The creation of the Digital Operational Resilience Act (DORA) was largely driven by the increase in digital risks and the growing reliance on technology within the financial sector. The global Covid-19 pandemic further accelerated this evolution, pushing financial institutions towards rapid digitalization and exposing them to a variety of new vulnerabilities and cyber risks. In response to growing cyber threats and reliance on digital tools, the European Commission proposed DORA to harmonize EU rules on ICT risk management, incident reporting, resilience testing, and third-party risk management.
This article analyses the future impact of this regulatory development for Alternative Investment Fund Managers (AIFMs) in Luxembourg, the controls that will be needed, and the challenges that AIFMs and compliance officers are likely to face. The regulation requires AIFMs to evaluate and manage the digital operational risks associated with their own activities and with those of their service providers and delegates.
AIFMs in Luxembourg often outsource ICT services to third-party providers, which adds complexity to their compliance with DORA. In line with the delegation principle set out in CSSF Circular 18/698 and in DORA, the AIFM remains fully responsible for ensuring that these delegated external entities comply with DORA, particularly for ICT services that support a “critical or important function.” This requires enhanced due diligence at the initial, periodic, and ongoing monitoring stages, in which the AIFM assesses and continually monitors the third party’s systems for compliance, given that the AIFM remains ultimately responsible for any decisions or actions taken by its delegates, the same principle discussed in the previous article on the AI Act. Additionally, intra-group providers of services, i.e. entities within a financial group providing ICT services, are also considered third-party service providers under DORA.
The first assessment of a Compliance Officer within an AIFM should focus on the nature of the contractual arrangements pertaining to the use of Information and Communication Technology services. This involves an evaluation to determine whether these arrangements cover ICT services that support a “critical or important function.” According to DORA’s regulatory definitions, a “critical or important function” is one whose disruption would materially impair the financial performance, the soundness, or the continuity of the entity’s services and activities. Additionally, if such a function is discontinued, defective, or fails, it would significantly impair the entity’s ability to comply with the conditions and obligations of its authorization, or with other relevant financial services laws. The Compliance Officer must ensure that every contractual arrangement takes these factors into account, which requires evaluating the risks associated with the use of ICT services provided by third parties.
Ensuring that contracts with third-party ICT service providers include specific termination clauses for defined situations is a control that a Compliance Officer at an AIFM should implement. The conditions warranting termination include significant breaches by the service provider, such as violations of applicable laws, regulations, or agreed contractual terms. Additionally, any changes in risk profile or performance issues identified during ongoing monitoring that could impact the delivery of critical functions must be grounds for termination. This includes material changes affecting the arrangement or the service provider’s situation. Another key aspect is the service provider’s weaknesses in managing ICT risks, especially concerning data security, including the availability, authenticity, integrity, and confidentiality of sensitive and non-sensitive data. Lastly, the ability of the competent authority to effectively supervise the financial entity must not be compromised by the contractual arrangement. The Compliance Officer must ensure that these termination clauses are in place and effectively monitored.
DORA introduces the principle of proportionality, which a Compliance Officer should apply during the initial due diligence, taking into account the nature, the scale, the complexity, and the importance of ICT-related dependencies. In short, the Compliance Officer should assess how significant the ICT services are to the AIFM’s operations. Additionally, when dealing with providers in third countries, compliance with EU data protection laws and the effectiveness of law enforcement in those countries must be considered.
When AIFMs engage in the identification and assessment of risks for ICT services supporting critical or important functions, as stipulated in Article 28(4), point (c), they must consider specific factors that could impact their operational resilience. This includes evaluating the risk of contracting with ICT third-party service providers who are not easily substitutable, potentially creating a dependency that could be challenging to mitigate in the event of service disruption. Additionally, the practice of having multiple contractual arrangements for critical ICT services with the same or closely connected providers should be analyzed. This scenario could lead to a concentration of risk, a situation that necessitates careful management. AIFMs must also balance the benefits and costs of alternative solutions, such as engaging with different ICT service providers. This decision should align with the entity’s digital resilience strategy, taking into account the suitability of these solutions in meeting their specific business needs and objectives.
