On 7 March 2024, the Netherlands Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) published its third update on the European Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA). This update focuses on the requirements concerning the ICT risk management framework.

DORA is a European regulation that aims to ensure that financial entities have better control over ICT risks, making them more resilient to cyber threats and ICT disruptions. To this end, DORA establishes a harmonised EU-level framework for digital operational resilience for the financial sector by, among other things, requiring financial entities to have in place a sound, comprehensive and well-documented ICT risk management framework.

In its third update, the AFM urges financial organisations to begin (1) creating a framework for ICT risks, and (2) evaluating their compliance with DORA’s requirements for managing business continuity. The AFM also addresses the simplified ICT risk management framework which will apply to various exempted financial entities.