What does DORA mean for European Asset Managers

Jun 27, 2024

While Consumer Duty was a major focus for asset managers in 2024, a new regulation specifically impacting EU-based firms and those with financial ties to EU companies is set to be enforced in January 2025

DORA (Digital Operational Resilience Act) brings significant changes for European Asset Managers. And while the act still needs to be finalised, which is taking place on the 17th July 2024, Asset Managers are currently within scope of the regulation.

Here's a breakdown of the key implications:

Increased Focus on ICT Risk Management:

  • DORA mandates a robust Information and Communication Technology (ICT) risk management framework. Asset managers need to assess and mitigate vulnerabilities in their IT systems, data security, and communication processes.

 Enhanced Resilience Testing:

  • The regulation requires regular testing of critical business functions to ensure they can withstand disruptions caused by cyberattacks, technological failures, or other incidents. This includes testing incident response plans and recovery procedures.

Third-Party Risk Management:

  • DORA emphasises managing risks associated with third-party service providers. Asset managers must evaluate the resilience of their vendors and ensure they have robust cybersecurity practices in place.

Reporting and Oversight:

  • DORA introduces new reporting requirements for asset managers. They will need to report significant ICT incidents to regulators and demonstrate compliance with the regulation's provisions.

Management Body Involvement:

  • The regulation places greater responsibility on the management body of asset management firms. They need to actively oversee ICT risk management, incident response, and overall operational resilience.

Benefits for Asset Managers:

  • While DORA imposes new requirements, it can also benefit asset managers:


    • Improved cybersecurity posture protects client data and reduces the risk of financial losses.

    • Enhanced operational resilience safeguards business continuity and minimises disruption from incidents.

    • A strong compliance culture fosters trust with investors.

  • A robust vendor management system (VMS), linked to internal controls and processes, can significantly improve vendor risk identification, streamline administrative tasks, and help to mitigate uncertainty in the vendor management process.

Challenges and Considerations:

  • Implementing DORA compliance can be complex and resource-intensive, especially for smaller firms.

 There are a lot of great open source resources making their way to the market to assist with compliance such as CISO Assistant

  • Asset managers need to invest in technology, personnel, and processes to meet the new requirements.

When it comes to Vendor Management – Built for seamless integration with SharePoint and Azure, Vendifi empowers asset managers using Office 365 to centralise vendor information, streamline document management, and ensure perpetual access to all vendor communication – all within their familiar environment.

  • Staying updated on evolving regulations and best practices is crucial for ongoing compliance.

Overall, DORA represents a significant shift for European Asset Managers. By taking a proactive approach to compliance, firms can ensure a robust and resilient IT infrastructure, ultimately protecting their business and their clients' investments.