Companies have until 17 January 2025 to comply with the requirements of the Digital Operational Resilience Act (DORA) and its related regulations. The European Commission and supervisory authorities, including the AFM, have confirmed that in-scope companies will be supervised as of that date (or shortly after). In its latest update of 7 January 2025, the AFM explains what companies can expect from the AFM and the other European supervisory authorities in terms of supervision of DORA compliance.
In this blog, we will highlight the most important topics of supervision and some related practical matters.
DORA aims to increase digital resilience in the financial sector and to mitigate the risks associated with outsourcing to third-party service providers. To that end, DORA sets requirements in areas such as IT risk management, IT incidents, periodic testing of digital resilience and the control of risks arising from outsourcing to critical third-party providers.
DORA has a broad scope and applies to most of the regulated financial institutions in the European Union, including inter alia banks, insurance companies and intermediaries, PSPs/EMIs, investment firms, pension funds, crypto-asset service providers, crowdfunding service providers, fund managers and ICT third-party service providers.
Compliance and supervision
In order to ensure timely compliance, it is important to complete the implementation of the DORA requirements as soon as possible. 17 January 2025 marks the commencement of supervision by the AFM and the European supervisory authorities (EIOPA, ESMA and EBA, together the ESAs). In its latest update (the last edition in a series of publications), the AFM provides an outlook on the supervisory investigations that companies mainly subject to AFM supervision can expect in the coming year (see the outlook here: DORA update 6). The supervisory investigations will largely focus on assessing DORA compliance (including the register of information), the handling of major ICT-related incidents and license applications.
We further outline the most relevant supervisory activities below:
- Register of information: the first data request that in-scope companies can expect concerns the register of information. The deadline for the first submission of registers of information by the national supervisory authorities to the ESAs is 30 April 2025. The AFM urges companies to ensure that all mandatory fields are included and complete, so that the register of information can be shared in a timely manner.
- Notifications via the DORA portal: in-scope companies must report major ICT-related incidents (as further discussed below) and agreements with ICT service providers to the AFM within a set timeframe. For that purpose, the AFM has developed a separate DORA portal, accessible via the AFM portal from 17 January 2025. In-scope companies that do not have access to the DORA portal on 17 January should inform the AFM promptly.
- DORA reviews: to determine whether in-scope companies are compliant with the DORA requirements, the AFM plans to conduct thematic reviews as well as institution-specific reviews in 2025.
- Reporting: another aspect of the AFM's supervision concerns ICT-related incident reports. Once a major ICT-related incident has occurred, in-scope companies must submit an initial notification via the DORA portal within 4 hours from the moment the incident is classified as major. An intermediate report and a final report must also be submitted to the AFM within 72 hours and 1 month, respectively, of the classification of the incident. The AFM will assess the completeness of these reports and request additional information if a report is deemed incomplete.
- License applications: as part of the license application process, the AFM will verify whether in-scope companies comply with the DORA requirements. The AFM will assess, inter alia, whether the mandatory policies and procedures are in place. As part of the license process, directors will be evaluated on their knowledge and skills in understanding and assessing ICT risks, as required under DORA.
- TLPT tests: certain companies are required to perform extensive Threat-Led Penetration Testing (TLPT) under DORA. Once the Regulatory Technical Standards on TLPT are approved by the European Commission, the AFM will separately inform the companies designated to perform this testing.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.