Summary

The European Union (EU) adopted Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (the “DORA Regulation”) in January 2023.

The DORA Regulation seeks to establish a harmonised digital operational resilience standard applicable to the EU financial sector and requires ‘financial entities’, including EU investment firms and EU managers of alternative investment funds (AIFMs), to (among other things) have in place a comprehensive information and communication technology (ICT) risk management framework that “ensures an effective and prudent management of all ICT risks[1]”[2] and to manage ICT-related risks and disruptions.

The DORA Regulation is accompanied by Directive 2022/2556 as regards digital operational resilience for the financial sector (the “DORA Directive”), which requires implementation into national law and amends certain other directives, including the recast Markets in Financial Instruments Directive (MiFID)[3] and the Alternative Investment Fund Managers Directive (AIFMD)[4].

When will DORA start to apply?

The operative provisions of the DORA Regulation will take effect from 17 January 2025. In relation to the DORA Directive, EU member states must transpose the requirements of the DORA Directive into national law to take effect from that same date.

What are the key provisions for investment firms and AIFMs?

The DORA Regulation will require investment firms and AIFMs to:[5]

  • Governance: Maintain internal governance and control frameworks that ensure firms manage all ICT risks effectively. The management body of the firm will bear the ultimate responsibility for managing ICT risks and will be required to maintain a key role in shaping the firm's ICT risk management framework (see below).[6]
  • ICT risk management and policies: Maintain a sound, comprehensive and well-documented ICT risk management framework that enables the firm to address ICT risk quickly, efficiently and comprehensively.[7] The framework shall include strategies, policies, procedures, ICT protocols and tools necessary to protect all information and ICT assets, including software, hardware, servers and all relevant physical components and infrastructure (such as data centres), from the risks of damage or unauthorised access or use.[8] Firms must also have in place a comprehensive ICT business continuity policy[9] as well as backup policies and procedures.[10]
  • Protection, Prevention and Detection: “Continuously monitor and control the security and functioning of ICT systems” and “have in place mechanisms to promptly detect anomalous activities”.[11]
  • Incident Management and Reporting Framework: Establish and implement an ICT-related incident management process to detect, manage, classify and notify relevant incidents, including recording significant cyber threats.[12] Major incidents must be reported to the relevant competent authority.[13]
  • Digital Operational Resilience Testing: Carry out digital operational resilience testing.[14]
  • Third Party Risk: Manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework. This will also impose obligations in relation to firms' contracts with suppliers and sub-contractors.[15]
  • Information Sharing Arrangements: The DORA Regulation permits firms to exchange amongst themselves information about cyber threats and intelligence, and provides that those firms shall notify the competent authorities of their participation in such information sharing arrangements.[16]

The DORA Regulation also establishes an Oversight Framework for critical ICT third-party service providers to financial entities, and establishes the position of Lead Overseer to conduct the oversight of such critical third parties.

Does DORA apply to non-EU investment firms and non-EU AIFMs?

At present, the DORA Regulation is likely to apply only to EU investment firms and EU AIFMs. Similar to the General Data Protection Regulation (GDPR), however, we anticipate the application of DORA to have some level of extraterritorial impact for multinational firms and are hopeful that further guidance will be forthcoming from regulators on extraterritorial impact.[17]

It is likely that non-EU investment managers will be indirectly subject to some of the requirements under the DORA Regulation or will be required to demonstrate to their EU clients that their ICT risk management systems provide an equivalent level of protection and resilience. The DORA Regulation requirements may apply indirectly as a result of contractual arrangements, e.g., through delegated sub-investment management arrangements.

What are the next steps for investment firms and AIFMs?

Firms should undertake a gap analysis of their existing ICT infrastructure, policies and organisational frameworks with a view to mapping them against the requirements of DORA.

We will continue to monitor and report on developments. Please reach out to your usual Akin contact or to the authors for further information.

Footnotes

1. The DORA Regulation defines “ICT risk” in Article 3(5) as “any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment...”.

2. Article 5(1) of the DORA Regulation.

3. Directive 2014/65/EU.

4. Directive 2011/61/EU.

5. Note that simplified procedures may apply to certain small firms, such as small and non-interconnected investment firms: see Article 16 of the DORA Regulation.

6. Article 5(2) of the DORA Regulation.

7. Article 6(1) of the DORA Regulation.

8. Article 6(2) of the DORA Regulation.

9. Article 11 of the DORA Regulation.

10. Article 12 of the DORA Regulation.

11. Articles 9 and 10 of the DORA Regulation.

12. Articles 17 and 18 of the DORA Regulation.

13. Article 19 of the DORA Regulation.

14. Articles 21 to 27 of the DORA Regulation.

15. Articles 28 to 30 of the DORA Regulation.

16. Article 45 of the DORA Regulation.

17. The list of ‘financial entities’ to which the DORA Regulation applies includes “investment firms” (see Article 2(e) of the DORA Regulation) as defined in recast MiFID (see Article 3(33) of the DORA Regulation, cross-referring to Article 4(1)(1) of Directive 2014/65/EU (recast MiFID)). Similarly, the list of ‘financial entities’ includes “managers of alternative investment funds” (see Article 2(k) of the DORA Regulation) as defined in AIFMD (see Article 2(44) of the DORA Regulation, cross-referring to Article 4(1)(b) of Directive 2011/61/EU).
