Go to content
News 01/12/23

DORA update: emphasis on managing ICT risk for third-party providers

The Dutch Authority for the Financial Markets (AFM) has issued its second publication explaining the key aspects of the Digital Operations Resilience Act (DORA). This edition (pdf, 525 kB) focuses on the management of ICT risk for third-party providers. It enables firms to analyse where they stand in this and any further steps they need to take to comply with the regulation.

DORA has been in force since January 2023. DORA is a European regulation that aims to ensure that financial firms have better control of ICT risks and are thus more resilient to cyber threats.

Stable chains

To be resilient against cyber threats and ICT disruptions throughout the chain, it is important to be mindful of the risks of taking ICT services from third-party providers. First of all, firms should explicitly address the ICT risks arising from using services from third-party providers. Additionally, DORA requires firms to develop a strategy for this so-called third-party risk management, in which the risks of outsourcing critical services are regularly reviewed. DORA also stipulates the different elements that firms need to include in contractual arrangements with third-party providers. This publication further discusses these elements and how to get them DORA-proof.

Supervision of the regulation

Firms have until January 2025 to comply with the regulation. After that, DORA will be officially applicable and the AFM and DNB will supervise the regulation. Some firms are already subject to DORA-related requirements under existing laws and regulations.

Contact for this article


Would you like to receive the latest news from AFM?

Subscribe to our newsletter, we will keep you up-to-date.