nexalign

DecisionOS for Asset Management and Wealth Management

Asset management has been in direct DORA scope since January 2025: AIFMs, UCITS management companies, investment firms, depositaries and, in many configurations, family offices with MiFID-licensed services. On top of that come MaRisk (KaMaRisk for investment management companies), KAGB and MiFID II. IT decisions on PMS, OMS, EMS, risk tooling or reporting platforms must satisfy all of these regimes at once.

TL;DR

Asset managers are direct DORA addressees. Tool selection must satisfy DORA Art. 28-30.

Regulatory overview

DORA · MaRisk / KaMaRisk · KAGB · AIFMD · UCITS · MiFID II · MiCA · NIS2 · GDPR

Regulatory context

DORA applies since 17 January 2025. Asset managers with AIFM, UCITS or MiFID licences are direct addressees. Exemptions exist for small managers below AIFMD thresholds.

MaRisk / KaMaRisk set the German governance baseline. For ICT aspects, DORA largely supersedes them from 2025.

KAGB transposes AIFMD into German law. MiFID II covers investment services.

Where crypto-assets are involved, MiCA and the MiCA-DORA interactions also apply.

Typical decisions

Dealbreakers (non-negotiable)

  • DORA Art. 30 mandatory clauses in every ICT contract

    Critical or important functions require extended clauses (audit rights, sub-outsourcing, exit, incident reporting).

  • EU data residency with key custody

    Portfolio and client data are highly sensitive. Exclude exposure to the US CLOUD Act.

  • Concentration-risk steering

    DORA Art. 29 requires concentration-risk assessment for ICT third-party providers.

  • Audit trail and reporting capability

    BaFin and CSSF (LU) require the ICT register and mandatory reports.

Typical decisions

Portfolio Management System (PMS) including OMS and EMS integration.

Risk reporting platform with Solvency II or AIFMD reporting.

Cloud migration of mid- and back-office stacks with sovereign cloud options.

Vendor selection for custodian, fund accounting, fund administrator.

Where DecisionOS plugs in

Criteria are mapped to DORA Art. 5 (framework) and Art. 28-30 (third party); dealbreakers are modelled as mandatory clauses; stakeholders are aligned across CIO, CISO, CRO, Legal, Compliance and the Board.

Hosting and data sovereignty

DecisionOS is hosted in Germany on Hetzner, with EU-only data flow and an Art. 28 GDPR data processing agreement. It is suited as the decision layer for DORA-bound tool procurement in asset management.

FAQ

Are all asset managers in scope of DORA?

AIFMs and UCITS management companies: yes, with partially simplified duties for small AIFMs below the AIFMD thresholds. MiFID-licensed investment firms: yes. Family offices without a MiFID licence: typically not directly, but indirectly via supplier and custodian clauses.

What are the key DORA Art. 30 mandatory clauses for asset managers?

For critical or important functions: full audit rights (including for the supervisor), sub-outsourcing control, tested exit strategy with transition periods, incident reporting duties, supervisory cooperation. For normal functions: baseline clauses for SLA, data residency, audit rights.

How do DORA and MaRisk / KaMaRisk relate?

DORA sets a single EU framework. KaMaRisk remains relevant for governance, risk management and outsourcing, but is being adapted to DORA. In practice (2025-2026) both apply in parallel, with conflict points clarified via BaFin guidance.