On 1 March 2023, the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) published the results of an exploratory investigation into IT incident management in the capital markets. The AFM carried out this study in relation to eight trading venue operators and proprietary traders based on a self-assessment and IT incident notifications reported to the AFM.

The AFM finds that all firms in the study had procedures and  processes in place to identify, document and manage IT-related events and that all firms were aware of their legal obligation to notify IT-related incidents to the AFM. In the study, the AFM provides an overview of controls that firms can implement to improve their IT incident management, examples of which are a security event response plan, a root cause analysis or key performance indicators that can measure the effectiveness of incident management.

In 2025, the Digital Operational Resilience Act (DORA) will enter into force. DORA provides for a harmonised and comprehensive regulatory framework for digital operational resilience for financial institutions. It is expected to have a significant impact on the financial institutions that are in scope of the regulation. The AFM notes that the incident management processes of the firms in the study do not yet meet the DORA requirements. The AFM calls on trading platforms and propriety traders to implement a DORA compliance programme in a timely manner to ensure compliance by the time DORA becomes applicable.

Please find further information on DORA in our guide ‘Digital Operational Resilience for the Financial Sector (DORA): 10 things to know’, which is available here.