Dutch And German Regulators Release DORA Compliance Guidelines And Checklist

July 10, 2024
Financial institutions in the Netherlands and Germany have access to new resources to help them prepare for the Digital Operational Resilience Act (DORA), which comes into effect on January 17, 2025.

Financial institutions in the Netherlands and Germany have access to new resources to help them prepare for the Digital Operational Resilience Act (DORA), which comes into effect on January 17, 2025.

As the deadline approaches, both the Dutch Authority for the Financial Markets (AFM) and the German Federal Financial Supervisory Authority (BaFin) have released resources relating to the incoming EU regulation, which intends to enhance IT risk management and cyber resilience.

Their goal is to ensure that financial institutions across Europe are well-prepared to meet DORA's stringent requirements, ultimately enhancing the sector's resilience to cyber threats.

DORA mandates that financial organisations improve their management of IT risks to enhance resilience against cyber threats.

In recent months, legislation and guidance have been released in large quantities across the EU, not only by EU institutions such as the European Banking Authority, but also by a number of countries, including Slovakia, Slovenia, Luxembourg and European Economic Area (EEA) member Liechtenstein. 

Key findings from AFM's IT management survey

The AFM conducted extensive surveys of IT management practices to assess how well financial service providers, capital market entities and investment firms are managing their IT risks. 

The assessment identified ten critical DORA themes, giving organisations a focused framework to evaluate their readiness for the mammoth regulation. 

The regulator's continuous monitoring of the situation revealed that many financial institutions' control measures are not yet at a sufficient level, indicating significant preparatory work is needed before the DORA deadline. 

For example, it found that 81 percent of financial service providers (including payments and e-money firms and crypto-asset service providers), 58 percent of capital market parties and 42 percent of investment firms were not fully meeting the expected standards for ICT risk management.

In a recent interview with Vixio, the AFM acknowledged that although some firms it supervises show maturity in ICT risk management and are working to align with DORA, others need to expedite their efforts to comply. 

The regulator told us there is an imbalance between growing IT threats and current resilience levels, and said DORA is an opportunity for the financial services sector to enhance standards. 

It said firms must assess their digital resilience, identify gaps and develop action plans. This will include updating internal policies, strengthening IT risk controls and reviewing third-party contracts.

Areas for improvement

DORA aims to ensure financial firms can manage ICT risks effectively, enhancing their resilience to cyber threats and disruptions, and the AFM's findings highlight several areas needing improvement, including governance surrounding ICT risk management, ICT asset inventory and risk management of third-party providers.

Most organisations scored well on designing backup and recovery options, although DORA demands additional detailed requirements in this area.

The AFM's DORA checklist

To assist companies in achieving compliance, the AFM has developed a DORA checklist. 

This tool helps organisations identify their current standing in digital resilience and outlines the necessary steps to meet DORA's requirements. 

By using this checklist, companies can ensure they have the appropriate policies and procedures in place well before the regulation takes effect, the AFM said. 

BaFin releases DORA implementation guidelines

In parallel, BaFin has issued implementation guidelines for DORA. 

These guidelines address:

  • Governance and organisation.
  • Information risk and security management.
  • IT operations.
  • ICT business continuity management.
  • IT project management and application development.
  • ICT third-party risk management.
  • Operational information security.
  • Identity and rights management.

Although not mandatory, these guidelines provide valuable insights for companies supervised by BaFin, including those under the banking supervisory requirements for IT (BAIT) and the insurance supervisory requirements for IT (VAIT).

BaFin's guidelines result from extensive collaboration between industry representatives, the Deutsche Bundesbank and BaFin itself. 

Over 30 meetings, the working groups compared DORA requirements with BAIT and VAIT standards, identifying key differences and areas requiring action.

Read Vixio’s interview with the AFM about preparing for DORA here

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

Opt in to hear about webinars, events, industry and product news

To find out more about Vixio, contact us today
No items found.