On 31 October 2023, the Dutch Central Bank (De Nederlandsche Bank, DNB) published a news update on the readiness of market parties under its supervision for the applicability of the Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA).
DORA entered into force on 17 January 2023 and will be applicable as of 17 January 2025. DNB emphasises that despite the fact that the European supervisors are still to publish further details on certain requirements, market participants should start preparing for the implementation of DORA.
DNB lists a number of steps that market participants can take to ensure that they are ready for DORA in time:
- Ensure that they are fully compliant with the current legal framework. The current Q&A and DNB Good Practice Information Security, as well as existing guidance from the EBA and EIOPA, can be used for this purpose.
- Directors and members of the supervisory body should bring their knowledge related to ICT risk management up to a minimum level and keep it up to date.
- The ICT-related policies, processes, procedures and IT roles can be evaluated.
- A gap analysis can be prepared, together with an activity plan. The analysis and plan can be sharpened when further details are published by supervisors.
- Engage with service providers on the upcoming tightening of regulatory requirements focused on contracting, risk assessment and monitoring. Service providers will also need to tighten their practices.
- Making agreements with critical third parties on receiving adequate assurance reports for the entire critical outsourcing chain. It appears that in practice, current COS/SOC reports are not always adequate.
In addition, DNB announces that it will update its Good Practice on information security in light of DORA.
The news update is available here.