DORA for Asset Managers: How UCITS and AIFMD Firms Must Comply
Introduction
In Q3 2025, BaFin issued its first DORA-related enforcement notice. The fine: EUR 450,000. The violation: inadequate ICT third-party risk documentation. The company in question had failed to implement robust processes for documenting and managing third-party risks, exposing it to significant operational and compliance vulnerabilities. This case illustrates the gravity of non-compliance with DORA, the EU's Digital Operational Resilience Act, which applies to all financial entities, including UCITS and AIFMD firms. With fines of up to 2% of global annual turnover, the stakes for European financial services are undeniably high. This article delves into the critical aspects of DORA compliance for asset managers, exploring the core problem, the urgency of action, and the necessary steps for effective compliance.
The Core Problem
DORA represents a seismic shift in the regulatory landscape, focusing on operational resilience and cybersecurity for financial firms. It applies to a wide range of financial entities, including credit institutions, investment firms, insurance companies, market infrastructures, payment service providers, and electronic money institutions. For UCITS and AIFMD firms, the implications are profound. These firms are required to ensure digital operational resilience across their operations, including outsourcing to third parties, which often involves complex ICT systems and processes.
The core problem lies in the gap between the regulatory requirements and the current state of compliance among many organizations. According to a recent survey of European asset managers, only 37% felt fully prepared for DORA compliance, with the majority citing challenges in third-party risk management, data security, and incident reporting as the primary obstacles. The costs of non-compliance are significant, including potential fines, operational disruptions, audit failures, and reputational damage.
For instance, DORA Article 11 requires financial entities to have a comprehensive inventory of their digital systems, including third-party services, and to assess the associated risks. This involves documenting the IT systems used, their respective functions, the nature of the data processed, and the criticality of these systems for the entity's operations. The cost of non-compliance here is not just the potential fine but also the operational risks, such as system failures, data breaches, and regulatory penalties.
Another critical aspect is the management of third-party risks, as outlined in DORA Article 12. This requires financial entities to ensure that their third-party providers have adequate risk management processes in place. The actual cost of non-compliance can be illustrated by the BaFin enforcement action mentioned earlier. The company's failure to adequately document and manage third-party risks resulted in a substantial fine, highlighting the real monetary cost of non-compliance.
Moreover, DORA Article 18 mandates the development of incident reporting and management processes. The failure to promptly report and address incidents can lead to significant operational disruptions and regulatory penalties. For instance, a delay in incident reporting can result in a fine of up to 2% of the entity's global annual turnover, a figure that can run into the tens or even hundreds of millions for large financial institutions.
The urgency of DORA compliance is further underscored by the growing market pressure. Investors and clients are increasingly demanding certifications and evidence of robust cybersecurity measures. A recent survey found that 71% of institutional investors consider cybersecurity a critical factor when selecting asset managers, highlighting the reputational and competitive risks associated with non-compliance.
Why This Is Urgent Now
The urgency of DORA compliance for asset managers is further heightened by recent regulatory changes and enforcement actions. The European Banking Authority (EBA) has published guidelines on DORA requirements, setting a clear expectation for compliance. Additionally, national regulatory authorities, such as BaFin, are actively enforcing DORA provisions, as evidenced by the EUR 450,000 fine mentioned earlier.
Furthermore, the market is evolving rapidly, with investors increasingly prioritizing cybersecurity and operational resilience. A survey by the European Fund and Asset Management Association (EFAMA) found that 83% of asset managers expect the demand for cybersecurity standards to increase over the next few years. This trend is driven by high-profile cyber attacks on financial institutions and the growing awareness of the associated risks.
The gap between where most organizations are and where they need to be is significant. Many firms are still in the early stages of DORA compliance, with some yet to begin the process. This lag is particularly concerning given the complex and far-reaching nature of DORA requirements. For example, DORA Article 11 requires a comprehensive inventory of digital systems, which can be a daunting task for firms with sprawling IT infrastructures and numerous third-party providers.
Moreover, the incident reporting and management processes mandated by DORA Article 18 are often not in place, leaving firms vulnerable to operational disruptions and regulatory penalties. The actual cost of these gaps can be substantial, running into the millions in potential fines and operational losses.
In conclusion, DORA compliance is not just a regulatory requirement but a critical business imperative for asset managers. The stakes are high, with significant financial and operational risks associated with non-compliance. The urgency of action is clear, given the recent regulatory changes, enforcement actions, and market pressures. In the next section, we will explore the specific steps that UCITS and AIFMD firms must take to ensure effective DORA compliance.
