DORA Compliance: What Your Hedge Fund's IT Provider Must Deliver

A practical guide to DORA compliance for hedge funds. Learn what your IT provider must deliver to meet the Digital Operational Resilience Act requirements.

Nerdster Team

10 February 2026

The Digital Operational Resilience Act (DORA) is now fully enforceable across the EU and has direct implications for UK-based hedge funds that operate in European markets or manage EU-domiciled funds. If your IT provider cannot articulate exactly how they support your DORA obligations, that is a red flag you cannot afford to ignore.

What DORA Actually Requires

DORA is not a vague set of principles. It is a prescriptive regulation with five concrete pillars that financial entities must address:

  1. ICT risk management — a documented framework for identifying, protecting against, detecting, responding to, and recovering from ICT-related incidents.
  2. Incident reporting — standardised reporting of major ICT-related incidents to competent authorities within strict timeframes.
  3. Digital operational resilience testing — regular testing including threat-led penetration testing (TLPT) for systemically important firms.
  4. ICT third-party risk management — oversight and due diligence of all ICT service providers, including your MSP.
  5. Information sharing — voluntary arrangements to exchange cyber threat intelligence between financial entities.

For hedge funds, pillar four is where most friction occurs. Your MSP is now a regulated third-party ICT provider, and you are responsible for managing that relationship formally.

What Your IT Provider Must Demonstrate

Documented Service Resilience

Your provider should maintain and share documentation covering their own business continuity plans, disaster recovery procedures, and incident response playbooks. Under DORA Article 28, you need contractual assurances that cover availability targets, data location, subcontracting chains, and audit rights.

If your current provider cannot produce these documents on request, they are not DORA-ready.

Defined Incident Response and Reporting

DORA requires major ICT incidents to be reported to your national competent authority within four hours of classification. Your IT provider must have monitoring systems that detect incidents in real time and an escalation process that feeds directly into your compliance workflow.

Ask your provider: what is the average time from incident detection to client notification? If they cannot answer with a number, that tells you everything.

Regular Resilience Testing

Beyond standard vulnerability scanning, DORA expects scenario-based testing that simulates realistic threats. For larger funds subject to TLPT requirements, your IT provider should either deliver or facilitate red team exercises aligned with the TIBER-EU framework.

At minimum, every hedge fund should be running quarterly vulnerability assessments, annual penetration tests, and tabletop disaster recovery exercises. Your IT provider should be orchestrating all of this.

Concentration Risk Awareness

DORA explicitly addresses concentration risk — the danger of too many financial entities relying on the same ICT provider. While this primarily targets hyperscalers like AWS and Azure, it also means your fund should document its dependency map. Your MSP should help you maintain a register of all critical ICT providers, their subcontractors, and the jurisdictions in which data is processed.

Common Gaps We See in Hedge Fund IT

Having worked with hedge funds across London, we consistently find the same shortcomings when firms begin their DORA readiness assessments:

  • No formal ICT risk register. Firms track investment risk meticulously but have no equivalent register for technology risks.
  • No third-party oversight process. The relationship with the IT provider is managed on trust rather than contractual SLAs with audit provisions.
  • Backup testing is irregular or untested. Backups exist but have never been restored in a controlled test. Under DORA, untested backups are effectively non-existent.
  • No incident classification framework. Without a clear taxonomy of what constitutes a “major” incident, firms cannot meet the reporting timelines.

A Practical DORA Readiness Checklist

Use this as a starting point for your next conversation with your IT provider:

  • Can you provide your business continuity and disaster recovery documentation?
  • What are your contractual SLAs for incident detection and notification?
  • How do you manage and disclose your subcontracting chain?
  • What resilience testing have you conducted in the last 12 months?
  • Can you support our regulatory reporting obligations with structured incident data?
  • Where is our data stored, and in which jurisdictions?
  • What is your exit strategy if we need to transition away from your services?

If your provider struggles with any of these questions, it is time to evaluate alternatives.

How This Connects to FCA Expectations

Even before DORA, the FCA had been tightening its expectations around operational resilience. UK-authorised firms must already identify important business services, set impact tolerances, and test their ability to remain within those tolerances during disruption. DORA extends and formalises these requirements with a specific focus on ICT.

For dual-regulated funds operating across the UK and EU, the overlap between FCA operational resilience rules and DORA creates an opportunity to build a single, unified framework rather than maintaining parallel compliance programmes.

Next Steps

DORA compliance is not a one-off project. It is an ongoing operational discipline that requires your IT provider to be a genuine partner, not just a supplier.

At Nerdster, we work with hedge funds, private equity firms, and wealth managers across London to build IT environments that satisfy both FCA and DORA requirements. If you are unsure whether your current setup meets the standard, our free IT assessment will give you a clear picture of where you stand and what needs to change.
