Managing IT Service Provider Risks by Fund Managers and Fund Service Providers Under DORA

Starting January 17, 2025, the EU Digital Operational Resilience Act (DORA) will come into effect. This regulation impacts EU financial entities, including fund managers and fund service providers like fund administrators. DORA's requirements are categorized into four main areas:

1. ICT risk management

2. ICT-related incidents management

3. Periodic testing of digital operational resilience

4. Management of IT service provider risks

This blog focuses on managing IT service provider risks under DORA, providing practical guidance for fund managers and fund service providers on implementing these requirements. Matterhorn Reporting Services (Matterhorn), an IT service provider supporting fund managers and fund service providers in meeting AIFMD reporting obligations, will also be affected by DORA. We therefore also outline how Matterhorn has prepared for DORA in order to enable fund managers and fund service providers to comply with these new regulations.

Background

Financial entities increasingly depend on external IT service providers to manage operations and services, which exposes them to potential ICT risks. These risks arise because IT service providers are not directly supervised or subject to the same regulatory frameworks as financial entities. Poorly managed ICT risks can disrupt business operations and services, affecting other financial entities, sectors, and the broader economy. DORA aims to enhance ICT security across the European financial sector, ensuring resilience against significant operational digital disruptions.

As an EU regulation, DORA will directly apply in EU member states from January 17, 2025. Detailed requirements are specified in regulatory technical standards (RTS), implementing technical standards (ITS), and guidance from regulators.

Impacted Fund Managers and Fund Service Providers

DORA requirements will generally apply to all EU-based licensed fund managers and their service providers. However, DORA does not apply to fund managers registered under the AIFMD sub-threshold regime ('sub-threshold AIFMs'). Fewer DORA requirements apply to fund managers employing fewer than 10 people with an annual turnover or balance sheet total of no more than EUR 2 million (‘microenterprises’).

Key Requirements for Managing IT Service Provider Risks

1. Develop a Strategy on IT Service Provider Risks

Fund managers must create a strategy to manage the risks of using IT service providers. This strategy includes establishing a policy that identifies critical or important IT service providers, assigning internal responsibilities for managing these relationships, and ensuring staff have the necessary skills to monitor these arrangements.

2. Perform a Risk Assessment on the IT Service Provider

Before appointing an IT service provider for critical or important functions, fund managers should conduct a risk assessment. This assessment should consider operational, legal, ICT, reputational, data protection, and geographical risks associated with the IT service provider.

3. Conduct Due Diligence on the IT Service Provider

Prior to appointment, fund managers must perform due diligence on IT service providers. This includes assessing the provider's reliability, potential subdelegation, data processing locations, audit rights, and adherence to principles regarding human rights, environmental protection, and working conditions.

4. Write an Exit Plan

Fund managers should develop exit plans for IT service providers handling critical or important functions. These plans must address service interruptions, failed service delivery, or unexpected terminations, ensuring they are realistic, feasible, and aligned with contractual termination clauses.

5. Ensure Key Contractual Provisions in Agreements

Contracts with IT service providers must include:

  • Clear descriptions of all functions and services

  • Locations of service provision and data processing

  • Obligations for assistance during ICT incidents

  • Audit rights for the fund manager and regulators

  • Exit strategies

  • Termination rights and notice periods

6. Maintain an IT Service Provider Register

Fund managers must keep an IT outsourcing register detailing each IT service provider, including information about the fund manager, the IT service provider, the agreement, and the assessments conducted. This register should be ready for submission to regulators upon request.

7. Report Agreements to Regulators

Fund managers must report new IT service provider appointments to local regulators annually, and immediately for those supporting critical or important functions.

Implementation Steps

To successfully implement DORA requirements, fund managers should:

1. List all current IT service providers and their subdelegates.

2. Assess whether the IT service provider supports critical or important functions.

3. Review existing agreements for compliance with key contractual provisions.

4. Renegotiate agreements as needed.

5. Complete the IT outsourcing register.

6. Formulate a strategy for managing IT service provider risks.

7. For critical or important IT service providers, develop a policy, reassess risks, and perform due diligence.

How Matterhorn Has Prepared for DORA

Matterhorn has made the following preparations to enable fund managers and fund service providers to comply with DORA:

  • It has updated its general terms and conditions, containing all the DORA required key contractual provisions, such as a clear description of all functions and services, access and audit rights and termination rights and notice periods.

  • It can provide a due diligence pack for the risk assessment and due diligence.

  • It can provide an audit pack, so no on-site audit is required.

  • It can pre-fill the IT outsourcing register with relevant DORA required information.

Contact us to learn more about how we can support your compliance with DORA requirements.

Schedule an appointment with us

Previous
Previous

FE fundinfo expands best-in-class regulatory reporting capabilities with the acquisition of AIFMD specialist Matterhorn Reporting Services

Next
Next

Understanding the AIFMD National Private Placement Regime (NPPR) for Non-EU Fund Managers