposure.
4. ICT Third Party Vendor Risk Management – Contracts with vendors should encompass essential monitoring and accessibility details, including comprehensive service level descriptions and data processing locations, while promoting convergence on supervisory approaches through the Joint Committee of European Supervisory Authorities (ESAs).
5. Information Sharing Arrangements – The guidelines advocate collaboration among trusted financial entities to enhance digital operational resilience, raise awareness of ICT risks, minimize the spread of ICT threats, and bolster defensive and detection techniques, mitigation strategies, and response and recovery efforts. Financial entities are urged to exchange cyber threat information and intelligence while ensuring arrangements safeguard the sensitivity of shared information.

As ESAs finalize their Regulatory and Implementing Technical Standards (RTS & ITS), which will come into effect from 2025, it’s evident that asset and investment management firms will face heightened demands for robust data collection and documentation of their ICT vendor relationships. With these impending changes, there’s a pressing need to reassess current processes for collecting and documenting risk data. Now is the opportune moment to enhance data collection infrastructure to meet evolving regulatory requirements effectively.

Who Will DORA Impact?

DORA will have an impact on a diverse array of entities within the asset and investment management industry encompassing credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, insurance companies, crypto-asset service providers, exchanges, clearing houses, alternative fund managers, pension providers, and credit rating agencies.

What Are The Implications For Due Diligence Teams?

EU regulators aim to take a proactive approach to ICT risk, emphasizing financial institutions maintain regular reporting, communication, and assessments facilitated by standardized formats. Financial institutions will need to chart their dependencies on third-party ICT services, ensuring that their crucial functions are not overly reliant on a single provider or a small group of providers.

The Digital Operational Resilience Act (DORA) is likely to have several impacts on financial institutions’ Due Diligence Questionnaire (DDQ) and Request for Proposal (RFP) processes:

1. Assessment Of Operational Resilience: Financial institutions will need to enhance their DDQ and RFP processes to include inquiries and requirements related to operational resilience, as mandated by DORA. This could involve assessing vendors’ IT security measures, incident response capabilities, and business continuity plans.
2. Ensuring Compliance With Requirements: DORA will introduce new compliance requirements for financial institutions regarding operational resilience and IT security. As a result, DDQs and RFPs will need to be updated to ensure that vendors are compliant with these regulations.
3. Standardized Reporting And Communication: Digital Operational Resilience Act (DORA) emphasizes standardized reporting and communication of ICT-related incidents. Investment and asset management firms will need to incorporate requirements for standardized incident reporting into their DDQ and RFP processes to ensure consistency and compliance with regulatory standards.
4. Evaluation Of Third-Party Vendors: Investment and asset management firms will need to conduct more thorough evaluations of third-party vendors’ operational resilience and IT security capabilities as part of their DDQ and RFP processes. This could involve requesting detailed information about vendors’ risk management practices, cybersecurity measures, and incident response protocols.

DiligenceVault + DORA Requirements

At DiligenceVault, we have three initiatives with regards to DORA:

1. As the leading due diligence platform, our asset manager, investor and management company clients in Europe have already started to digitise their DORA questionnaires and leverage open issues tracking capabilities on the DiligenceVault platform. This streamlines the process of collecting information faster from the third party vendors, and speeds up response analysis, risk monitoring and reporting.
2. As a software provider, we are asked by new and existing clients to answer their questionnaires related to DORA. Our questionnaire response platform makes it easy to store and maintain all the responses and documents in one place, up to date. We use our own technology for it, and all our premium third party vendor clients do it too.
3. Building reporting capabilities to help our clients report ICT risks to their regulators.

Overall, DORA is likely to lead to enhancements in asset and investment management DDQ and RFP processes, with a greater emphasis on operational resilience, compliance with regulatory standards, standardized reporting and communication, and thorough evaluation of third-party vendors. DiligenceVault is the leading provider of industry-specific due diligence technology. Trusted by over 70,000 users in the asset management industry, the DiligenceVault platform empowers firms to master due diligence on both sides of the questionnaire.

Contact us to find out more about how we can help!