The Dutch Authority for the Financial Markets (AFM) has said that some firms it supervises have a lot of work to do to prepare for the EU’s Digital Operational Resilience Act (DORA).
Firms have until January 17, 2025 to comply with DORA, and the race is undoubtedly on to get compliant.
DORA is a huge piece of regulation that stretches across the financial services sector, including pension funds, large banks, payments and e-money firms, and crypto-asset service providers.
Compliance expectations do not differ between industries: small e-money institutions face the same expectations as well-resourced, too-big-to-fail credit institutions.
During an interview with Vixio, a spokesperson for the Dutch AFM said that readiness for the mammoth regulation varies among the firms it supervises.
They acknowledged that some firms demonstrate maturity in ICT risk management and that, overall, the regulator observes ongoing efforts among firms to align their current risk management practices with DORA's specific requirements.
“On the other hand, we also see firms that really need to speed up their efforts in order to become timely compliant,” the spokesperson cautioned.
Like other EU member states, the Netherlands has been preparing for the new DORA rules throughout 2023 and 2024.
In May, the Dutch Ministry of Finance began a public consultation on its draft implementation decision for the regulation.
The AFM, meanwhile, released guidance for applying DORA in March, aiming to assist financial entities in preparing for its 2025 implementation.
Addressing ICT risk
The regulator’s guidance emphasises, for example, ICT risk management, business continuity and employee training in ICT security and digital resilience.
“The digitalisation of the financial sector and the provision of products and services via online platforms are steadily growing,” said the AFM spokesperson. “As a result, the financial sector is becoming ever more dependent on IT in the provision of its services. IT risks such as cyber-attacks are therefore also increasing.”
The spokesperson pointed out that cyber-attacks can slow down or even shut down the provision of financial services. “That is why it is important that financial service providers take sufficient measures to be digitally resilient.”
“In general, there is an imbalance between the increasing IT threat and the development of this resilience,” the spokesperson said, talking up the opportunity DORA presents to improve this standard.
The AFM spokesperson told Vixio that firms need to clarify where they stand in terms of digital resilience and what steps they still need to take to comply with DORA requirements.
“Then the identified gaps need to be converted into an action plan,” they added. “This includes, among other things, adapting internal policies and procedures, strengthening IT risk control measures and evaluating contracts with third-party providers.”
Some areas require more attention than others
When it comes to payments firms, the Dutch authorities said that overall they felt that there was a mix of new and already existing requirements for compliance teams to adjust to with DORA.
For example, a spokesperson for the Dutch Central Bank (DNB) told Vixio that there are familiar elements, such as an ICT risk management framework, IT risk control, incident management, major incident reporting under PSD2, and cybersecurity testing, that should already be in place, easing the transition.
However, they also pointed out that there are new requirements, including establishing a detailed register of information documenting the entire outsourcing chain and dependency on third-party ICT service providers.
“Third-party risk management in itself is not new, but there will be more obligations regarding the chain of outsourcing, and dependency on third-party ICT service providers,” the DNB spokesperson said.
In spite of the new compliance requirements, which will need to be fed into firms’ day-to-day work, the AFM spokesperson was positive about the impact that DORA will have on financial services in the Netherlands and further afield in the EU.
“The regulation brings further harmonisation of IT requirements for the financial sector to ensure resilience against cyber threats,” they said. “Improving digital resilience will reduce the potential impact on the provision of digital financial services.”
According to the spokesperson, this will also increase customer confidence in the quality and security of these digital services. “In the longer term, this can further promote digital innovation in the financial sector.”
They added that two additional effects may contribute to the resilience of financial firms. “First, DORA is intended to improve the security of the supply chain, as it also includes a framework that will apply to the most critical ICT service providers for the financial sector.”
The second effect the spokesperson noted is that the regulation also has provisions on information exchanges, enabling financial firms to exchange information and intelligence on cyber threats and thereby further limit the risks.
Firms have until July 1 to respond to the Dutch Ministry of Finance’s consultation on DORA.