The Dutch Authority for the Financial Markets (AFM) is drawing attention to preparations for the Digital Operational Resilience Act (DORA). It has published a document explaining the substantive aspects of DORA. The publication supports companies in assessing their current state of cyber security and in determining the steps needed to comply with the regulation.
The AFM remarks that firms should start preparing for DORA as early as possible. DORA aims to bolster ICT risk management and cyber resilience in the financial sector. It introduces requirements in areas such as ICT risk management, ICT-related incidents, resilience testing, and risk control in outsourcing. The regulation also strengthens supply chain security and promotes the exchange of information on cyber threats among financial institutions.
From 17 January 2025, firms within the scope of the regulation must comply with its requirements.
The publication highlights five key areas:
1. ICT Risk Management
ICT risk management is a structured approach to identify and manage risks associated with information and communication technology. It involves creating governance and control frameworks, assigning ICT roles, and aligning with enterprise risk management practices. Effective ICT risk management also encompasses prevention, detection, and reactive measures to ensure digital resilience and stability in organizations.
2. ICT-Related Incidents
The need for robust ICT-related incident management is underscored. Firms are required to establish processes to detect and address incidents and to maintain records of past incidents for evaluation. Major IT incidents must be reported to supervisors, and criteria and templates for reporting are being developed. Organizations are encouraged to start working on incident detection processes and maintaining incident records.
3. Testing of Digital Operational Resilience
Regular testing of digital operational resilience is crucial for understanding and improving IT security. DORA mandates that firms create risk-oriented testing programs tailored to their risk profiles, including various test types like vulnerability scans and penetration tests. Microenterprises receive proportional exemptions from specific DORA articles related to this testing requirement.
4. Management of ICT Risk from Third-Party Providers
Organizations are required to incorporate third-party risk into their ICT risk management framework and to establish a strategy for outsourcing, including ICT services. DORA also specifies key elements that must be addressed in outsourcing agreements, such as service level agreements, exit strategies for critical or important outsourcing, and provisions for inspections and audits. Additionally, organizations must maintain a register of information on all their contractual arrangements with ICT third-party providers.
5. Governance and Organization
DORA places importance on governance and organization, requiring clear roles, an independent three-lines-of-defence model, continuous evaluation of processes, and ongoing training for members of the management body. Organizations should work on establishing independent ICT roles and regularly evaluating their ICT structure.
Until January 2025, businesses have time to align with the regulation. Afterward, DORA will officially apply, and the AFM and De Nederlandsche Bank (DNB) will oversee compliance. Some businesses may already be subject to DORA-related requirements under existing laws and regulations.
The European Supervisory Authorities (ESAs) are currently elaborating certain topics in greater detail in regulatory and implementing technical standards (RTS and ITS), even though these topics are already described in general terms in DORA itself.
The figure below gives an overview of the timeline for the development of the RTS and ITS.
Figure 1: DORA Level 2 timeline (RTS and ITS)