The Digital Operational Resilience Act became enforceable across the EU in January 2025. If you are a fund manager reading this and thinking "that is a banking regulation, it does not affect me" — you are partially right and importantly wrong.

DORA may not apply directly to your fund. But it almost certainly applies to your fund administrator, your custodian, and other critical service providers in your operational chain. And when your administrator's compliance becomes your problem, you need to understand what they should be doing.

What DORA is

DORA is an EU regulation that establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities. In plain language: it requires financial institutions to have robust IT systems, to be able to withstand cyber incidents, and to manage their dependence on third-party technology providers.

The regulation covers five main areas: ICT risk management frameworks, ICT-related incident reporting, digital operational resilience testing, third-party risk management for ICT service providers, and information sharing arrangements.

Who it applies to

DORA applies directly to a broad range of financial entities including banks, insurance companies, investment firms, fund managers, and — critically — their ICT third-party service providers. If your fund administrator processes investor data, manages financial records, or operates technology platforms on behalf of regulated funds, they are in scope.

For many emerging managers, the direct application of DORA to their fund depends on their regulatory status and jurisdiction. A sub-threshold AIFM may have reduced obligations. But even if your fund is not directly in scope, your administrator is — and their compliance posture directly affects your operational resilience.

What DORA requires

ICT risk management. A comprehensive framework for identifying, protecting against, detecting, responding to, and recovering from ICT-related incidents. This means documented policies, designated responsibility, regular risk assessments, and tested response procedures.

Incident reporting. Major ICT-related incidents must be reported to the relevant competent authority. This creates accountability and ensures that systemic risks are visible to regulators.

Resilience testing. Regular testing of ICT systems — including, for significant entities, threat-led penetration testing (TLPT). This goes beyond basic vulnerability scanning to simulate real-world attack scenarios.

Third-party risk management. Financial entities must assess and manage the risks arising from their dependence on ICT service providers. This includes contractual arrangements, exit strategies, and concentration risk monitoring.

Why smaller funds should care

The concern for smaller fund managers is not direct regulatory compliance — it is operational exposure. If your fund administrator suffers a cyber incident that disrupts their ability to process capital calls, produce reports, or maintain investor records, that is your problem. Your LPs do not care whether the failure was at your end or your administrator's end. They care that their capital call was late or their report was wrong.

What to ask your fund administrator

Five questions will tell you a lot about your administrator's DORA readiness:

1. Do you have a documented ICT risk management framework?
2. What is your incident response procedure, and what are your recovery time objectives?
3. When was your last penetration test, and what were the findings?
4. How do you manage your own third-party ICT providers?
5. What certifications do you hold (ISO 27001, SOC 2)?

How we handle this

We built Infra One's infrastructure with operational resilience as a design principle, not a compliance afterthought. Encrypted data at rest and in transit, multi-factor authentication, regular penetration testing, documented incident response procedures, and a risk management framework aligned with DORA's requirements. Because our platform is built on modern cloud infrastructure, we can implement and demonstrate security controls that legacy systems struggle to match.

If you have questions about operational resilience for your fund, book a call with our team.

DISCLOSURE: This communication is on behalf of Infra One GmbH ("Infra One"). This communication is for informational purposes only, and contains general information only. Infra One is not, by means of this communication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business or interests. Before making any decision or taking any action that may affect your business or interests, you should consult a qualified professional advisor. This communication is not intended as a recommendation, offer or solicitation for the purchase or sale of any security. Infra One does not assume any liability for reliance on the information provided herein. © 2026 Infra One GmbH All rights reserved. Reproduction prohibited.