DORA for the firms that run Europe's funds: protecting NAV integrity, valuation and the delegation chain.
UCITS management companies and authorised AIFMs are explicitly named as financial entities under Article 2 of DORA, so the full digital operational resilience framework applies to the firms managing Europe's collective investment vehicles. For asset managers the regulation is less about retail-facing systems and more about the engines that price, trade and report on funds: portfolio and order management systems, fund accounting and NAV calculation, market-data feeds and the long chain of delegates and outsourcers that sit behind them.
DORA reframes ICT risk as a board-level resilience obligation rather than an IT housekeeping task. ManCos and AIFMs must build a documented ICT risk-management framework, classify and report major ICT-related incidents, test their digital resilience, and contractually govern every ICT third-party dependency. Because asset management runs on delegation, the hardest part for most firms is mapping and overseeing the providers who actually operate critical functions on their behalf.
DORA applies to authorised UCITS management companies and AIFMs as financial entities under Article 2(1). Sub-threshold (registered, non-authorised) AIFMs that fall below the AIFMD Article 3 thresholds and have not opted in are generally outside DORA's direct scope, but firms must confirm their exact authorisation status because opting in or breaching a threshold pulls them in. In-scope managers may apply the proportionate, simplified ICT risk-management framework of Article 16 where they qualify as small and non-interconnected, but eligibility is conditional and must be evidenced, not assumed.
DORA sits on top of the AIFMD and UCITS delegation and outsourcing regimes rather than replacing them: where those directives govern the conduct, substance and liability of delegation, DORA governs the operational resilience of the ICT that underpins delegated and outsourced functions. This matters acutely for dependencies on depositaries, fund administrators, transfer agents and valuation/NAV providers, whose outages translate directly into delayed or mispriced NAVs. Firms should align their AIFMD/UCITS outsourcing inventories with the DORA Register of Information so a single dependency is not governed by two inconsistent contractual standards.
NAV calculation and the valuation function are core ICT-dependent processes whose failure produces direct, quantifiable investor harm. DORA expects documented availability, integrity and continuity controls around the pricing and fund-accounting chain, plus tested fallbacks for when the primary engine or its inputs fail. A late or incorrect NAV is the asset-management equivalent of a critical service outage.
Most ManCos and AIFMs delegate fund accounting, NAV production and investor register/TA functions to third parties, making those providers critical ICT dependencies under DORA. Each must appear in the Register of Information with appropriate contractual rights to information, audit, business continuity and exit. Concentration on a small number of large administrators is itself a resilience risk the firm must assess and document.
OMS/PMS, EMS and connectivity to brokers, trading venues and custodians are ICT systems supporting critical or important functions. Their unavailability can prevent dealing, settlement and rebalancing within required windows, so DORA requires resilience, monitoring and recovery objectives (RTO/RPO) calibrated to trading and settlement cutoffs rather than generic IT targets.
Pricing depends on continuous, accurate market-data and reference-data feeds from index, pricing and benchmark providers. DORA treats these data dependencies as ICT third-party services that must be inventoried, monitored for integrity and continuity, and backed by alternative sources or stale-data procedures so a feed outage does not silently corrupt valuations.
Asset managers operate against hard deadlines: NAV strike and publication, dealing cutoffs, and regulatory/investor reporting. DORA's continuity and incident-handling expectations should be mapped to these time-critical windows, because a resilience event that merely delays processing can still breach fund documentation, prospectus commitments and supervisory reporting obligations.
Delegation under AIFMD/UCITS frequently runs several layers deep, and subcontracted ICT (cloud, hosting, sub-administrators) can sit far from the manager's direct line of sight. DORA requires the firm to look through these chains, identify the ICT third-party services supporting critical or important functions, and retain accountability even where operation is delegated.
Yes, if you are an authorised UCITS management company or an authorised AIFM, as both are named financial entities in Article 2 of DORA. Sub-threshold registered AIFMs that have not opted into full AIFMD authorisation are generally outside DORA's direct scope, but you should confirm your exact status, as opting in or exceeding the AIFMD thresholds brings you in. Self-managed funds and internally managed AIFs are treated as the relevant management entity for scoping.
Possibly. Article 16 of DORA offers a proportionate, simplified framework for entities that qualify as small and non-interconnected, which can include smaller ManCos and AIFMs. Eligibility is not automatic: you must assess and document that you meet the criteria, and you remain subject to incident reporting, third-party risk and other core obligations. Most mid-sized managers will not qualify and should plan for the full framework.
DORA layers on top of, rather than replaces, the AIFMD and UCITS delegation and outsourcing requirements. Those regimes still govern substance, conduct and liability of delegation, while DORA governs the operational resilience of the ICT underpinning delegated and outsourced functions. In practice you should reconcile your existing outsourcing arrangements with the DORA Register of Information and contractual requirements so a single provider is governed consistently.
To the extent the administrator delivers ICT services supporting a critical or important function, such as NAV production, fund accounting or the investor register, the associated ICT services fall within DORA's third-party risk regime. You must include the arrangement in your Register of Information and ensure the contract contains DORA's mandatory provisions on access, audit, business continuity, sub-outsourcing and exit. Where the administrator subcontracts ICT, you also need visibility into that chain.
They can be. A NAV calculation error, valuation outage or dealing disruption is an ICT-related incident, and if it meets DORA's major-incident classification thresholds it must be reported to your competent authority within the prescribed timelines. The assessment turns on factors such as the number of clients/funds affected, duration, data loss and economic impact, so you should pre-define which fund operations would cross those thresholds.
DORA has applied since 17 January 2025, so the framework is already in force and supervisors expect demonstrable compliance now. Practical starting points are completing your Register of Information, mapping ICT dependencies behind NAV, dealing and reporting, remediating third-party contracts for the mandatory DORA clauses, and establishing incident classification and digital resilience testing. Prioritise the providers supporting critical or important fund functions.