2025-01-07

DORA Update 6: Outlook 2025

The Dutch Authority for the Financial Markets (AFM) issues its final DORA update to outline supervisory expectations and practical requirements for financial entities effective January 17, 2025. The document mandates the immediate preparation of the register of information and the reporting of serious ICT incidents within strict deadlines, while detailing the AFM's shift to ongoing supervision through targeted investigations and portal-based reporting. It further explains the upcoming Threat-Led Penetration Testing (TLPT) regime and the assessment of ICT risk knowledge for directors during licensing procedures.


Netherlands

Autoriteit Financiele Markten


DORA UPDATE 6

JANUARY 2025

1. Introduction

DORA aims to ensure that financial entities better manage ICT risks and thereby become more resilient against cyber threats and ICT disruptions. To this end, the regulation describes various requirements in the field of ICT. To comply with DORA by January 17, 2025, it is important to complete the implementation of the DORA requirements as soon as possible.

DORA becomes applicable on January 17, 2025. At that time, all financial entities falling under DORA must comply with the requirements in the regulation and the further legislation. In previous editions, we have highlighted a specific part of DORA and discussed what is expected of entities. We want to use this last edition to explain what entities can expect in 2025. Here, we will explain how the AFM will supervise DORA and what information requests entities can expect from the European supervisors (EIOPA, ESMA, and EBA – collectively the ESAs). Additionally, in this edition, we will discuss a number of practical matters, such as the manner in which entities must provide information to the AFM.

Over the past year, the ESAs have been working on the development of the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). The RTS and ITS are divided into two batches and have all been submitted to the European Commission, which takes the final decision on whether or not to adopt this further legislation. The RTS and ITS in the first batch have already been adopted and are therefore final. Part of this first batch was the ITS for the register of information, which was recently adopted by the European Commission. No decision has yet been taken by the European Commission regarding the RTS and ITS in the second batch. However, it is expected that these will remain largely the same.

To comply with the requirements in DORA in a timely manner, it is important that entities have already started implementing the requirements in the regulation and the RTS and are using the templates in the ITS. Since the further legislation will remain largely the same, entities can already start working on the implementation of these requirements. Entities that wait for the decision of the European Commission before starting implementation will most likely not comply with the DORA requirements in time.

DORA Outlook: What to expect in the coming year

In short: This is the last edition in a series of AFM publications on the Digital Operational Resilience Act (DORA). This series is intended for all entities that must comply with the European regulation from 2025. In this edition, we look at the expectations for 2025. We also pause to discuss a number of practical matters.


2. Outlook 2025

2.1 What can you expect in 2025

Entities can already start working on:

  • Filling in the register of information;
  • Setting up processes to report incidents.

When DORA becomes applicable, national supervisors will begin their supervisory activities for DORA. This includes setting up investigations to determine whether entities comply with the requirements, as well as collecting and verifying the information requested by the ESAs.

Register of Information

The first request that entities will face in 2025 is the register of information. The national supervisors must submit the register of information to the ESAs no later than April 30, 2025. To be able to submit the registers to the ESAs in time, the AFM will send an information request to all entities holding a license with the AFM and falling under DORA shortly after DORA becomes applicable. To be able to share the register in time, entities must already be working on drawing it up.

The AFM and DNB will request the full register of information from entities on an annual basis. The AFM and DNB will then check the registers of information for completeness before forwarding them to the ESAs. If fields are missing or not filled in, the register cannot be shared with the ESAs, and the entity must share the full register of information with the supervisor again. It is therefore important to check whether the register is complete before sharing it with the AFM or DNB.

Based on the information from the registers, the ESAs will designate the ICT service providers considered critical for the financial sector. In designating critical ICT service providers, the ESAs look at the (systemic) effect on the stability, continuity, and quality of financial services in the event of a serious disruption at the ICT service provider. Additionally, when determining critical ICT service providers, the ESAs look at the importance of the financial entities for the sector that depend on the third-party ICT service provider. Finally, account is taken of the extent to which financial entities depend on the ICT services and the substitutability of the third-party ICT service provider.

The ESAs will supervise the designated critical ICT service providers themselves. Chapter 5, Section 2 (Articles 31-44) of the regulation describes, among other things, the tasks and powers of the ESAs that will supervise these critical ICT service providers, and how oversight of these providers is to be exercised.

ICT-related incidents

Another obligation for entities is the reporting of serious ICT-related incidents (referred to in DORA as major ICT-related incidents). When an ICT-related incident has occurred, entities must determine, based on the classification criteria [1], whether it qualifies as a serious ICT incident. Once an entity has classified an incident as serious, it must report this to the relevant supervisor (AFM or DNB) within 4 hours of that classification. Based on the initial notification and the follow-up reports, the (European) supervisor can determine whether the incident affects the entire sector and whether additional measures must be taken. Additionally, entities can voluntarily report significant cyber threats.


TLPT

Some entities will be designated for threat-led penetration testing (TLPT). For these entities, in addition to the above obligations, there are additional requirements regarding the testing of digital operational resilience. Entities only need to comply with these requirements when they are informed of this by the supervisor via a designation letter. Once the RTS for TLPT is approved by the European Commission, the AFM will contact the entities designated for TLPT. In consultation with the entity, the timing of the test will be planned.

2.2 What will the AFM do?

Entities can already start working on:

  • Checking access to the DORA portal.

Like many entities, the AFM has spent the past two and a half years preparing for the arrival of DORA. A large part of this program consisted of preparing the sector for DORA. Think here of various publications (such as the DORA updates), conversations with entities during seminars, and one-on-one conversations with entities.

Additionally, the AFM has prepared internally for supervision of DORA. For example, a DORA portal has been developed where entities can submit reports to the AFM, and a lot of time has been spent preparing our supervisors for DORA. In the first quarter of 2025, the DORA program at the AFM will be completed. From that moment, the AFM will move to ongoing DORA supervision. Our supervisory activities will from that point on consist largely of conducting investigations, handling ICT incidents, processing the register of information, and assessing license applications.

DORA Investigations

To determine whether entities comply with the requirements, both thematic investigations and entity-specific investigations will be conducted. In a thematic investigation, a number of entities are selected, and the focus is on a subject from DORA. This could be, for example, an investigation into business continuity management or checking contracts with ICT service providers.

During an entity-specific investigation, only one entity is selected, and documents are requested relating to a part of DORA (for example, ICT risk management or testing digital operational resilience). This type of investigation can vary per entity. In both cases, the starting point remains that supervision will be risk-based and proportional. This means that the AFM will deploy supervisory capacity where the greatest risks are expected.

Reports

A second part of our DORA supervision is the handling of ICT incident reports. When a serious ICT-related incident has occurred, entities must share an initial notification via the DORA portal within 4 hours after the classification of the incident. Additionally, an interim report and a final report must be shared with the AFM within 72 hours and 1 month respectively after the classification of the incident.

The AFM will look at the completeness of the incident report when assessing these reports. Additionally, it is assessed whether the incident (and its impact) is sufficiently described in the report. If this is not the case, the AFM will request additional information to ascertain this. In addition to reports for serious ICT-related incidents, financial entities can voluntarily report cyber threats. Both types of reports will mainly be used to determine whether ICT incidents have occurred or cyber threats are active that can have an impact on the financial sector.
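The three reporting deadlines above are the kind of clock a SOC or incident-management tool has to track per incident. The following is an added illustration written for this page (not AFM code and not an official calculation): it derives the deadlines from the classification timestamp using the offsets this update states (4 hours, 72 hours, 1 month, all counted from classification), treats "1 month" as a calendar month rather than 30 days, and reports per stage whether a submission was on time, late, still open or overdue. The sample incident and submission times are constructed; the precise reference points for the intermediate and final reports should be checked against the reporting RTS and ITS and the offsets adjusted if they differ.

```python
"""Deadline tracker for the DORA incident-reporting stages (illustrative, not AFM code).

Stage offsets follow this update: initial notification after 4 hours, intermediate
report after 72 hours, final report after 1 month; all counted from classification.
Adjust `reporting_deadlines` if the reporting RTS/ITS fix different reference points.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def add_calendar_month(t: datetime) -> datetime:
    """Return t plus one calendar month, clamping the day to the target month's
    length (31 Jan -> 28/29 Feb) instead of assuming a month is 30 days."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: datetime) -> dict[str, datetime]:
    """Compute the three stage deadlines from the classification timestamp.
    A timezone-aware timestamp is required so windows crossing a DST change stay exact."""
    if classified_at.tzinfo is None:
        raise ValueError("classification time must be timezone-aware")
    return {
        "initial_notification": classified_at + timedelta(hours=4),
        "intermediate_report": classified_at + timedelta(hours=72),
        "final_report": add_calendar_month(classified_at),
    }


@dataclass(frozen=True)
class Stage:
    name: str
    deadline: datetime
    submitted_at: datetime | None = None

    def status(self, now: datetime) -> str:
        """submitted / late when a submission exists; open / overdue when it does not."""
        if self.submitted_at is not None:
            return "late" if self.submitted_at > self.deadline else "submitted"
        return "overdue" if now > self.deadline else "open"


def stage_statuses(classified_at: datetime,
                   submissions: dict[str, datetime],
                   now: datetime) -> dict[str, str]:
    """Map each reporting stage to its status at time `now`, given the
    submissions made so far (keyed by stage name)."""
    deadlines = reporting_deadlines(classified_at)
    return {name: Stage(name, dl, submissions.get(name)).status(now)
            for name, dl in deadlines.items()}


if __name__ == "__main__":
    # Constructed sample: incident classified as serious on 31 Jan 2025 at 22:15 UTC,
    # initial notification filed at 01:00 the next day, nothing else filed yet.
    classified = datetime(2025, 1, 31, 22, 15, tzinfo=timezone.utc)
    submitted = {"initial_notification": datetime(2025, 2, 1, 1, 0, tzinfo=timezone.utc)}
    now = datetime(2025, 2, 4, 9, 0, tzinfo=timezone.utc)
    for name, dl in reporting_deadlines(classified).items():
        print(f"{name:22s} due {dl.isoformat()}")
    print(stage_statuses(classified, submitted, now))
```

Note that with a 31 January classification the final-report deadline lands on 28 February, which is what the calendar-month clamp is for; a naive "+30 days" would give 2 March and silently extend the window.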


New contracts with ICT service providers must also be reported to the AFM. These can be reported in the DORA portal, just like ICT incidents and cyber threats. When reporting a contract with an ICT service provider, entities can choose whether it concerns a new contract or if an existing contract has become important or critical for the function this ICT service supports. Depending on this choice, information will be requested regarding the type of ICT service being outsourced or the function that has become important or critical. Just like with serious ICT incidents, the AFM will assess the report and request extra information if necessary.

Financial institutions falling under DORA and holding a license with the AFM will gain access to the DORA page in the AFM portal from January 17, 2025. This will be part of the AFM portal to which entities already have access. If you do not have access to the DORA page on January 17, 2025, it is important to report this in time so that you can submit the mandatory reports in this portal.

License Applications

For entities that will fall under DORA, the AFM has been assessing compliance with a number of DORA requirements during the license application process since August 1, 2024. The goal of this is to help entities obtaining a license in the lead-up to January 2025 comply with the DORA requirements in time. During the license application, attention is paid, among other things, to the existence of certain policy documents and procedures that are mandatory under DORA. After January 17, 2025, the AFM will continue to assess these requirements during license applications. It can therefore help to look at which DORA requirements the entity must comply with before submitting the license application.

During the license application, directors are tested on their level of knowledge and skills to understand and assess ICT risks. DORA expects directors to possess this knowledge and skills themselves and to regularly follow training that enables them to adequately manage ICT risks.

TLPT

The entities designated for TLPT will receive a message from the AFM, after the adoption of the TLPT RTS by the European Commission, that they must perform a mandatory TLPT. Subsequently, the test managers of the AFM, in consultation with the entity, determine in which period this test must be carried out.

The test managers accompany the entity during the preparation and execution of the test activities to ensure that the test meets the requirements in the regulation and the RTS. All reports that must be shared with the test managers as part of the test must be submitted in the DORA portal. After the successful completion of the test, the entity receives an attestation, which demonstrates that the requirements regarding TLPT have been met.


3. Outlook

This was the last edition in the series of DORA updates from the AFM. In the coming period, the last RTS and ITS will be assessed by the European Commission. For more information on developments in legislation and regulation, you can consult the DORA page on the AFM website. Additionally, you can monitor developments on the websites of the ESAs:

  • Digital Operational Resilience Act (DORA) - AFM
  • Digital Operational Resilience Act (DORA) - EBA
  • Digital Operational Resilience Act (DORA) - EIOPA
  • Digital Operational Resilience Act (DORA) - ESMA

Further questions? Contact the AFM's business desk.


1 See the RTS for classifying ICT-related incidents (Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS))