DORA Supervision: A Closer Look at What’s Coming in 2025
January 17, 2025, marks the day the Digital Operational Resilience Act (DORA) stops being a talking point and becomes a reality. While financial institutions across Europe have been gearing up for this moment, the Dutch Authority for the Financial Markets (AFM) has outlined its plans for supervision and what firms can expect in the year ahead. If you haven’t started implementing DORA’s requirements yet, you’re already behind.
For financial undertakings, the AFM’s role in DORA’s rollout means one thing—scrutiny. Supervision will focus on whether firms are ready to handle operational resilience as more than just a regulatory checkbox. The AFM plans to dive into:
- Thematic Reviews: Zooming in on specific DORA requirements across multiple firms to assess trends and weaknesses.
- Institution-Oriented Reviews: A deep dive into individual organizations, including a review of ICT security-related documents and procedures.
This isn’t about catching firms off guard—it’s about ensuring resilience is baked into their operations. But make no mistake, the reviews will demand thorough preparation and airtight compliance.
ICT Incidents & the DORA Portal
Reporting serious ICT incidents is a cornerstone of DORA compliance, and the AFM is building its digital infrastructure to streamline this process. From January 17, the DORA page within the AFM Portal will become the hub for incident notifications and agreements with ICT service providers.
Firms are urged to ensure access to the portal well in advance—no one wants to be caught on the wrong side of a technical glitch when a serious incident needs reporting.
DORA Meets Licensing & TLPT
Since August, the AFM has already integrated DORA checks into the licensing process, making compliance a prerequisite for new entrants. After January 17, this scrutiny will only deepen, with the regulator focusing on whether firms have the necessary policies and procedures in place.
For those required to conduct Threat-Led Penetration Testing (TLPT), the AFM’s test managers will be on hand to guide the process. While the exact regulations around TLPT are still being finalized, the message is clear: be prepared for rigorous testing if you’re on the list.
While the AFM is leading efforts in the Netherlands, DORA supervision is a pan-European effort. The AFM (and other European regulatory authorities) will play a key role in coordinating with European Supervisory Authorities (ESAs)—including ESMA, EIOPA, and the EBA—to collect and monitor critical data. This collaborative approach underscores the interconnected nature of financial resilience within the EU.
The AFM’s plans offer more than just a blueprint for Dutch firms. They provide valuable insight into how other European regulatory watchdogs may approach DORA enforcement. Thematic and institution-oriented reviews, ICT incident reporting frameworks, and TLPT guidance are likely to echo across the continent, setting a precedent for supervision under DORA’s umbrella.
Why Early Action Matters
The AFM’s advice is unequivocal: don’t wait. While some of the technical standards are still awaiting final approval, the drafts are unlikely to change. Firms that delay implementation risk falling behind, both in terms of compliance and operational resilience.
Start now by:
- Implementing the RTS templates.
- Preparing ICT documentation for reviews.
- Testing access to the AFM Portal.
- Keeping an eye out for TLPT notifications.
DORA isn’t just another regulation—it’s a stress test for the entire financial sector’s operational resilience. The AFM’s approach, while thorough, underscores a larger reality that resilience isn’t negotiable. The regulator’s focus on early preparation, stringent reviews, and seamless ICT reporting serves as a model that could shape DORA enforcement far beyond the Netherlands.
January 17, 2025, isn’t a finish line; it’s the start of a new regulatory era. The question is, are you ready to hit the ground running?