2026-03-31
The Dutch Financial Markets Authority (AFM) requires accountancy organisations to implement a robust, future-proof information security framework to mitigate vulnerabilities exposed by recent digital incidents and data breaches. The regulator emphasises that organisations must maintain up-to-date ICT risk registers, conduct comprehensive continuity and configuration management tests, and establish structured supplier and incident management processes. IT risk control will remain a regulatory priority in the coming years, with the AFM urging all firms to proactively strengthen their digital resilience and risk management maturity.
Digital incidents, such as data breaches, demonstrate how vulnerable organisations can be. It is therefore important for accountancy organisations to do everything possible to further strengthen their information security. Based on insights gained from OOB accountancy organisations, the AFM emphasises the importance of robust information security and shares insights that will also help regular license holders further strengthen their risk management.
In short
Data breaches show how vulnerable organisations can be
An appropriate information security framework strengthens digital resilience and prevents the 'hacker as a wake-up call'
AFM shares tools to strengthen information security
IT risk control remains a priority in the coming years
Data breaches show how vulnerable organisations can be
Digital incidents at large organisations – such as recent data breaches – demonstrate how vulnerable organisations can be. The impact often extends beyond the affected company to (sub)suppliers, clients, and sometimes even financial markets. For accountancy organisations, which work with sensitive client and transaction data and rely on digital systems, future-proof information security is therefore essential. A solid foundation of information security and risk management helps prevent incidents and enables faster recovery when they do occur.
An appropriate information security framework strengthens digital resilience and prevents the 'hacker as a wake-up call'
Many incidents arise from human error, inadequate monitoring, or unclear responsibilities. A robust risk management framework provides guidance to structure information security in a future-proof manner and prevent the 'hacker as a wake-up call'. De Nederlandsche Bank's Good Practice Information Security is an example of a sound risk management framework that promotes coherence, risk awareness, and continuous improvement. This is useful for all accountancy organisations, as it provides guidance on a proportional and coherent approach to information security risks. Furthermore, it includes an information security self-assessment that directly reveals maturity levels.
AFM shares tools to strengthen information security
Based on insights gained from OOB accountancy organisations, we also share the following points for improvement, which will help regular license holders further strengthen their risk management.
ICT risk management: work with a current and cyclical process
Keep risk registers up to date and complete regarding internal and external threat landscapes.
Document risk decisions and monitor follow-up actions.
Ensure risks remain within the risk appetite.
Continuity management: test assumptions and test broadly
Regularly update business impact analyses.
Test not only IT recovery, but the entire chain.
Systematically incorporate 'lessons learned' into plans and reports.
Configuration management: clearly map dependencies
Ensure a complete overview of information systems, API connections, assets, and relationships.
Make it clear which processes are affected by disruptions.
Supplier management: monitor structurally and risk-based
Work with formal onboarding and evaluation processes.
Include sub-suppliers in risk assessments.
Incident management: learn and improve structurally
Clearly define what constitutes an incident.
Conduct post-incident analyses as standard.
Document improvement actions and ensure follow-up.
IT risk control remains a priority in the coming years
An information security framework is only effective when it demonstrably works. Therefore, we ask all accountancy organisations to pay extra attention to a secure, future-proof control environment. The AFM will continue to engage with the sector on this matter and provide support where possible. In the coming years, IT risk control will remain a priority for the AFM.