Go to content
News 20/12/24

PTFs prioritise IT security, extra steps needed for DORA

Proprietary trading firms (PTFs) are mindful of the importance of information security, but often not all the relevant parts of the Digital Operational Resilience Act (DORA) have yet been identified, analysed and implemented. The Dutch Authority for the Financial Markets (AFM) has conducted an exploratory survey among several PTFs to gauge their preparations for DORA and shares the points of attention in a report. PTFs as well as other institutions can use this report to facilitate their further implementation of the requirements of DORA, which will come into effect on 17 January 2025. 

In short

  • Important steps still needed for DORA implementation
  • AFM shares recommendations: gap analysis, classification and outsourcing
  • Attention to register of information, request in February
  • Recommendations also relevant for other financial institutions 

Important steps still needed for DORA implementation

Based on the documentation and interviews with a limited number of PTFs, the conclusion is that the extent to which institutions are ready for DORA as of 17 January 2025 varies greatly. A number of parties have recently started implementing the DORA requirements within their organisation and it seems unlikely that they will be DORA compliant by 17 January. Other parties are further along, but the question is whether they will be fully compliant with all of DORA's specific requirements by this date.

AFM shares recommendations: gap analysis, classification and outsourcing

Based on the points of attention given, the AFM has the following recommendations:
  • Perform a full gap analysis
    Institutions that have yet to do so are advised to conduct a full gap analysis on all Regulatory Technical Standards as soon as possible and to take action on identified areas for improvement.
  • Classification of ICT supported business functions and ICT assets
    Weigh all information security criteria (availability, integrity, confidentiality and authenticity) when classifying the ICT supported business functions and the information and ICT assets.
  • Consider internal outsourcing as external outsourcing
    Under DORA, the same requirements apply to internal outsourcing as to external outsourcing. This means that agreements must also be made for these outsourcing activities that cover all internal ICT services purchased. For these agreements, there must be a 'demonstrable effect'.

Attention to register of information, request in February

In addition to the recommendations arising from the survey, the AFM draws attention to the register of information. After DORA enters into force on 17 January 2025, the register of infomation will be the first to be requested from the market parties. We will send an information request for this in February 2025.

Recommendations also relevant for other financial institutions

Although the survey was conducted among a limited number of PTFs, the recommendations are more broadly relevant. Other financial institutions covered by DORA can also use the recommendations to evaluate their preparations and take action where necessary.

Tags

Information for AIFM and collective investment schemes Investment firms

More information

DORA Pilot Proprietary Traders (pdf, 210 kB)
Webpage on DORA

Contact for this article

AFM

Would you like to receive the latest news from AFM?

Subscribe to our newsletter, we will keep you up-to-date.

Read more