Asset Management | DORA Adopted in Norway: A Practical Guide to Implementation for Asset Managers
This newsletter explains why DORA implementation is so critical for asset managers and provides a guide to practical steps for bringing internal processes into compliance. With digitalization reaching unprecedented levels and cyber threats becoming ever more sophisticated, DORA represents a landmark in how regulators approach ICT security.

Why implementation of DORA is important
Financial markets rely heavily on ICT for day-to-day operations, client communication, and the storage and transfer of large datasets. This reliance leaves firms vulnerable to sophisticated attacks exploiting any digital weakness, including misconfigured systems or insufficient employee vigilance against phishing and ransomware. According to a European Union Agency for Cybersecurity study from February 2025, distributed denial-of-service attacks, phishing, and ransomware remain central threats to Europe’s finance sector.
DORA seeks to ensure that ICT systems remain robust and resilient even during outages, cyberattacks, or unexpected overloads. When implemented properly, DORA can reduce the potential for data loss across critical networks, strengthen business continuity, and align oversight practices with a cohesive regulatory standard. Failing to comply with DORA can result in enforcement action by the Norwegian Financial Supervisory Authority (FSAN), including fines of up to NOK 50 million. Equally important, non-compliance heightens the operational and reputational risk exposure of asset managers, which poses a more serious risk to the business than the fines themselves.
It is worth noting that some market actors are outside the scope of DORA and are thus not directly subject to the new framework. This is, for example, the case for alternative investment fund managers that are not fully authorised but solely registered (so-called sub-threshold managers). However, DORA provides new industry standards that can become a benchmark. Investors and other clients may require that benchmark to be met as they strive to reduce the risks to their data and business relationships. Many market participants may therefore choose to meet those new standards, simply because ICT resilience is integral to sustainable and competitive business operations.
Practical guidance on implementation for asset managers
The effective date of DORA is yet to be set, but based on a recent statement from the FSAN, DORA is likely to come into force within the next few weeks. Given the limited time remaining, asset managers should move forward with a structured plan for implementation, with key steps including:
- Gap analysis
Begin with a gap analysis, mapping your existing ICT systems, networks and internal documents against the DORA requirements. Parts of your existing framework might already align with DORA; however, you will likely identify gaps that are not yet DORA compliant and require action. Bear in mind that regardless of which tasks are outsourced, the asset manager remains ultimately responsible for achieving and maintaining DORA compliance.
- Update internal policies and procedures
DORA sets forth prescriptive obligations regarding the types of policies and procedures that must be maintained, either by updating existing ones or by creating new ones (e.g., ICT asset management procedure, ICT asset management policy, ICT-related incident management policy). For some areas DORA even requires both a policy (outlining principles) and a procedure (outlining more practical / technical elements) to be in place. In this stage, we recommend updating your internal policies and procedures, establishing or adjusting the reporting formats for periodic ICT reporting to the board, and testing and reviewing aspects of the business to ensure consistency across all compliance tools.
- Update your internal governance framework
Establish clear responsibilities for key DORA elements, such as ICT risk management and operational resilience. Start at the top, as DORA insists that boards and senior leaders understand and endorse a governance model that accurately reflects the regulation’s emphasis on oversight. Align internal structures so that accountability for ICT strategy, testing, and incident response is well-defined and traceable.
- Review all third-party ICT contracts
DORA requires a review of all contracts with ICT service providers against a specific catalogue of provisions that must be included in such contracts, covering, among other things, performance, incident handling, oversight, and specific termination rights. Given the centrality of outsourced arrangements to many financial businesses, this aspect is particularly important yet frequently underestimated.
- Continuous monitoring and testing
Engage in continuous monitoring of all implementing measures and in frequent testing of ICT resilience. Collaborate with relevant ICT partners to set appropriate test parameters and methodologies, and document every step of the process.
BAHR’s opinion
The prescriptive nature of DORA may catch some asset managers off guard, especially those viewing ICT risk as a merely technical issue. The complexity of DORA and the resources required for its implementation should not be underestimated. DORA is, in fact, a wide-ranging legal regime embedded in multiple layers of regulation, including the DORA Regulation itself, the companion DORA Directive, and regulatory technical standards (RTS), implementing technical standards (ITS), guidelines, and Q&As from EU supervisory bodies. This means the practical requirements will evolve further as regulatory guidance matures.
The principle of proportionality stands as a central pillar in DORA’s practical implementation. Under DORA, asset managers must align their compliance measures with their size, overall risk profile, and the nature, scale, and complexity of their business. Competent authorities, in turn, shall be guided by that same principle when requesting reports and other oversight measures, ensuring that such obligations remain both appropriate and feasible. Successful DORA implementation hinges on close collaboration among IT, compliance, legal, and risk teams, with ongoing board engagement to ensure policies and procedures stay aligned with operational realities. Make sure to involve all relevant stakeholders in the implementation process from early on.
BAHR has been active in assisting asset managers with DORA since it came into force in the EU in January this year. We have prepared compliance checklists supporting the gap analysis and developed AI-driven solutions designed to streamline selected steps required for DORA compliance. For example, our tools can systematically review ICT service provider contracts to identify missing provisions and to document that you have properly engaged in a review process. This technology-enabled approach streamlines compliance efforts, helping asset managers to move from extensive manual checks to a more efficient compliance review.