The Digital Operational Resilience Act (DORA) came into force on Jan. 17, 2025. This EU regulation harmonizes the requirements for ICT risk management within the financial sector, with the aim of increasing digital resilience. De Nederlandsche Bank (DNB) and the Financial Markets Authority (AFM) monitor compliance with DORA and can take enforcement action. With the arrival of DORA, the DNB Good Practice Information Security 2023 (DNB GP IB) will cease to be the primary supervisory framework, as the requirements in DORA now take precedence for supervision. The AFM has not provided an update on its 'Principles for Information Security' (2019), although it too has indicated that the legal requirements take precedence.
At BDO, we have supported several clients in the preparation and implementation of the DORA regulation, in both advisory and review roles (1st, 2nd and 3rd line). We see that the implementation is important from a proportionality point of view, but also complex due to the many rules. DORA is predominantly rule-based. Taking into account the size, risk profile, nature, scale and complexity of the operation is crucial. For example, the number of ICT service providers that do or do not support a critical or important function is very much a determinant of complexity. We see that organizations take varying approaches to the requirements and to proportionality in implementation: some institutions are comprehensive in the elaboration of policies, plans and registers, where others tailor things to their risk profile and make clear risk-based choices therein.
The financial sector is actively working on DORA. Policy adjustments have mostly been made, but the information register and insight into dependencies and outsourcing chains of ICT service providers are still work in progress. In addition, many institutions are still in the process of concluding (amended) contracts with ICT service providers, including agreements on information security, continuity, testing, monitoring, and exit plans.
Several institutions have already received an oversight calendar. One of the first concrete steps is the delivery of the information register no later than April 23, 2025. This register must be submitted to the European regulator through the AFM or DNB by the end of April. The DNB has made an alternative delivery method available to support the delivery, which must otherwise be done in the xBRL-CSV format by default. Any potential re-reporting should be submitted to the DNB no later than May 28.
Across the board, we see that institutions are still working on finalizing additional agreements with ICT service providers in the coming period, fleshing out exit plans with critical or key ICT service providers, and securing DORA as part of the IT control framework. Thereafter, further efforts should be made on the (ongoing) implementation of the DORA requirements, including:

- Periodically reviewing relevant policy documents;
- Training the board and implementing awareness programs;
- Testing digital resilience and appropriate follow-up on results;
- Testing ICT continuity measures, including backups;
- Monitoring compliance with (information security) requirements among ICT service providers;
- Conducting internal audits on the framework of ICT risk management, ICT continuity response and recovery plans, and risk management at/by ICT service providers.
