ESMA_QA_2447
26/02/2025
View PDF View Excel
Subject Matter
direct agreements between AIF and ICT service provider
According to article 2 par 1 of DORA AIFM is in scope of DORA, AIF is not defined as financial entity. There are situations when agreement is concluded directly between AIF and ICT service provider. It is obvious that the agreement in such situation should contain elements listed in article 30 of DORA and the risk assessment should be performed by AIFM. But shall such agreement also be:
- included in the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers according to article 28 par 3 and
- notified to competent authority in a timely manner prior of the conclusion of the agreement if the agreement supports critical or important functions?
ESMA Answer
26-02-2025

DORA applies to managers of alternative investment funds according to Article 2, point (k) of DORA. Therefore, to the extent that ICT systems of an AIF are needed for the AIFM to comply with its obligations under AIFMD and DORA those systems should be covered. Hence, in general, contracts that are signed by the AIFM, no matter if for the AIFM or on behalf of the AIF, or are signed directly by the AIF should comply with DORA requirements and should be included in the register of information and be notified to competent authorities in a timely manner prior of the conclusion of the agreement, if the agreement supports critical or important functions.

Status: Answer Published

Additional Information

Level 1 Regulation
Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)
Topic
ICT third-party risk management