The Digital Operational Resilience Act, adopted by the European Union in December 2021, requires full implementation by January 17, 2025. Developed in response to rising digital risks and the increasing dependence on technology within the financial sector, DORA aims to harmonize EU regulations on ICT risk management, incident reporting, resilience testing, and third-party risk management. This regulatory framework is designed to ensure that financial institutions can effectively manage and mitigate cyber threats, maintain continuity of critical operations, and protect the integrity of the financial system. In this article, we will discuss the principles of proportionality and due diligence, key components of DORA that guide financial entities in implementing these regulations according to the scale and complexity of their operations.
Assessing ICT-Related Dependencies
DORA introduces the principle of proportionality, a key concept that Compliance Officers must consider during the initial due diligence process. This principle mandates that the assessment of ICT-related dependencies should be proportionate to the nature, scale, complexity, and importance of these dependencies to the AIFM’s operations. It ensures that the measures taken are appropriate to the level of risk posed by the ICT services in question.
Compliance Officers should evaluate the significance of ICT services to the AIFM’s operations. This evaluation includes understanding the role of these services in supporting critical or important functions and their impact on the entity’s overall operational resilience. The assessment should cover various dimensions, including the nature of services, scale of dependencies, complexity of arrangements, and the importance of functions. Understanding the specific ICT services provided and their relevance to the AIFM’s business processes is essential. Evaluating the extent to which the AIFM relies on these services and the potential impact of service disruptions is critical for assessing operational resilience. Analyzing the complexity of the contractual and operational arrangements with ICT service providers helps identify potential risks and areas that need careful management. Additionally, determining whether the services support functions that are critical or important to the AIFM’s ability to operate effectively is vital for ensuring the entity’s stability.
When dealing with ICT service providers in third countries, Compliance Officers must ensure compliance with EU data protection laws. This involves evaluating the effectiveness of data protection measures implemented by the provider and the robustness of law enforcement in the provider’s country. Ensuring compliance with data protection regulations is crucial for safeguarding sensitive information and maintaining regulatory compliance. By thoroughly assessing these factors, Compliance Officers can ensure that ICT services are effectively integrated into the AIFM’s operations while maintaining high standards of security and resilience.
Evaluating Substitutability and Dependency Risks
AIFMs must identify and assess the risks associated with ICT services that support critical or important functions, as outlined in Article 28(4), point (c) of DORA. This assessment should evaluate the risk of contracting with ICT third-party service providers who are not easily substitutable, as high dependency on a single provider can create vulnerabilities that are challenging to mitigate in the event of service disruption. Additionally, AIFMs should analyze the practice of having multiple contractual arrangements for critical ICT services with the same or closely connected providers, as this scenario could lead to a concentration of risk, which requires careful management to avoid potential disruptions.
Balancing Benefits and Costs
AIFMs must balance the benefits and costs of alternative solutions, such as engaging with different ICT service providers, to ensure alignment with the entity’s digital resilience strategy and suitability for meeting specific business needs and objectives. Factors to consider include weighing the financial costs of engaging with alternative providers against the potential risks and benefits, considering the impact on operational efficiency and continuity when switching or diversifying service providers, and evaluating how alternative solutions contribute to mitigating risks and enhancing operational resilience. The principle of proportionality ensures that the measures taken are aligned with the AIFM’s digital resilience strategy. Compliance Officers should ensure that this strategy is comprehensive, addressing all aspects of ICT risk management and operational resilience. This includes developing a robust framework for identifying, assessing, and managing ICT risks, conducting regular reviews of the digital resilience strategy to ensure it remains relevant and effective in the face of evolving risks, and engaging with key stakeholders, including senior management and the board of directors, to ensure alignment and support for the strategy.
Identifying and Mitigating Concentration Risks
One critical aspect of the proportionality principle is the identification and mitigation of concentration risks. AIFMs must be vigilant about the potential risks that arise from relying heavily on a single or a few closely connected ICT service providers, as concentration risks can significantly impact operational resilience, especially if the service provider faces disruptions.
To mitigate concentration risks, AIFMs should engage with multiple ICT service providers to spread the risk and avoid over-reliance on a single provider. This strategy ensures that if one provider fails, the AIFM can continue operations with minimal disruption. Developing and maintaining robust contingency plans is also essential. These plans should outline alternative arrangements in the event of service provider failures, including predefined actions and protocols to switch to backup providers or internal resources. Regular testing of these contingency plans is crucial to ensure their effectiveness and swift execution in case of a disruption. Testing helps identify potential weaknesses and areas for improvement. Additionally, AIFMs should include specific contractual safeguards that address concentration risks, such as clauses that mandate the provider to have its own contingency plans and the ability to provide timely support during disruptions.
By adhering to the principle of proportionality and conducting thorough due diligence, Compliance Officers can ensure that AIFMs effectively manage ICT-related dependencies and enhance their operational resilience. This approach not only ensures compliance with DORA but also strengthens the overall digital resilience of the organization, safeguarding against potential disruptions and maintaining the continuity of critical functions. Developing a robust framework for identifying, assessing, and managing ICT risks, conducting regular reviews of the digital resilience strategy to ensure it remains relevant and effective in the face of evolving risks, and engaging with key stakeholders, including senior management and the board of directors, are essential elements of this strategy.
In conclusion, the principles of proportionality and due diligence under DORA are essential for effective ICT third-party risk management. Compliance Officers will dedicate a considerable amount of time to assessing the nature, scale, complexity, and importance of ICT-related dependencies, ensuring compliance with data protection laws, evaluating substitutability and dependency risks, and balancing the benefits and costs of alternative solutions. This holistic strategy not only ensures regulatory compliance but also contributes to the long-term stability and security of the financial sector in Luxembourg.
If you have read this far, you probably enjoyed this article. I personally thank you and invite you to subscribe to the newsletter. Also, feel free to get in contact and suggest any particular topic for the next release.
The views and opinions expressed in this article are my own and do not reflect the official policy, position, or opinions of any financial institution, or other organization.
The content of this article is based on the author’s personal research and understanding of AML (Anti-Money Laundering) and compliance topics.
I’m Diego Ofano, a Compliance and Anti-Money Laundering expert. I work as the RC/MLRO and Compliance Officer for a Financial Institution in Luxembourg, handling regulatory compliance for EU-domiciled funds and managing AML processes, due diligence, and training.
I also serve on the board of LëtzBlock – Luxembourg Blockchain & DLT Association, helping promote blockchain technology in finance. I hold a Law Degree from the University of Bologna, a Master in European Business from ESCP, and certifications like CAMS, keeping me current in compliance and technology.
One thought on “DORA explained: Principles of Proportionality and Due Diligence process (Part 1)”