In a previous alert, we reported on a publication by the Dutch Authority for the Financial Markets (‘AFM’) calling on the financial sector to prepare for the upcoming Digital Operational Resilience Act (‘DORA’). This Insurance Regulatory Alert focuses on a recent publication by the Dutch Central Bank (‘DNB’) with a similar call.
DORA
DORA aims to improve and strengthen the ICT and cyber resilience of the financial sector. DORA contains obligations relating to ICT risk management, ICT incidents, the management of risks when outsourcing to third parties, the exchange of information, and more. Almost all regulated financial enterprises are affected by DORA, including at least Solvency II insurers and reinsurers (other than limited risk insurers). Insurance advisers and intermediaries, authorised agents and reinsurance intermediaries fall within the scope of DORA to the extent that they do not qualify as micro, small or medium-sized enterprises (as further defined in DORA).
DORA entered into force on 17 January 2023, but has an implementation period of 24 months. This means that financial enterprises subject to DORA have until 17 January 2025 to become compliant with DORA.
To date, only the so-called ‘level 1 legislation’ under DORA (consisting of a regulation and a directive) has been published in final form. The underlying ‘level 2 legislation’ (the Regulatory Technical Standards and Implementing Technical Standards) is not yet available in a final version. DNB stresses that the fact that the level 2 legislation is not yet final should not be an obstacle to starting the implementation of DORA. Although the details and further elaboration of the main obligations laid down in the level 1 legislation of DORA are contained in the level 2 legislation, according to DNB this legislation will not contain any new topics compared to the current level 1 legislation.
Practical guidance
As part of the preparation for DORA, DNB provides some practical guidance that financial enterprises affected by DORA could already apply:
- Ensure that the current legal framework on ICT management is already complied with by using existing guidance from DNB and the European supervisory authorities. For completeness, we note that DNB indicates in its publication that it will soon publish a new version of the ‘Good Practice Information Security’.
- Bring the level of knowledge of directors and internal supervisors regarding ICT risk management to at least a minimum level, and keep it up to date.
- Evaluate the current level of knowledge of directors and internal supervisors regarding ICT risk management, as well as evaluate already existing ICT-related documentation and processes.
- Conduct a gap analysis (comparing already existing and new obligations) based on the DORA level 1 legislation with an activity plan. This gap analysis can later be refined based on the final lower DORA legislation.
- Engage with ICT service providers on tightening legal requirements for contracting, risk assessment and monitoring.
- Agree with ICT service providers whose services are critical to financial services (so-called ‘critical third-party providers of ICT services’) on obtaining adequate so-called ‘assurance’ reports covering the entire outsourcing chain.
DNB's publication can be found here.
Contact
If you want to know how your company can prepare for DORA, please reach out to us. We would be happy to assist you.