DORA for Asset Managers and Investment Firms: Your Compliance Guide

If you manage investment funds or run an investment firm in the EU, DORA has added new compliance obligations to your already complex regulatory landscape. Unlike MiFID II or AIFMD, which focus on investor protection and fund governance, DORA targets something different: your operational resilience against ICT risks.

The challenge for asset managers isn't just understanding DORA—it's determining how it applies given the proportionality principle and whether you qualify for simplified requirements. This guide clarifies exactly what asset managers and investment firms need to know.

Which Asset Managers Are In Scope?

DORA applies to 20 types of financial entities. For the asset management sector, the following are explicitly included:

Fully In Scope

• MiFID investment firms — Any firm authorized under the Markets in Financial Instruments Directive providing investment services
• Alternative Investment Fund Managers (AIFMs) — Managers authorized under AIFMD, regardless of fund size
• UCITS management companies — Managers of UCITS funds under the UCITS Directive
• Managers of qualifying venture capital funds (EuVECA managers)
• Managers of qualifying social entrepreneurship funds (EuSEF managers)

Important Clarification

The funds themselves are typically not in scope—DORA applies to the manager, not the fund vehicle. A Luxembourg SICAV or Irish ICAV isn't directly subject to DORA, but the management company running it is.

Sub-Threshold AIFMs

There's a key exemption: AIFMs operating below the AIFMD thresholds (less than €100m assets under management, or less than €500m if no leverage and no redemption rights for 5 years) are exempt from DORA. However, if you're registered rather than fully authorized as an AIFM, check your local regulator's interpretation—some Member States require registration under national rules that may trigger DORA applicability.

The Proportionality Principle: Right-Sizing Your Compliance

DORA includes a powerful concept that asset managers must understand: proportionality. Article 4 states that requirements must be applied in a manner proportionate to:

• Your size and overall risk profile
• The nature, scale, and complexity of your services
• Your activities and operations

This isn't a vague principle—it has practical implications. A boutique investment firm with €50m AUM and 8 employees shouldn't implement the same ICT risk framework as BlackRock. Regulators recognize this.

What Proportionality Means in Practice

For Smaller Firms:

• Simpler governance structures (fewer committees, combined roles)
• Less frequent testing cycles for digital resilience
• Streamlined documentation requirements
• Focus on material ICT risks rather than exhaustive coverage

The Simplified ICT Risk Management Framework

DORA Article 16 introduces a genuinely lighter regime for certain entities. If you qualify, you can adopt a simplified ICT risk management framework instead of the full requirements under Articles 5-15.

Who Qualifies for the Simplified Framework?

1. Small and non-interconnected investment firms — Firms meeting the conditions in Article 12(1) of Regulation (EU) 2019/2033 (IFR)
2. Microenterprises — Firms with fewer than 10 employees and annual turnover/balance sheet under €2 million

What Does "Simplified" Actually Mean?

The simplified framework still requires you to identify and document ICT risks, maintain security of network and information systems, have incident detection and response capability, ensure business continuity, and manage ICT third-party risk. It just allows you to do so with proportionate complexity.

The Register of Information: Asset Manager Specifics

Regardless of whether you use the simplified framework, all asset managers must maintain the Register of Information documenting ICT third-party arrangements.

Typical ICT Services for Asset Managers

When building your register, consider all providers supporting your operations:

Core Systems

• Portfolio management systems (Bloomberg AIM, Charles River, Aladdin, SimCorp)
• Order management systems (OMS)
• Fund accounting and NAV calculation platforms
• Risk management systems

Market Data and Trading

• Market data providers (Bloomberg, Refinitiv)
• Trading platforms and execution venues
• FIX connectivity providers
• Order routing systems

Operations and Reporting

• Transfer agency systems
• Regulatory reporting platforms (AIFMD Annex IV, Form PF, CPO-PQR)
• Fund administrator systems
• Investor reporting portals

Infrastructure

• Cloud hosting (AWS, Azure, Google Cloud)
• Data center providers
• Cybersecurity services
• Disaster recovery providers

Communication

• Email and messaging systems
• Client portal platforms
• Video conferencing tools

Each of these requires documentation in your register with provider details, contract terms, criticality assessment, and data location information.

The Outsourcing Complexity

Asset managers often operate with extensive outsourcing—fund administration, transfer agency, custody, compliance monitoring, and more. DORA requires you to distinguish between:

1. ICT services — Technology services that support your operations
2. Financial services — Regulated services provided by other financial entities

A fund administrator providing NAV calculation is typically a financial service. But if they also host your investor portal or provide cybersecurity monitoring, those may be ICT services requiring register entries.

This distinction matters because ICT services require full documentation in the register, while financial services from other DORA-regulated entities may be treated differently.

