Trading platforms and HERs anticipate increased risks of IT incidents

Trading platforms and HERs have a legal duty to report incidents to the AFM. IT-related incidents, such as cyber attacks or system failures, and outsourced IT-services are also covered by this reporting requirement. Incident reports enable the AFM to conduct risk-based supervision of the robustness of the capital market infrastructure. For this investigation, the AFM examined eight capital market participants on their IT management.

Increasing digitalisation, increasing cyber threats

The combination of increasing digitalisation and growing cyber threats increases the risk of IT incidents that can have a significant impact on the business. These include trading system failures, connection problems and software errors. The AFM expects capital market participants to assess the risks of IT incidents on their operations and whether improvements are needed in IT incident management for controlled and ethical business operations.

Incident reports and market participant self-examination

In this investigation, the AFM relied on incident reports and studies at eight trading platforms and HERs. The AFM then made an overview of the measures identified in this investigation. Based on these measures, businesses can improve their IT incident management.

Not yet DORA-proof

The AFM observes that incident management at the examined capital market participants does not yet fully comply with the additional regulatory requirements of the Digital Operational Resilience Act (DORA), which comes into force in 2025. The AFM stresses the importance of a timely start with the implementation of the DORA requirements.

More information

Exploratory study 'IT Incident Management in Capital Markets' (pdf, 264kB)