ESMA_QA_2447
Status: ✅ Answer Published
Link to ESMA Q&A tool: https://www.esma.europa.eu/publications-data/questions-answers/2447
Regulatory Context
Regulation : DORA
Level 1 Regulation: Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)
Level 2 Regulation: No information available
Level 3 Regulation: No information available
Topic: ICT third-party risk management
Subject Matter: direct agreements between AIF and ICT service provider
Question
Submission Date: 26 February 2025
According to article 2 par 1 of DORA AIFM is in scope of DORA, AIF is not defined as financial entity. There are situations when agreement is concluded directly between AIF and ICT service provider. It is obvious that the agreement in such situation should contain elements listed in article 30 of DORA and the risk assessment should be performed by AIFM. But shall such agreement also be:
- included in the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers according to article 28 par 3 and
- notified to competent authority in a timely manner prior of the conclusion of the agreement if the agreement supports critical or important functions?
ESMA Answer
Answer Date: 26-02-2025
DORA applies to managers of alternative investment funds according to Article 2, point (k) of DORA. Therefore, to the extent that ICT systems of an AIF are needed for the AIFM to comply with its obligations under AIFMD and DORA those systems should be covered. Hence, in general, contracts that are signed by the AIFM, no matter if for the AIFM or on behalf of the AIF, or are signed directly by the AIF should comply with DORA requirements and should be included in the register of information and be notified to competent authorities in a timely manner prior of the conclusion of the agreement, if the agreement supports critical or important functions.
This document was automatically extracted from the ESMA EMIR Q&A database.