AFM publishes Principles for Information Security

The Dutch Authority for the Financial Markets (AFM) publishes the Principles for Information Security. With this policy statement, the AFM outlines its expectations regarding the behaviour of financial firms and audit firms in the field of information security. The principles were submitted for consultation earlier this year and have now become definitive.

The management of information security risks is becoming increasingly important as a result of the ongoing digitalisation of society. The AFM expects firms to take appropriate measures to guarantee the continuity and reliability of their IT and provision of information, and to limit the impact of any security incidents. The principles provide guidance in this respect.


The principles are not new rules; they consist of starting points with regard to issues that involve various statutory norms subject to supervision by the AFM. In this way, the AFM increases the predictability of its supervision. Firms decide for themselves how they implement these principles.

Reactions to the consultation

The AFM received comments and recommendations from 26 organisations during the consultation process. These reactions have enabled the AFM to clarify the principles. The AFM thanks them for their input.

Feedback statement

In addition, several organisations have asked for more clarity regarding the legal framework, proportionality and (inter)national convergence. In the feedback statement, the AFM gives a short description of the question(s) received for each subject, after which the AFM answers the question(s) and explains why it has made a certain choice.
