The Digital Operational Resilience Act (DORA), coming into force in January 2025, marks a transformative step for financial entities within the European Union, including UCITS management companies.
As the financial industry becomes increasingly digitised, the need to safeguard operations against technological disruptions has never been more critical.
From a risk perspective, DORA presents both challenges and opportunities for strengthening resilience in a dynamic regulatory landscape.
The scope of DORA
DORA establishes a comprehensive framework to ensure that financial institutions can withstand, respond to and recover from ICT (information and communication technology) disruptions. It applies to a wide range of entities, including UCITS funds, management companies and their critical third-party ICT service providers.
The regulation introduces requirements for:
1. ICT risk management: Proactively identifying, assessing and mitigating ICT risks.
2. Operational resilience testing: Conducting regular penetration tests and disaster recovery simulations.
3. Incident reporting: Establishing a standardised process for reporting major ICT-related incidents.
4. Third-party risk management: Ensuring robust oversight and risk assessments of outsourced ICT services.
Key risk considerations for UCITS managers
From a risk manager’s perspective, DORA raises several critical considerations:
Enhanced third-party risk management
The interconnected nature of financial services means that third-party service providers are often critical to operations. DORA mandates a rigorous oversight process to ensure providers meet operational resilience standards. This involves more than initial due diligence alone: it requires continuous monitoring and the inclusion of contractual clauses that enable transparency and accountability.
As the saying goes, “A chain is only as strong as its weakest link”. In the context of DORA, a single point of failure within an ICT supply chain can undermine an entire operation.
Operational resilience testing
Regular and robust testing is a cornerstone of DORA. UCITS managers must implement advanced stress-testing techniques to simulate scenarios such as cyberattacks, system outages or data breaches. These tests will expose vulnerabilities, enabling pre-emptive measures.
Data governance and incident reporting
The regulation requires firms to report significant ICT-related incidents to the national competent authority within strict timelines. This necessitates the development of detailed incident response plans, backed by training and system enhancements to ensure compliance.
Cybersecurity preparedness
With an increasing threat landscape, DORA reinforces the importance of cybersecurity. Risk managers must collaborate with IT teams to ensure that robust cybersecurity frameworks are in place, incorporating threat intelligence, intrusion detection and employee training.
The opportunity side of DORA
While the compliance requirements may seem daunting, DORA offers an opportunity for UCITS managers to enhance their overall operational efficiency and investor trust. By adopting a proactive approach to ICT risk management, firms can position themselves as leaders in resilience, gaining a competitive edge.
A timely reminder
Risk management is about enhancing control over outcomes we can influence and limiting the impact of those we cannot. DORA encapsulates this by emphasising preparation and control in the face of uncertainty.
By now, financial entities within the scope of DORA should have conducted a readiness assessment to identify gaps in their ICT risk management framework.
Establishing a cross-functional task force, including IT, compliance and risk management teams, is crucial for overseeing DORA implementation.
Engagement with ICT service providers is also necessary to ensure compliance and alignment with DORA requirements.
It is essential to develop a culture of resilience by incorporating DORA principles into governance, training and day-to-day operations, not only because it is mandated by regulation but because we truly believe in the benefits a robust ICT framework will bring to the entity’s overall governance.
Conclusion
DORA is more than a regulatory requirement; it is a wake-up call for financial institutions to embrace digital resilience as a strategic priority. For UCITS managers in Malta, the countdown to January 2025 should be seen as an opportunity not only to comply but to thrive in an increasingly digital and interconnected financial landscape. Are you ready for the DORA era?
Reana Micallef is the lead risk manager at BOV Asset Management Ltd.
The author and the company have obtained the information contained in this article from sources they believe to be reliable, but they have not independently verified the information contained herein and therefore its accuracy cannot be guaranteed. The author and the company make no guarantees, representations, or warranties, and accept no responsibility or liability as to the accuracy or completeness of the information contained in this article. The author and the company have no obligation to update, modify or amend the article, or to otherwise notify readers thereof if any matter stated therein, or any opinion, projection, forecast, or estimate set for the herein changes or subsequently becomes inaccurate. The value of investments may go down as well as up. If one invests in a product, they may potentially lose some or all of the money they invest. BOV Asset Management Ltd is licensed to conduct investment services in Malta under the Investment Services Act by the Malta Financial Services Authority.