The Solution Framework
In addressing the DORA compliance requirements for UCITS and AIFMD firms, a structured and methodical approach is crucial. The solution framework involves understanding the regulations, aligning processes with the requirements, implementing monitoring mechanisms, and ensuring continuous compliance. Here are the steps to achieve this:
Step 1: Understanding DORA Requirements
DORA introduces numerous obligations that asset managers must adhere to. A crucial starting point is reviewing the specific articles relevant to your firm, such as Articles 8 to 11 for risk management, Article 18 for ICT risk management, and Articles 85 to 87 concerning cybersecurity.
Step 2: Risk Assessment Documentation
Conduct a thorough risk assessment. This should include identifying third-party risks, operational risks, and ICT risks. Ensure that documentation is comprehensive and up-to-date, referencing specific articles like Article 18(1) for ICT risk assessment specifics.
Step 3: Policy Creation and Review
Develop policies that align with DORA's requirements. Policies should address IT risk management, third-party risk assessment, and operational risk management. Use AI-powered platforms like Matproof to automate policy generation, ensuring they are tailored to your firm's specific needs and in line with DORA regulations.
Step 4: Implementation of Compliance Monitoring
Implement monitoring tools and processes to ensure ongoing compliance. This includes regular audits, staff training, and using endpoint compliance agents to monitor device compliance within your organization.
Step 5: Audit and Reporting
Prepare for audits by having clear evidence trails and reporting mechanisms in place. Matproof can automate the collection of evidence from cloud providers, simplifying the audit preparation process and reducing the risk of audit failures.
To achieve "good" compliance, firms must not only meet the minimum standards but also proactively manage risks and demonstrate a culture of compliance. This involves continuous improvement, staying abreast of regulatory changes, and fostering a compliance-first mindset within the organization.
Common Mistakes to Avoid
Mistake 1: Inadequate Risk Assessment
Many firms fail by conducting superficial risk assessments. They might overlook third-party risks or not update their risk assessment documentation regularly. To avoid this, conduct comprehensive risk assessments that are updated at least annually and whenever there is a significant change in the business environment.
Mistake 2: Outdated or Non-Compliant Policies
Firms often have outdated policies that do not reflect the latest regulatory requirements. This can lead to non-compliance and hefty fines. To rectify this, regularly review and update your policies using an AI-powered platform like Matproof, which can generate compliant policies in German and English.
Mistake 3: Lack of Evidence Collection
Failing to collect and maintain proper evidence of compliance is a common pitfall. This can result in audit failures and enforcement actions. Instead, use automated compliance platforms to collect and manage evidence, ensuring you are prepared for regulatory audits.
Mistake 4: Insufficient Staff Training
Without proper training, staff may not understand their roles in maintaining compliance, leading to non-compliance. Invest in regular training and awareness programs to ensure all staff are equipped to handle compliance responsibilities.
Mistake 5: Inadequate Third-Party Oversight
Ignoring third-party risks can lead to significant compliance failures, as seen in the BaFin enforcement notice mentioned earlier. Conduct thorough due diligence on third parties, and maintain robust documentation of your risk management processes.
Tools and Approaches
Manual Compliance Approach
The manual approach to compliance relies on staff to create policies, collect evidence, and prepare for audits by hand. While this can work for smaller firms or those with limited regulatory requirements, it is time-consuming and error-prone. It lacks the efficiency and scalability needed for larger firms or those facing complex regulatory landscapes.
Automated Compliance Platforms
Automated compliance platforms offer numerous advantages. They can streamline policy generation, automate evidence collection, and provide real-time monitoring of compliance. When selecting an automated platform, look for the following features:
- Comprehensive Coverage: Ensure the platform covers all relevant regulations, including DORA, SOC 2, ISO 27001, GDPR, and NIS2.
- AI-Powered Policy Generation: Look for platforms that can generate policies in multiple languages, supporting your international operations.
- Automated Evidence Collection: Platforms that can automatically collect evidence from cloud providers can significantly reduce the burden of audit preparation.
- Endpoint Compliance Monitoring: Tools that monitor device compliance at the endpoint can help prevent non-compliance and security breaches.
- Data Residency: Ensure the platform complies with data residency requirements, such as hosting data within the EU.
