Navigating DORA: key February 2025 updates for fund service providers

The Central Bank of Ireland (CBI) and joint European Supervisory Authorities (ESA) have recently issued clarifications on DORA which will be of interest to fund service providers.

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and is applicable since 17 January 2025. It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms, ensuring that the financial sector in Europe stays resilient in the event of a severe operational disruption.

Now that DORA is fully effective, it is vital that financial entities in Europe are aware of their DORA obligations and that they take all necessary steps to close any compliance gaps. To assist financial entities in  understanding whether they are in scope for DORA and what obligations they might have, the Central Bank of Ireland and the ESAs (i.e., EIOPA, ESMA and EBA) have issued separate FAQs / Q&As on aspects and interpretations of DORA. 

The Central Bank of Ireland's updated DORA FAQ

On 17 December 2024, the CBI updated its DORA FAQ page to provide additional information that assist interpretation of certain sections of DORA. Of particular relevance to fund service providers is the question of "What entities are in scope of DORA?". The CBI has outlined what might bring a financial entity in scope for DORA, which will benefit fund depositaries and administrators as there has been some uncertainty as to what, if any, DORA obligations might apply to these entities.

Nonetheless, although not forming part of any published guidance, the CBI is indicating that financial entities which are not directly in scope for DORA should still use DORA as best practice for ICT risk management, complemented by three CBI Cross Industry guidance documents on IT & Cyber security risk management, Operational Resilience and Outsourcing.

The full DORA FAQ of the CBI is available here and is updated from time to time so should be monitored by financial entities.

The ESAs Joint DORA Q&A Register

On 22 January 2025, the ESAs Joint Q&A Register on DORA was updated to provide additional clarity on certain relative aspects. Of particular interest to fund service providers is whether DORA-regulated "financial entities" could also be considered as ICT third party service providers. 

In summary, where services are provided as part of a regulated financial activity these should not be considered as ICT services under DORA. Therefore, it should be assessed whether:

1. the services constitute an ICT service under DORA
2. whether the providing financial entities and the financial services they provide are regulated under European Union law or any national legislation of a Member State or of a third country

Where the services are unrelated or independent to the regulated financial service, the services should be considered as ICT services for the purposes of DORA. 

Although there has been some uncertainty among fund service providers leading up to the DORA application date, this newfound clarity is beneficial. For Irish financial entities, it is worth noting that the CBI has already stated in its own DORA FAQs that it will align its approach with this interpretation so they can act accordingly.

The full register of Joint Q&As on DORA from the ESAs is available here and it is updated on an ongoing basis so should be monitored by financial entities.

Does DORA apply to non-EU AIFMs?

Unfortunately since it was not directly considered in the above updates from the CBI and the ESAs, there still remains uncertainty around the status of non-EU AIFMs managing EU AIFs with respect to DORA, in terms of whether or not it applies given the nexus to DORA for "financial entities" typically requires such entities to be subject to supervision by an EU regulator. With non-EU AIFMs managing EU AIFs there is no EU regulator directly responsible for prudential supervision of the AIFMs, which has lead to questions as to whether DORA should be applied to such entities at all. It is hoped that specific guidance will be provided by the ESAs/CBI on this particular question at some point but in the meantime each non-EU AIFM will have to obtain specific advice on the applicability of DORA to their own particular situation.

How Ogier can help

Ogier can assist you in navigating your DORA obligations and ensuring compliance. For personalised advice, please contact our team via their contact details below.

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice