22/11/24

DORA's Balance: Smart Compliance for Investment Firms, Asset Managers and their Funds

The Digital Operational Resilience Act (DORA) is enforceable from 17 January 2025. It introduces new legal obligations for EU financial entities to manage their digital operational risks, including identifying critical functions, mapping IT landscapes, formalising incident management plans, testing resilience, and managing third-party risks. Firms in violation of DORA may face fines of up to 2% of their total annual worldwide turnover or, for individuals, a maximum fine of EUR 1 million.

DORA's extensive scope can seem daunting, with significant changes needed for compliance, especially with enforcement only a few months away. Our view is that the response to DORA can be targeted, and that defensible compliance is achievable before enforcement commences. The imperative is to act now.

The Proportionality Principle

At DORA's core lies the proportionality principle, a powerful tool for rightsizing compliance efforts. This principle, explicitly stated in the act, recognises that one size doesn't fit all in financial regulation. It allows for a tailored approach, considering an entity's size, risk profile, and operational complexity.

Existing Alignment with DORA

Many Investment Firms, Asset Managers and their Funds have begun their response to DORA and are already well positioned in some domains, whether by design, prudence, or luck.

They often already have some IT security and incident management structures in place, including disaster recovery planning, penetration testing and vulnerability assessments. While DORA formalises these practices, the underlying processes, behaviours, and activities frequently exist already.

Furthermore, the AIFM Directive, GDPR, and other regulations have already pushed firms to implement controls that align with some of DORA's objectives, such as vendor due diligence. These can be quickly expanded to meet DORA's third-party risk management requirements.

Pragmatic Path Forward

Building on our work with clients across Europe, we see that a proportionate and minimally defensible DORA approach is desirable, and achievable, for Investment Firms, Asset Managers and their Funds.

Acting now gives Investment Firms, Asset Managers and their Funds the opportunity to deliver the necessary change and formalisation that serves as the basis for defensible DORA compliance before the deadline. Compliance is essential, but an excessive DORA response can introduce needless complexity, operational pain and excessive cost, and can paradoxically delay compliance and increase risk.

To meet the requirements, some uplifts will be legal (e.g., contracts, risk tolerance, and scope), whereas others will be operational (e.g., policy, procedure, and risk and resilience). This involves focusing on critical functions, leveraging existing controls and processes, and drawing on technology vendors' DORA-ready solutions. DORA requires a systematic approach and targeted uplifts, but it does not typically demand wholesale process or system transformation.