News 01/03/23

Trading platforms and HERs anticipate increased risks of IT incidents

Trading platforms and Proprietary traders (Handelaren voor eigen rekening; HERs) anticipate increased risks of IT incidents within capital markets. The AFM has compiled an overview of the measures that these capital market participants are taking to mitigate these. It appears from the overview that not all trading platforms and HERs are fully DORA-proof yet. The AFM calls on capital market firms to initiate timely implementation of these new digital European legislative requirements (Digital Operational Resilience Act), which will come into force in 2025.

In brief

• Trading platforms and HERs anticipate increased risks of IT incidents
• AFM reviews identified measures
• Not all trading platforms and HERs are fully DORA-proof
• AFM calls for a timely start with DORA implementation

Trading platforms and HERs have a legal duty to report incidents to the AFM. IT-related incidents, such as cyber attacks or system failures, and outsourced IT-services are also covered by this reporting requirement. Incident reports enable the AFM to conduct risk-based supervision of the robustness of the capital market infrastructure. For this investigation, the AFM examined eight capital market participants on their IT management.

Increasing digitalisation, increasing cyber threats

The combination of increasing digitalisation and growing cyber threats increases the risk of IT incidents that can have a significant impact on the business. These include trading system failures, connection problems and software errors. The AFM expects capital market participants to assess the risks of IT incidents on their operations and whether improvements are needed in IT incident management for controlled and ethical business operations.

Incident reports and market participant self-examination

In this investigation, the AFM relied on incident reports and studies at eight trading platforms and HERs. The AFM then made an overview of the measures identified in this investigation. Based on these measures, businesses can improve their IT incident management.

Not yet DORA-proof

The AFM observes that incident management at the examined capital market participants does not yet fully comply with the additional regulatory requirements of the Digital Operational Resilience Act (DORA), which comes into force in 2025. The AFM stresses the importance of a timely start with the implementation of the DORA requirements.

More information

Exploratory study 'IT Incident Management in Capital Markets' (pdf, 264kB)


Contact for this article

Would you like to receive the latest news from AFM?

Subscribe to our newsletter, we will keep you up-to-date.