As the deadline of 17 January 2025 for the Digital Operational Resilience Act (DORA) approaches, financial undertakings must intensify their efforts to meet its stringent requirements. Both the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) and the Dutch Central Bank (De Nederlandsche Bank, DNB) have highlighted the urgency and provided guidance on preparing for DORA. More recently, the AFM and DNB have published further guidance to facilitate the implementation of DORA.

AFM’s checklist for DORA compliance

The AFM has published a checklist to help financial undertakings evaluate their current status and identify gaps in their IT risk management. The AFM believes considerable effort is still required before DORA comes into effect, and the checklist is intended to help companies understand where they stand in terms of digital resilience and which steps they still need to take to comply with DORA. The AFM notes that the checklist is not exhaustive but provides initial guidance and is a useful starting point for financial undertakings.

The following questions are included in the checklist:

  1. Has the management body established a governance and control framework for the management of ICT risks?
  2. Have you established a framework for ICT risk management, as part of your company-wide risk management system?
  3. Do you have an inventory of all information assets and ICT assets, including all company processes that rely on ICT third-party service providers?
  4. Have you established an ICT security policy providing policies and procedures aimed at protecting the availability, integrity and security of ICT systems?
  5. Have you put in place an ICT Business Continuity Plan that provides for business impact analyses, a communication plan, periodic testing and a review of events?
  6. Do you have backup policies and procedures, including restoration and recovery procedures and methods?
  7. Have you established an ICT-related incident management process to detect and handle ICT-related incidents, including the use of an incident register and templates to support the notification duty?
  8. Have you established a risk-based digital operational resilience testing programme, including policies and procedures to follow up on findings?
  9. Have you adopted policies on the use of ICT services supporting critical or important functions provided by third-party service providers?

DNB’s news item regarding DORA

In its annual supervisory survey, DNB assessed the progress of DORA implementation among market participants. The findings reveal that significant work remains within the limited implementation period. DNB underscores the critical need for a comprehensive gap analysis and a clear understanding of necessary data and system modifications to ensure compliance with DORA requirements.

To ensure timely compliance with DORA, DNB advises market participants to:

  1. Conduct a gap analysis: Financial undertakings are urged to begin and complete the DORA Gap Analysis as soon as possible, if they have not already done so.
  2. Compliance program: Financial undertakings should establish a board-approved compliance program, project, or action plan with timelines, priorities, and responsibilities to address identified gaps and allocate necessary resources.
  3. Monitor progress: Market participants are encouraged to monitor the progress of their implementation plan on a regular basis.
  4. Assurance report: Market participants should obtain appropriate assurance, in the form of assurance reports, regarding their compliance with DORA.

In addition, DNB points out that DORA will be the applicable legal framework for operational resilience for in-scope financial undertakings, replacing DNB’s Good Practice on Information Security 2023. However, market participants may continue to use these good practices as a guide to prioritize measures to mitigate key risks.

For more information, please refer to the AFM’s DORA checklist and DNB’s news item on DORA.