AIFMs are required to implement due diligence and oversight mechanisms for their delegates and service providers. This involves an assessment of ICT risks, ensuring that delegates and service providers adhere to DORA’s stringent operational resilience standards. The due diligence consists of an initial assessment before entering into the business relationship, followed by ongoing monitoring. This is crucial to identify, manage, and mitigate potential ICT risks. DORA’s framework requires AIFMs to maintain a robust approach to evaluating the capabilities and compliance of their delegates, particularly with respect to their ICT infrastructures and cybersecurity measures.
Ongoing monitoring under DORA requires AIFMs to continuously oversee their delegates and service providers. This includes regular assessments of ICT risk management practices, ensuring that operational resilience is maintained. Ongoing monitoring ensures that any deviations from DORA’s compliance standards are promptly identified and rectified. This proactive approach to risk management is vital for AIFMs to effectively manage and mitigate the potential impacts of ICT-related disruptions.
Under the Digital Operational Resilience Act (DORA), AIFMs are required to maintain a register of all contractual arrangements pertaining to the use of ICT services provided by third-party service providers. This register is needed by supervisory authorities to monitor and ensure compliance with DORA. AIFMs will be obliged to report annually to the competent authorities, detailing the number of new arrangements involving the use of ICT services. The register should contain a detailed record of contractual engagements, supporting a strategic approach to monitoring ICT third-party risks, enhancing supervisory awareness of these dependencies, and giving the authority the essential information it needs to build a broader understanding of the ICT dependencies of financial entities.
Under DORA, the strategy for managing ICT third-party risk must include a policy specifically for the use of ICT services that support critical or important functions. The management body is responsible for regularly reviewing and assessing the overall risk profile of the entity and the scale and complexity of its business services. This includes an evaluation of the risks associated with contractual arrangements for ICT services that are critical or important to the entity’s functions.
Where We Stand Today:
As of January 2024, the current status of the Digital Operational Resilience Act (DORA) in Luxembourg, particularly for Alternative Investment Fund Managers (AIFMs), is moving towards compliance with the newly established regulatory framework. The European Supervisory Authorities (EBA, EIOPA, and ESMA) have released the first set of final drafts of technical standards under DORA on 17 January 2024. These drafts have been sent to the European Commission for review and are expected to be adopted in the coming months. AIFMs and other financial entities are advised to begin or update their gap assessments based on this final draft set, as the requirements under these standards are expected to be fully met by 17 January 2025.
Additionally, the Commission de Surveillance du Secteur Financier (CSSF) published Circular 24/847 on 5 January 2024. This circular focuses on the Information and Communication Technology (ICT)-related incident reporting framework. It will take effect on 1 April 2024 for most supervised entities, but for Investment Fund Management Companies, including AIFMs, it will become applicable on 1 June 2024. The circular expands the range of ICT incidents that must be reported and introduces a three-stage notification process for these incidents, aligning with the future DORA reporting requirements.
If you have read this far, it means that you potentially enjoyed this article. I personally thank you and I invite you to subscribe to the newsletter. Also, feel free to get in contact and suggest any particular topic for the next release.
The views and opinions expressed in this article are my own and do not reflect the official policy, position, or opinions of any financial institution, or other organization.
The content of this article is based on the author’s personal research and understanding of AML (Anti-Money Laundering) and compliance topics.
I am Diego Ofano, a Compliance and Anti-Money Laundering professional based in Luxembourg. I serve as Conducting Officer and RC/MLRO for a financial institution, overseeing regulatory compliance for EU-domiciled funds. My responsibilities include AML/CFT frameworks, due diligence, regulatory advisory, and training. I regularly deal with complex regulatory and operational matters, with a focus on pragmatic and risk-based solutions in the investment funds industry.
I hold a Law Degree from the University of Bologna, a Master in European Business from ESCP, and certifications like CAMS, keeping me current in compliance and technology.