Managing IT Service Provider Risks by Fund Managers and Fund Service Providers Under DORA
Starting January 17, 2025, the EU Digital Operational Resilience Act (DORA) will come into effect. This regulation impacts EU financial entities, including fund managers and fund service providers like fund administrators. DORA's requirements are categorized into four main areas:
1. ICT risk management
2. ICT-related incidents management
3. Periodic testing of digital operational resilience
4. Management of IT service provider risks
This blog focuses on managing IT service provider risks under DORA, providing practical guidance for fund managers and fund service providers on implementing these requirements. Matterhorn Reporting Services (Matterhorn), an IT service provider supporting fund managers and fund service providers in meeting AIFMD reporting obligations, will also be affected by DORA. We therefore also outline how Matterhorn has prepared for DORA in order to enable fund managers and fund service providers to comply with these new regulations.
Background
Financial entities increasingly depend on external IT service providers to manage operations and services, which exposes them to potential ICT risks. These risks arise because IT service providers are not directly supervised or subject to the same regulatory frameworks as financial entities. Poorly managed ICT risks can disrupt business operations and services, affecting other financial entities, sectors, and the broader economy. DORA aims to enhance ICT security across the European financial sector, ensuring resilience against significant operational digital disruptions.
As an EU regulation, DORA will directly apply in EU member states from January 17, 2025. Detailed requirements are specified in regulatory technical standards (RTS), implementing technical standards (ITS), and guidance from regulators.
Impacted Fund Managers and Fund Service Providers
DORA requirements will generally apply to all EU-based licensed fund managers and their service providers. However, DORA does not apply to fund managers registered under the AIFMD sub-threshold regime ('sub-threshold AIFMs'). Fewer DORA requirements apply to fund managers employing fewer than 10 people with an annual turnover or balance sheet total of no more than EUR 2 million ('microenterprises').
Key Requirements for Managing IT Service Provider Risks
1. Develop a Strategy on IT Service Provider Risks
Fund managers must create a strategy to manage the risks of using IT service providers. This strategy includes establishing a policy that identifies critical or important IT service providers, assigning internal responsibilities for managing these relationships, and ensuring staff have the necessary skills to monitor these arrangements.
2. Perform a Risk Assessment on the IT Service Provider
Before appointing an IT service provider for critical or important functions, fund managers should conduct a risk assessment. This assessment should consider operational, legal, ICT, reputational, data protection, and geographical risks associated with the IT service provider.
3. Conduct Due Diligence on the IT Service Provider
Prior to appointment, fund managers must perform due diligence on IT service providers. This includes assessing the provider's reliability, potential subdelegation, data processing locations, audit rights, and adherence to principles regarding human rights, environmental protection, and working conditions.
4. Write an Exit Plan
Fund managers should develop exit plans for IT service providers handling critical or important functions. These plans must address service interruptions, failed service delivery, or unexpected terminations, ensuring they are realistic, feasible, and aligned with contractual termination clauses.
5. Ensure Key Contractual Provisions in Agreements
Contracts with IT service providers must include:
Clear descriptions of all functions and services
Locations of service provision and data processing
Obligations for assistance during ICT incidents
Audit rights for the fund manager and regulators
Exit strategies
Termination rights and notice periods
6. Maintain an IT Service Provider Register
Fund managers must keep an IT outsourcing register detailing each IT service provider, including information about the fund manager, the IT service provider, the agreement, and the assessments conducted. This register should be ready for submission to regulators upon request.
7. Report Agreements to Regulators
Fund managers must report new IT service provider appointments to local regulators annually, and immediately for those supporting critical or important functions.
Implementation Steps
To successfully implement DORA requirements, fund managers should:
1. List all current IT service providers and their subdelegates.
2. Assess whether the IT service provider supports critical or important functions.
3. Review existing agreements for compliance with key contractual provisions.
4. Renegotiate agreements as needed.
5. Complete the IT outsourcing register.
6. Formulate a strategy for managing IT service provider risks.
7. For critical or important IT service providers, develop a policy, reassess risks, and perform due diligence.
How Matterhorn Has Prepared for DORA
Matterhorn has made the following preparations to enable fund managers and fund service providers to comply with DORA:
It has updated its general terms and conditions to contain all the key contractual provisions required by DORA, such as a clear description of all functions and services, access and audit rights, and termination rights and notice periods.
It can provide a due diligence pack for the risk assessment and due diligence.
It can provide an audit pack, so no on-site audit is required.
It can pre-fill the IT outsourcing register with relevant DORA required information.
Contact us to learn more about how we can support your compliance with DORA requirements.