DORA: BVI criticises high effort

With the DORA Regulation (Digital Operational Resilience Act), the EU Commission aims to create a uniform framework for comprehensive risk management for cyber security and information and communication technology (ICT) in the financial markets. The Joint Committee of ESAs published proposals for further measures in June 2023.

Commenting on the overall package of consultations, Peggy Steffen, Head of Risk at the German Investment Funds Association BVI, says:

"The proposals of the EU authorities will create immense amounts of bureaucratic work, as they would establish a disproportionately high implementation and monitoring effort for the non-critical ICT structure of asset managers. Above all, it is not appropriate to copy the requirements that the EBA has already developed for banks and their critical infrastructures one-to-one to all financial companies. Rather, the proportionality principle set out in the DORA regulation should also be reflected in the Level 2 measures. To this end, the principles set out by ESMA in its guidelines on cloud outsourcing for asset managers and investment firms should also be adequately taken into account in the proposals."

You can find our detailed demands in our statements

• on the ICT risk management framework 
• on criteria for classifying ICT-related security incidents 
• on the internal policy for the use of ICT services supporting critical and important functions 
• on the register containing information on contracts with ICT third-party service providers.