AFM draws attention to preparation for DORA
On 20 July 2023, the Dutch Authority for the Financial Markets (‘AFM’) issued a publication with the aim of preparing the financial sector for the arrival of the Digital Operational Resilience Act (‘DORA’).
DORA concerns a package of European legislation consisting of, inter alia, Regulation (EU) 2022/2554 (the ‘Regulation’) which aims to improve and strengthen the ICT and cyber resilience of the financial sector. As a result of increasing digitalisation, financial enterprises are becoming increasingly dependent on ICT services. Disruptions in the ICT chain may lead to problems in continuity and business operations, which in turn may create risks with regard to consumer protection and financial stability, among others. Up to now, the legal framework for ICT and cyber protection has mainly been established at a sectoral level and, as a result, has been fragmented. Therefore, DORA was adopted at a European level.
The Regulation will apply from 17 January 2025. To prepare the financial sector for DORA, the AFM has issued the publication ‘Well prepared for the arrival of DORA’ (the ‘Publication’). The Publication is the first edition of a collection that explains the substantive aspects of DORA.
Almost all regulated financial enterprises are affected by DORA, including at least Solvency II insurers and reinsurers. Insurance advisers and intermediaries, authorised agents and reinsurance intermediaries are only covered by the scope of DORA to the extent that they do not qualify as micro, small or medium-sized enterprises. In summary, this means that DORA does not apply to such an intermediary if it has fewer than 250 employees and either an annual turnover of no more than €50 million or an annual balance sheet total of no more than €43 million (the EU definition of an SME).
DORA contains a variety of obligations relating to ICT services, which DORA defines as digital and data services provided on a continuous basis via ICT systems to one or more internal or external users, including hardware and software services, excluding traditional analogue telephone services. In short, almost all conceivable digital and data services will be covered by the scope of DORA. The Regulation requires institutions falling within the scope of DORA to take risk-based measures in the context of, inter alia:
- ICT risk management;
- ICT-related incidents;
- Testing of digital operational resilience;
- Managing ICT risk from third-party providers.
DORA also provides minimum requirements for outsourcing agreements entered into by financial enterprises with ICT service providers.
A major part of DORA obligations is still being worked out in more detail through Regulatory Technical Standards (‘RTS’) and Implementing Technical Standards (‘ITS’). For each section, the Publication contains an overview of when these RTS and ITS will be submitted to the European Commission for adoption. In addition, for each of the main topics mentioned above, the Publication contains guidance that should enable financial enterprises to analyse where they stand on cybersecurity and what steps they still need to take to comply with the Regulation's obligations.