News 07/01/25

DORA update 6: What to expect with regard to DORA supervision

All financial undertakings covered by DORA must comply with the requirements in the Regulation as well as the further regulations by 17 January 2025. In this latest DORA update from the Dutch Authority for the Financial Markets (AFM), we explain what companies can expect in 2025. We will discuss our own supervision and what requests for information companies can expect to receive from the European supervisory authorities.

In order to ensure compliance with the requirements in DORA in a timely manner, it is important for companies to have already started implementing the requirements in the Regulation and the Regulatory Technical Standards and to use the templates in the Implementing Technical Standards. Although the European Commission has yet to make a decision on some parts, it is strongly recommended that companies start implementing these requirements now. These further regulations are expected to remain largely unchanged.

Supervision by the AFM

The entry into force of DORA signals the commencement of our supervisory activities. They include initiating investigations to determine whether companies meet the specified requirements, handling serious ICT incident reports and checking permit applications.

DORA reviews

The reviews we will carry out are either thematic or institution-oriented. In a thematic review, we look at several companies to see whether each of them complies with a specific aspect of the regulations. In an institution-oriented review, we request a variety of documents related to ICT security from one company.

Notifications via DORA Portal

In addition, companies must report serious ICT incidents and any agreements with ICT service providers to us. Financial undertakings will have access to the DORA page in our portal from 17 January. This will be part of the AFM Portal to which companies already have access. You are urged to check this in good time. If you do not have access to the DORA page on 17 January, it is important to report this promptly.

DORA requirements for licence applications

As part of the licence application process, we also verify whether the DORA requirements are being met. This is something we have been doing since 1 August 2024. The purpose of this was to support companies in meeting the DORA requirements in a timely manner. After 17 January, we will continue to verify the existence of certain policy documents and procedures which are mandatory under DORA for the granting of licences.

TLPT tests

Certain companies are required to perform extensive Threat-Led Penetration Testing (TLPT). Companies that are designated to perform this testing will be informed separately. AFM test managers will guide the designated companies in the preparation and execution of the tests. The further regulations on TLPT have yet to be adopted by the European Commission.

European requests for information

We also have a role in collecting and monitoring information requested by European supervisory authorities. They include the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA), collectively referred to as the European Supervisory Authorities (ESAs). An example is the register of information which must be submitted by the end of April.