The April 2025 Submission: Lessons for Asset Managers

The first Register of Information submission deadline was April 2025, when competent authorities collected data to designate Critical ICT Third-Party Providers. The experience revealed specific challenges for asset managers:

Common Issues Encountered

Delegation Chain Complexity

Many asset managers delegate portfolio management or use sub-advisors. If the delegate or sub-advisor uses ICT services that support your fund's operations, does that go in your register? The answer depends on whether you have a direct contractual relationship with the ICT provider. Focus on your direct ICT arrangements first.

LEI Requirements for Boutique Providers

Specialist asset management technology providers sometimes don't have LEIs. Unlike major cloud providers or data vendors, niche portfolio management system providers may need prompting to obtain one. Start this conversation early.

Multi-Jurisdiction Complications

Asset managers often operate across EU jurisdictions—a UK-authorized AIFM managing a Luxembourg fund with Irish UCITS feeders. Each entity may have separate DORA obligations. Ensure each regulated entity in your structure has its own register where required.

Incident Reporting: What Asset Managers Must Know

DORA requires reporting of major ICT-related incidents to your competent authority. For asset managers, this means:

What Constitutes a Reportable Incident?

Major ICT incidents affecting:

• Client data security or privacy
• Ability to execute trades or manage portfolios
• NAV calculation accuracy
• Regulatory reporting capabilities
• Investor communication channels

Timing Requirements

• Initial notification: Within 4 hours of classifying incident as major
• Intermediate report: Within 72 hours
• Final report: Within one month (or when incident is resolved)

Many asset managers have existing incident response procedures for operational issues. Review these to ensure they align with DORA's classification criteria and reporting timelines.

Digital Resilience Testing: Proportionate Approach

DORA requires digital operational resilience testing, including Threat-Led Penetration Testing (TLPT) for significant entities. Most asset managers won't need full TLPT, but should implement:

Baseline Testing Requirements

• Vulnerability assessments and scans
• Network security testing
• Open source analysis
• Physical security reviews where relevant
• Gap analysis against ICT risk management requirements

Who Needs TLPT?

Full TLPT requirements apply to entities identified by competent authorities based on systemic importance, critical functions for the financial system, and ICT risk profile.

Most boutique and mid-sized asset managers won't be designated for TLPT. However, you may choose to conduct proportionate penetration testing as good practice.

Timeline: What Asset Managers Should Do Now

DORA has applied since January 17, 2025. Here's how to prioritize if you're still building your compliance program:

Immediate Priorities

1. Confirm your scope status — Are you an authorized AIFM, UCITS ManCo, or MiFID firm? Do you qualify for exemptions or the simplified framework?
2. Inventory ICT arrangements — List every technology provider supporting your operations before worrying about templates
3. Request provider information — Start gathering LEIs, data processing locations, and subcontractor details now
4. Review existing outsourcing documentation — Your AIFMD or MiFID outsourcing registers may provide useful starting data

Medium-Term Actions

1. Build your Register of Information — Populate the 15 templates with accurate, validated data
2. Assess ICT risk management framework — Determine if your existing operational risk framework needs enhancement
3. Review incident response procedures — Align with DORA classification and reporting requirements
4. Document testing approach — Establish proportionate testing schedule

Common Mistakes Asset Managers Make

Mistake 1: Assuming AIFMD Outsourcing Covers DORA

Your AIFMD outsourcing register focuses on delegation of portfolio management and risk management functions. DORA's register covers all ICT third-party arrangements—a much broader scope. You can't simply reuse your AIFMD documentation.

Mistake 2: Ignoring "Internal" IT Systems

If you run on-premise servers or have internal IT staff, you still have ICT third-party arrangements—hardware vendors, software licenses, support contracts, and infrastructure providers. Don't assume "internal IT" means no register entries.

Mistake 3: Waiting for Industry Solutions

Some asset managers hoped industry utilities or administrator-provided solutions would handle DORA compliance. While service providers may offer support, the obligation remains with the regulated entity. You own your register.

Mistake 4: Over-Complicating Proportionality

Proportionality allows simpler approaches, but some firms waste time debating exactly how much simpler. Start with basic, practical implementations. Regulators prefer demonstrated effort over perfect documentation.

Conclusion: DORA Adds Requirements, But They're Manageable

Asset managers face genuine new compliance work under DORA. The Register of Information requires detailed documentation you may not have previously maintained. Incident reporting adds new timelines. ICT risk management expectations are now explicit regulation rather than best practice.

But the proportionality principle means this doesn't have to be overwhelming. Focus on:

• Understanding your scope and any simplified framework eligibility
• Building an accurate Register of Information for your direct ICT arrangements
• Implementing proportionate risk management and testing
• Aligning incident procedures with DORA requirements

The firms that struggled in the April 2025 submission were often those that underestimated the data collection effort. Give yourself time to gather accurate information, and validate before you submit.