DORA - Challenges for Asset Managers
DORA may not be uppermost in the thoughts of Asset Managers, but it is a regulation that cannot be ignored if you carry out business in the EU, or with parties falling into that regulatory jurisdiction.
DORA's key aims apply to multiple industries, but in essence they are that risk management around data and cybersecurity will be subject to more stringent rules across the EU. It aims to improve the strength, effectiveness, and consistency of risk management, removing the fragmented rules that exist across individual EU member states. There is also a focus on the management of third-party service providers, ensuring that a firm is familiar with the risk management measures of its service providers, confirms that they are of sufficient quality, and monitors them closely.
The timeframes for the Risk Management Framework Information & Communication Technology (ICT) policy, the Classification of Major ICT Incidents, and the 3rd Party Register are as follows:
- June 2023 – Consultation paper on draft policy issued. Public consultation to begin
- Sept 2023 – Public consultation to conclude. Assessment of responses to begin
- 17/2/2024 – Submit draft recommendations to European Commission
The timeframes for the RTS on Sub-Contracting and the Reporting of Major Incidents follow a slightly different timetable and are as follows:
- Nov 2023 – Consultation paper on draft policy issued. Public consultation to begin
- Feb 2024 – Public consultation to conclude. Assessment of responses to begin
- June 2024 – Submit draft recommendations to European Commission
Watch out for further posts on DORA from us, where we will share information on Risk Management, Major Incident Reporting, and CTPPs (Critical ICT Third Party Providers).