PEI Group

DORA Statement

Effective Date: January 16, 2025.

Introduction and purpose

At PEI Group (PEI) we take regulatory compliance seriously. As providers of ICT services with financial entities in our client basis, we recognise the importance of aligning our operations with relevant legislation and industry-standards.

This statement addresses our view on the application of the Digital Operational Resilience Act (DORA) to our dealings with financial entities subject to DORA.

Applicability and role

While we expect our services to be key to support informed decision-making and fostering collaboration within the alternative investment community, PEI (or any ESA at this stage) does not consider they constitute critical ICT services. They are not either supporting critical or important functions of financial entities regulated under DORA.

We are not directly subject to the oversight requirements provided in the regulation. Our primary responsibility is to ensure adequate contractual arrangements are in place when providing our ICT services to financial entities covered by DORA. These arrangements are designed to guarantee the implementation of appropriate security measures within our organisation, aligning with the needs of our clients and supporting their compliance with the framework.

Although DORA does not directly apply to our services, we remain committed to implementing robust security measures and operational best practices to ensure reliability and resilience of our systems. We continue to prioritise the trust and confidence of our clients by adhering to high standards of performance and governance in all aspects of our business.

Regulatory background

DORA is a key component of the European Commission’s digital finance strategy, adopted in 2020. It establishes a harmonised regulatory framework to enhance the digital operational resilience of financial entities operating within the European Union (EU). The primary objective of DORA is to ensure that financial entities can effectively withstand, respond to and recover from ICT-related disruptions and threats, including cyber threats.

DORA applies to all authorised financial entities operating in the EU, subject to limited exceptions. It also covers ICT and ICT third-party risk management and creates an oversight framework for third-party ICT service providers deemed critical to the financial sector.

As a regulation, DORA is legally binding in all EU member states. It entered into force on 16 January 2023 and its provisions apply from 17 January 2025 following a 24-month implementation period.

Frequently Asked Questions

What does being an ICT third-party service provider mean for PEI in the context of DORA?

As an ICT third-party service provider to financial entities, our primary responsibility is to ensure adequate contractual arrangements are in place when providing our ICT services to financial entities covered by DORA. These arrangements are our undertaking that appropriate security measures are implemented within our organisation, aligning with the needs of our clients and supporting their compliance with the framework.

Why is PEI not considered a critical ICT service provider?

While we expect our services to be key to support informed decision-making and fostering collaboration within the alternative investment community, because of their characteristics, PEI (or any ESA at this stage) does not consider them to constitute critical ICT services or meet the criteria established under DORA to be designated as such.

Why are PEI’s services not supporting critical or important functions of financial entities?

Our services, while valuable by supporting financial entities with insights and data, are not designed to support functions that are critical to the core operations of financial entities. This means that if our services were disrupted, it would not materially impact the financial performance of a financial entity, disrupt the delivery of its essential services, or affect its ability to meet regulatory requirements. Therefore, we do not consider ourselves as supporting critical or important functions of our financial entities’ clients.

Does PEI adhere to operational resilience and security standards?

Yes, of course. Operational resilience and security standards are very important to us. Although DORA does not apply directly to our services, we remain committed to implementing robust security measures and operational best practices to ensure reliability, resilience and integrity of our systems. We continue to prioritise the trust and confidence of our clients by adhering to high standards of performance and governance in all aspects of our business.

How does PEI help financial entities comply with DORA?

PEI supports financial entities covered by DORA by maintaining service level standards as outlined in the Terms and Conditions when providing our ICT services to them. These Terms and Conditions are designed to guarantee the implementation of appropriate security measures within our organisation, aligning with the needs of our clients and supporting their compliance with the framework.

Will PEI conclude dedicated DORA agreements with individual clients/ users of ICT services provided by PEI?

In principle, we are unable to accept individual contractual amendments. To treat all clients equally, PEI is intended to provide a standard contract as a DORA-compliant solution.

Where can I find more information about PEI’s approach to DORA?

If you have additional questions or need further clarification, please feel free to contact us at datagovernanceoffice@pei.group. Our team will be happy to provide more information about our compliance approach and operational practices.