DORA Deadline Is Closer Than You Think, Dutch Central Bank Warns

July 18, 2024

Financial institutions need to act now if they are to meet the January 17, 2025 deadline for the implementation of the Digital Operational Resilience Act (DORA), according to the Dutch Central Bank (DNB). 

According to the DNB’s annual survey, many institutions are significantly behind schedule, with a large number yet to begin crucial preparatory work, including assessing their digital resilience, identifying gaps and developing relevant action plans.

"January 17, 2025, is coming sooner than you think," the DNB cautioned. "The remaining time for implementation is short, and a lot of work remains to be done."

The survey reveals that numerous institutions are still in the process of performing a gap analysis for both DORA and its underlying regulatory technical standards, or even just making plans to do so.

The DNB has emphasised the critical importance of a thorough gap analysis, which is essential for identifying necessary adjustments in policy, processes, control measures and contracts with service providers.

The gap analysis is pivotal as it provides insights into the steps needed to comply with DORA. 

The DNB warns that addressing the identified gaps may require significant lead time, especially for complex adjustments. 

For instance, creating a comprehensive information register and ensuring that contracts with ICT service providers are DORA-compliant are tasks that often require extensive system adjustments and coordination across multiple teams.

One major challenge the DNB highlighted is the lack of an overarching overview within institutions. 

Centralising data from various administrative systems to maintain an accurate information register and ensuring compliance in contracts with both critical and non-critical ICT service providers are areas where many institutions are lagging, the regulator said. 

This process involves significant consultation with ICT service providers and may necessitate further tightening of monitoring procedures within outsourcing chains.

The importance of a structured approach

Despite these challenges, the survey found that some institutions have completed their gap analysis and begun implementing their compliance programmes. 

However, even these proactive entities face substantial work to address the identified gaps.

To ensure timely compliance, the DNB advises institutions to adopt a structured approach. 

This includes establishing a dedicated programme overseen by the board or management, with regular progress monitoring and reporting. 

The DNB underscores that such an approach is vital for a successful and timely implementation of DORA.

Managing ICT risk

The DNB’s intervention comes a week after the Netherlands Authority for the Financial Markets (AFM) released the results of its own DORA research. 

The AFM conducted extensive surveys of ICT management practices to assess how well financial service providers, capital market entities and investment firms are managing their IT risks. 

The assessment identified ten critical DORA themes, giving organisations a focused framework to evaluate their readiness for the regulation.

The AFM's continuous monitoring revealed that many financial institutions' control measures are not yet at a sufficient level, indicating significant preparatory work is needed before the DORA deadline. 

For instance, it found that 81 percent of financial service providers (including payments and e-money firms and crypto-asset service providers), 58 percent of capital market parties and 42 percent of investment firms were not fully meeting the expected standards for ICT risk management.

In a recent interview with Vixio, the AFM acknowledged that although some firms show maturity in ICT risk management and are working to align with DORA, others need to expedite their efforts to comply. 

The regulator noted an imbalance between growing IT threats and current resilience levels, stating that DORA is an opportunity for the financial services sector to enhance standards.

The AFM also echoed what the DNB has said, emphasising that firms must assess their digital resilience, identify gaps and develop action plans, which include updating internal policies, strengthening IT risk controls and reviewing third-party contracts.
