PFSA’s stance on the implementation of DORA by investment fund companies and managers of alternative investment companies (AIFMs)
On 7 February 2025, the Polish Financial Supervision Authority (PFSA) issued a statement regarding the application of the DORA Regulation (Regulation (EU) 2022/2554, applicable since 17 January 2025) by investment fund companies and managers of alternative investment companies. The regulation introduces a number of obligations for these entities concerning digital operational resilience and ICT risk management.
Investment fund companies and managers of alternative investment companies must comply with the DORA Regulation in the area of ICT risk management, in particular when entering into contracts with external ICT service providers. These provisions aim to ensure the digital operational resilience of financial entities and cover the key aspects of network and information system security. DORA applies irrespective of whether national investment fund regulations impose direct obligations in this area.
What changes does the DORA Regulation introduce?
DORA establishes uniform digital resilience requirements for financial entities, including the managers of investment funds and of alternative investment companies. Among the entities in scope are:
- managers of alternative investment funds (AIFMs),
- management companies within the meaning of the UCITS Directive.
These entities must comply with specific IT security standards as part of their operations and implement mechanisms to manage risks arising from ICT services.
New responsibilities in ICT risk management
Fund managers must adopt a comprehensive ICT risk management framework covering incident monitoring, resilience testing of systems, and appropriate business continuity procedures. Special attention should be given to arrangements with transfer agents and other technology providers that deliver services essential to the operation of the funds. Stringent risk management standards are needed to support the uninterrupted operation of the funds and compliance with EU regulations.
As stated in the position published by the PFSA, investment fund companies and managers of alternative investment companies are required to:
- Ensure the security of the networks and IT systems supporting the funds,
- Monitor and report cyber incidents,
- Manage risks associated with external ICT service providers,
- Test digital resilience and implement contingency mechanisms.
Serious consequences of non-compliance
Failure to comply with DORA can result in serious repercussions, including financial penalties and restrictions on business activity. Fund managers should therefore audit their ICT systems, review contracts with ICT service providers, and implement robust mechanisms to protect against cyber threats. Compliance with the new regulations is vital for the stability and security of the financial sector.
If you need support in complying with the new regulations, feel free to contact us.