ESMA_QA_2240
Topic
ICT-related incident 
23/07/2024
Subject Matter
Queries related to incident reporting
Question
Good morning, I would like to ask two questions related to incident reporting:

First, following the publication of the second batch of DORA RTS, and regarding the RTS Final Report Draft Regulatory Technical Standards on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents and Draft Implementing Technical Standards on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat, we would like to raise two queries:
- On the one hand, Article 6, on the reporting time limits for the intermediate report, provides that financial entities shall submit an updated intermediate report without undue delay, in any case, when regular activities have been restored. Is updating the intermediate report therefore mandatory in that case?

- On the other hand, the RTS does not identify the competent authority to which the various reports must be submitted. In our case, Spain, we have INCIBE as our reference CSIRT and also BANCO DE ESPAÑA as competent authority. Could you please tell us to whom specifically those reports should be submitted?

Secondly, although it is not closely related to DORA, it has also become necessary: a half-yearly report is prepared for the European Banking Authority (EBA) on the cybersecurity incidents suffered, for the purpose of carrying out statistical studies of the sector. Could you help us confirm whether this information is correct and where we could find the reference, please?
Level 1 Regulation
Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)
ESMA_QA_2230
Topic
MiFID services under Article 6(4) of the AIFMD
05/07/2024
Subject Matter
AIFMs safekeeping client money
Question
Are AIFMs permitted to hold client money, taking into account also the wording of Article 6(4)(b)(ii) of the AIFMD?

Will the situation change in light of the legislative amendments introduced following the AIFMD Review (Directive 2024/927/EU)?
Level 1 Regulation
Alternative Investment Fund Managers Directive (AIFMD) Directive 2011/61/EU
ESMA_QA_2229
Topic
Delegation
05/07/2024
Subject Matter
Permission of AIFMs to delegate portfolio or risk management to non-supervised undertakings established outside of the EU
Question
Are AIFMs allowed to delegate portfolio or risk management to non-supervised undertakings established outside of the EU?
Level 1 Regulation
Alternative Investment Fund Managers Directive (AIFMD) Directive 2011/61/EU
ESMA_QA_2227
Topic
Capital requirements
02/07/2024
Subject Matter
Initial capital and additional own funds
Question
Are internally managed AIFs and self-managed UCITS investment companies required to maintain initial capital and additional own funds, respectively, pursuant to Article 9 of AIFMD and Articles 7 and 29 of the UCITS Directive, that are kept separate from the collective investment undertaking’s assets, meaning that the initial capital and the additional own fund should not be included in the fund’s net asset value (NAV)?
Level 1 Regulation
Alternative Investment Fund Managers Directive (AIFMD) Directive 2011/61/EU
ESMA_QA_2226
Topic
Other DORA topics
02/07/2024
Subject Matter
Scope of the definition of ICT services
Question
As the manager of an Alternative Investment Fund (AIF), we provide specialized investment opportunities to professional investors such as pension funds, insurers, and banks within the EU. Consequently, both our firm and our investors fall within the scope of DORA.

Our investors can access their portfolios through an online portal operated by a third-party service provider (an ICT third-party service provider). We intend to establish a DORA addendum with this ICT third-party service provider to address this specific ICT service.

Several of our investors have inquired about DORA compliance in relation to their contractual relationship with us. While we are committed to ensuring the portal itself is compliant, we believe our core service – providing investment opportunities – does not constitute an ICT service under DORA. The online portal is merely a supplementary tool for accessing reports, not a fundamental part of our contractual obligations. This view is further supported by the fact that our agreements with investors only stipulate that we provide them with reports, without specifying the method of delivery.

Given these considerations, do you agree with our assessment that our services to investors do not fall under the definition of an ICT service as per DORA and that we, in respect of our investors, cannot be considered an ICT third-party service provider?
Level 1 Regulation
Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)