With less than five months remaining until the European Union’s Digital Operational Resilience Act (DORA) comes into effect, Ocorian, a leading provider of fund, corporate, capital market, private client, and regulatory compliance services, is urging asset managers to take immediate steps to ensure compliance.
Ocorian warns that failure to act could result in significant penalties, citing fines of up to €10 million or 5% of annual turnover; the specific administrative penalties for financial entities are laid down by each Member State's competent authority under the regulation.
Impact of DORA on the Financial Sector
DORA is set to reshape the operational landscape for the EU financial sector, including its service providers and any external entities conducting business with EU-based financial participants. The regulation, a key component of the EU’s Digital Finance Package, aims to harmonise cybersecurity measures, mitigate digital risks, and enhance the operational resilience of financial institutions.
Ocorian highlights that from 17th January 2025, asset managers will need to ensure both their own operations and those of their outsourced service providers comply with DORA’s stringent requirements. Non-compliance could lead to substantial financial penalties and reputational damage.
Key Areas of Impact for Regulated Funds
DORA will have a significant impact on regulated funds, particularly across the following five areas:
- ICT Risk Management: Asset managers must identify, document and assess the risks in their Information and Communication Technology (ICT) systems and infrastructure, and maintain an up-to-date inventory of the ICT assets that support their business functions.
- Incident Management: They will need robust processes to detect, classify, report (major incidents must be notified to the competent authority) and recover from ICT-related incidents.
- Digital Operational Resilience Testing: Regular testing of systems and processes will be required to ensure they can withstand disruptions; entities designated by their competent authority must additionally carry out threat-led penetration testing (TLPT) at least every three years.
- ICT Third-Party Risk Management: Managers must maintain a register of information on all contractual arrangements with ICT third-party service providers, with particular attention to those supporting critical or important functions.
- Information Sharing: Financial entities will have the option (not an obligation) to share cyber threat information and intelligence with other organisations.
The Importance of Adapting Outsourcing Practices
Ocorian advises asset managers, particularly those reliant on third-party vendors for critical or important functions, to adapt their outsourcing practices to align with DORA's requirements. This includes confirming that service providers can support the manager's own DORA obligations, conducting the necessary risk assessments and penetration testing, and writing DORA's contractual requirements (service levels, incident notification, audit and access rights, exit strategies) explicitly into contracts. Continuous monitoring of third-party performance and compliance will also be essential.
Steps to Achieve DORA Compliance
Ocorian suggests several practical steps asset managers can take to meet DORA requirements without overhauling existing systems:
- Leverage Existing Governance Structures: Use existing risk management frameworks to meet DORA's governance requirements, ensuring the management body retains accountability for ICT risk.
- Utilise GDPR Efforts: Existing data asset registries, created for GDPR compliance, can be extended to satisfy DORA's ICT asset inventory requirement, provided they are widened to cover systems, infrastructure and third-party dependencies rather than personal data alone.
- Identify and Address Gaps: Focus on identifying gaps between current practices and DORA's requirements to prioritise compliance efforts.
- Capitalise on Existing Certifications: An ISO certification, for example, can provide evidence of strong operational practices, although it does not by itself demonstrate DORA compliance.
- Optimise Existing Tools: Existing network monitoring, logging and firewall tooling can be mapped to DORA's detection and protection requirements rather than replaced.
Sharon Hodder, Head of Business Partnering – Technology at Ocorian, reassures asset managers: “While DORA compliance may seem challenging, it is achievable through a pragmatic approach that builds on existing practices. By leveraging current governance frameworks and focusing on critical gaps, firms can achieve compliance without significant disruption.”
Stuart Geddes, Ocorian’s Chief Information Officer, adds, “Many fund administrators and service providers are already well-prepared for DORA. Our regulatory and compliance experts at Bovill Newgate are developing specialised services to support our clients and other institutions in achieving full DORA compliance.”