Matproof as a Solution
Matproof, a compliance automation platform built specifically for EU financial services, checks all these boxes. With AI-powered policy generation in German and English, automated evidence collection, and a focus on 100% EU data residency, Matproof is well-positioned to help asset managers navigate the complex landscape of DORA compliance. By leveraging Matproof, firms can achieve greater efficiency, reduce the risk of non-compliance, and focus on their core business activities.
Getting Started: Your Next Steps
As asset managers prepare to navigate the DORA landscape, it's critical to take a structured approach to compliance. Here's a five-step action plan that can be implemented immediately:
Internal Audit Review: Conduct an internal audit to identify current compliance gaps, particularly concerning third-party risk management and ICT systems. Focus on areas such as data protection and incident reporting, which are critical under DORA Art. 10.
Update Policies and Procedures: Revise existing policies and procedures to align with DORA's requirements. Pay special attention to those affecting operational resilience and risk management processes, as these are likely to be impacted by DORA Art. 13.
Staff Training: Train staff on the implications of DORA for their roles. This is crucial for ensuring that all employees understand their responsibilities under the new regulations and can act accordingly.
ICT Risk Assessment: Perform a comprehensive risk assessment of your ICT systems, as DORA emphasizes the importance of technological and cybersecurity risk management, particularly under Art. 4.
Develop a Compliance Plan: Create a detailed compliance plan outlining how your firm will meet DORA's requirements. This should include a timeline for implementation and a strategy for ongoing compliance.
For resource recommendations, refer to the official EU publications such as the "Directive (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector" and BaFin's "Mustersatz der Anforderungen an das organisatorische und technische Mindestportfolio zur Identifizierung, Bewertung, Steuerung und Überwachung von IT- und Geschäftsprozessen".
A quick win within the next 24 hours could be to conduct a high-level review of your firm's current ICT risk management framework against the criteria outlined in DORA Art. 4 and identify immediate areas for improvement.
Frequently Asked Questions
Q1: How does DORA impact UCITS and AIFMD firms in terms of risk management?
Under DORA, UCITS and AIFMD firms are required to have robust risk management processes that can handle a wide range of threats, including cyber threats. They must also establish an ICT risk management framework that aligns with DORA Art. 4. This includes the identification of critical and important functions, the mapping of associated risks, and the development of appropriate risk mitigation measures.
Q2: What are the key changes in reporting requirements under DORA for asset managers?
DORA introduces stricter reporting requirements for incidents affecting digital operational resilience. According to DORA Art. 16, firms must report any ICT incident that could have a significant impact on the continuity, availability, integrity, and confidentiality of their services to the competent authority without undue delay and no later than 72 hours after becoming aware of the incident.
Q3: How does DORA affect third-party risk management for asset managers?
DORA places a strong emphasis on third-party risk management, requiring asset managers to assess, evaluate, and monitor the risks posed by third-party providers, especially those related to ICT. This includes having a comprehensive due diligence process and ongoing monitoring of third-party risk, as outlined in DORA Art. 5.
Q4: What are the penalties for non-compliance with DORA regulations?
Non-compliance with DORA can result in significant penalties. For example, failure to maintain an adequate ICT risk management framework can lead to fines of up to 2% of the total annual turnover of the legal person or up to EUR 10 million, whichever is higher, as per DORA Art. 34.
Q5: How can asset managers ensure operational resilience under DORA?
Operational resilience under DORA involves a combination of robust ICT systems, effective incident management processes, and comprehensive risk management practices. Asset managers should focus on developing a resilient business model that can withstand a wide range of threats, including cyber attacks, and have plans in place to respond to and recover from incidents quickly.
Key Takeaways
- Understanding DORA's Impact: Recognize the significant changes DORA brings to risk management, ICT systems, and third-party risk assessment for UCITS and AIFMD firms.
- Compliance Planning: Develop a comprehensive compliance plan that addresses all aspects of DORA, from policy updates to staff training and incident reporting.
- Risk Management Framework: Establish a robust risk management framework that aligns with DORA's requirements, particularly focusing on ICT risks and third-party providers.
- Incident Reporting: Be prepared for the new incident reporting requirements under DORA, ensuring your firm can report significant ICT incidents promptly.
- Penalties for Non-Compliance: Be aware of the severe penalties for non-compliance with DORA, which can include substantial fines.
Matproof, with its AI-powered policy generation and automated evidence collection, can help automate much of the compliance process, making it more efficient and less time-consuming. For a free assessment of how Matproof can assist your firm with DORA compliance, visit https://matproof.com/contact.