DORA - Challenges for Asset Managers

DORA may not be uppermost in the thoughts of Asset Managers, but it is a regulation that cannot be ignored if you carry out business in the EU, or with parties falling into that regulatory jurisdiction.

The key aims of DORA apply to multiple industries but essentially are that risk management around data and cybersecurity will be subject to more stringent rules across the EU. It aims to improve the strength, effectiveness, and consistency of risk management, removing the fragmented rules that exist across multiple individual EU member states. There is also a focus on the management of 3^rd party service providers and ensuring that a firm is familiar with the risk management measures of their service providers, ensures that they are of sufficient quality, and monitors them closely.

The timeframes for the Risk Management Framework Information & Communication Technology (ICT) policy, the Classification of Major ICT Incidents, and the 3^rd Party Register are as follows:-

1. June 2023 – Consultation paper on draft policy issued. Public consultation to begin
2. Sept 2023 – Public consultation to conclude. Assessment of responses to begin
3. 17/2/2024 – Submit draft recommendations to European Commission

The timeframes for the RTS on Sub-Contracting, and the Reporting of Major Incidents will follow a slightly different timetable and are as follows:-

1. Nov 2023 – Consultation paper on draft policy issued. Public consultation to begin
2. Feb 2024 - Public consultation to conclude. Assessment of responses to begin
3. June 2024 - Submit draft recommendations to European Commission

Watch out for further posts on DORA from us, where we will share information on Risk Management, Major Incident Reporting, and CTPPs (Critical ICT Third Party Providers)

Please get in touch with us at [email protected] should you wish to discuss how Investment Solutions Consultants (ISC) Ltd can help you