From last month, January 17 to be precise, financial entities in the European Union were required to have in place processes and policies, and mandatory contract provisions with their third-party technology vendors, that comply with the EU’s Digital Operational Resilience Act (Dora).
We set out below key implications of Dora for asset managers, including considerations for contract remediation for Dora compliance.
Objective and Scope
Dora’s key objective is to strengthen financial entities’ operational resilience by ensuring prudent risk management of their information technology and communication (ICT) services, including their cloud, software-as-a-service, digital data, and IT infrastructure arrangements.
Dora applies to a wide range of financial entities including EU alternative investment fund managers (AIFMs) (other than sub-threshold AIFMs), management companies of undertakings for collective investment in transferable securities (UCITS) and investment firms authorised under the EU Markets in Financial Instruments Directive (MiFID).
The text is unclear as to whether non-EU AIFMs managing or marketing alternative investment funds in the EU are expected to comply with Dora (advice should be taken). However, Dora must be implemented in accordance with the principle of proportionality (based on the financial entity’s size and overall risk profile, and the nature, scale and complexity of its services, activities and operations) and so, to the extent non-EU AIFMs are subject to Dora, they may be able to rely on proportionality in determining how they achieve compliance with Dora’s objectives. Certain requirements also apply indirectly to non-EU entities providing ICT services to EU financial entities (on an intra-group basis or as an independent third party), but the onus is on the EU financial entities to ensure the ICT services meet the required standards.

Organisational requirements
Dora harmonises various pre-existing EU requirements, and introduces new requirements, around the following key pillars:
- ICT risk management framework: Financial entities must adopt a comprehensive and well-documented ICT risk management framework that is reviewed on an ongoing basis. The requirements are specified in greater detail in regulatory technical standards, available here, covering, among other areas, cybersecurity training, business continuity planning, ICT asset management, data, monitoring of ICT systems, vulnerability management and ICT change management.
- Digital operational resilience testing: Financial entities must conduct appropriate testing on ICT systems and tools. Systemically important entities must conduct threat-led penetration testing at least every three years.
- ICT-related incident management and reporting: Financial entities must have in place a comprehensive framework for detecting, classifying and reporting ICT-related incidents in line with prescribed timescales.
- ICT third-party risk management: Financial entities must ensure that all contracts with third-party ICT service providers, both intra-group and external, include mandatory contract provisions, covering, among other areas, service locations, data and confidentiality, business continuity, reporting of ICT-related incidents and compliance with appropriate ICT security standards. More prescriptive requirements apply for ICT service providers that support critical or important functions. Firms must also maintain a register of all third-party ICT service arrangements and adopt a policy addressing compliance with the third-party risk management requirements.
Key considerations for contract remediation
Designing a suitable and efficient path to contract remediation can be a daunting task, especially where financial entities have many contracts in place with technology vendors. To achieve this, and based on our experience, the contract remediation project should be organized methodically into phases and take account of the following key considerations:
- Identify ICT service types (and their criticality or importance) and in-scope EU territories. It may help to segment contracts into those that are brief, standard-form technology contracts and other, more complex outsourcing contracts.
- Preparing a contract addendum that is then adapted for individual contracts may be the most efficient method of remediation, and firms can leverage any addenda previously used for compliance with mandatory contract terms for regulated outsourcings. The addendum could take a modular form that enables jurisdiction-specific issues to be added or removed, e.g. to address nuances around incident reporting and also to adapt remediation for each contract based upon the outcome of diligence.
- The mandatory contract terms under Dora may be divided into ‘legal’ terms (e.g. audit provisions, termination rights) and ‘business’ terms (e.g. service definitions). For the latter, a bespoke remediation process may need to be agreed and documented with the applicable business subject-matter experts (SMEs), to be completed before 17 January 2025 or as soon as possible thereafter.
Final thoughts
Asset managers have just months to reach a status that complies with Dora in a way that is proportionate to their size and business profile. It is now more critical than ever to understand how ICT solutions and services are integrated into fund operations, in order to address the evolving challenges of ensuring operational resilience and compliance with Dora. Our experience is that this is currently an area in flux, and negotiations in respect of remediation can be challenging. A key factor behind these challenges is that vendors and customers are each seeking to apply their own Dora-compliant terms uniformly across their agreements. The remediation process is still relatively immature, and an industry-wide view of appropriate, compliant contract positions will continue to evolve.
By Mike Pierides and James Mulligan, with contributions from Steven Lightstone and William Yonge, solicitors in the London office of Philadelphia-based law firm Morgan Lewis