Introduction

The Dutch Authority for the Financial Markets (AFM) has submitted its sixth DORA update explaining what to expect in 2025. The AFM stresses that it is important to complete the implementation of DORA’s requirements as soon as possible to be DORA-compliant by this Friday: 17 January 2025.

What to expect in 2025?

Once DORA enters into force, national supervisory authorities will start their supervisory activities. This will include establishing reviews to determine whether financial institutions are complying with the requirements, as well as collecting and verifying information requested by the European Supervisory Authorities (ESAs, meaning EIOPA, ESMA and EBA).

  1. Register of information

The first data request that firms can expect in 2025 concerns the register of information. The deadline for the first submission of registers of information by the AFM and DNB to the ESAs is set for 30 April 2025. To ensure timely submission of the registers to the ESAs, soon after DORA enters into force the AFM will send a request for information to all organisations with an AFM licence that are subject to DORA. Firms should therefore already be preparing their register of information so that they can share it in a timely manner.

After this initial request, the AFM and DNB will request the register of information from firms each year. The AFM and DNB will then verify that all the fields in the registers of information are complete before forwarding the registers to the ESAs.

Based on the information from the registers, the ESAs will designate ICT third-party service providers that are considered critical for the financial sector. The ESAs will supervise these designated critical ICT third-party service providers.

  2. ICT-related incidents

Firms are also obliged to report major ICT-related incidents. When an ICT-related incident has occurred, firms must determine, on the basis of the classification criteria, whether it qualifies as a major ICT-related incident. For the classification of ICT-related incidents, see the relevant Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

Once a firm determines that a major ICT-related incident has occurred, it must notify the relevant supervisory authority (AFM or DNB) within 4 hours from the moment the incident is classified as major. In addition, an intermediate report and a final report must be submitted to the AFM within 72 hours and 1 month, respectively, of the classification of the incident.

The AFM will assess the completeness of the incident report when analysing these reports. It will also assess whether the incident, and its impact, are adequately described in the report. Where this is not the case, the AFM will seek additional information to determine these facts. In addition to major ICT-related incident reporting, financial undertakings may also, on a voluntary basis, notify cyber threats. Both types of reports will mainly be used to determine whether ICT-related incidents have occurred or there are active cyber threats that impact, or could potentially impact, the financial sector.

  3. TLPT

A number of firms will be identified for threat-led penetration testing (TLPT). Firms only have to comply with these requirements if notified by the supervisory authority by means of a designation letter. Once the RTS for TLPT is approved by the European Commission, the AFM will contact the firms identified for TLPT. The timing of the test will be scheduled in consultation with the relevant firm.

The test managers of the AFM will assist the firm during the preparation and execution phases of the test to ensure that the test complies with the requirements in the Regulation and the RTS. After (successful) completion of the test, the firm receives a certificate, which can be used to demonstrate compliance with the requirements related to TLPT.