On 1 December 2023, the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) published its second publication on the Digital Operational Resilience Act (Regulation (EU) 2022/2554, the DORA). The publication focuses on the management of information, communication and technology (ICT) risks for third-party providers and aims to enable in-scope financial institutions to analyse their current readiness with DORA in these areas and assess what further steps they need to take to comply.

DORA is a European regulation that aims to ensure that financial institutions have better control over ICT risks, making them more resilient to cyber threats and ICT disruptions. To that end, DORA sets out harmonised EU-level framework for digital operational resilience for the financial sector by harmonising the rules on, among other things, ICT third-party risk management.

In the publication the AFM is calling on financial institutions to prepare:

  1. The ICT-risk management framework: Financial institution should explicitly assess and address the ICT risks arising from the use of ICT third-party services. The AFM emphasizes that this risk assessment is not an isolated exercise, but should be part of an organization-wide ICT risk management framework.
  2. Strategy for managing ICT risk for third-parties: Financial institutions should develop a third-party risk management strategy that regularly reviews the risks of outsourcing critical services. Micro-enterprises are exempt from the requirement to develop such a strategy.
  3. The register of information: Financial institutions should start setting up the register of information where all contractual arrangements for the provision of ICT services must be recorded. The AFM emphasizes that financial institutions should also include in the register whether the services purchased support critical or important functions.
  4. Exit strategy: Financial institutions should begin developing an exit strategy for third-party ICT service providers that support critical or important functions. This exit strategy should consider any risks that may occur on the part of the service provider, such as disruption in provision, deterioration in quality or (early) termination of the agreement.
  5. Contractual provisions: Financial institutions should analyse whether their existing contractual arrangements are in line with DORA’s rules on important contractual provisions.

The AFM is currently preparing its supervision for compliance with DORA. The next set of publications on DORA will cover certain aspects of the regulation in greater depth, and the next issue will be published in Q1 2024.