Go to content
News 05/07/24

Ready for DORA? The AFM publishes checklist for financial organisations

As of 17 January 2025, financial organisations have to comply with the Digital Operational Resilience Act (DORA). DORA is a European regulation that aims to ensure that financial organisations have better control of ICT risks and are thus more resilient to cyber threats. Based on previous surveys on ICT control measures, the Dutch Authority for the Financial Markets (AFM) has reviewed how financial service providers, capital market firms and investment firms scored themselves and has translated this into ten key DORA-related themes. In combination with the checklist developed by the AFM, organisations can use these findings to assess their preparations for DORA.

Control measures often not yet up to par

The AFM monitors the quality of information security within the financial sector on an ongoing basis. Part of this includes surveys in which organisations can score the maturity of their ICT control measures. The AFM has made a link between the scores for the control measures and ten key DORA-related themes. This link is our own interpretation and does not comprise all requirements set by DORA. The scores show that the control measures are often not yet up to par and considerable effort is still required before DORA becomes applicable in January 2025.

ICT risk management needs to be improved

DORA aims to ensure that financial organisations have better control of ICT risks and are thus more resilient to cyber threats and ICT disruptions. High-quality ICT risk management enables companies to timely and effectively detect and manage risks.

Many organisations failed to fully meet the expected level in terms of ICT risk management. This applies to 81% of all financial service providers, 58% of the capital market firms and 42% of investment firms.

Also, several organisations require improvements in governance in the area of ICT risk management, ICT asset inventory and risk management of third-party providers.

Most organisations scored adequately on the setup of backup and recovery capabilities, however, DORA imposes additional and detailed requirements in this regard.

DORA checklist

It is important that organisations timely understand where they stand in terms of digital resilience and any further steps they need to take to comply with the requirements set by DORA.

Organisations can use the DORA checklist as a starting point to gain clarity on a number of issues that are still needed in terms of policies and procedures to meet the requirements of DORA. Given the scope of DORA, the checklist is not exhaustive. The full requirements are detailed in the regulation and associated RTS and ITS. More information on this is available on our website.

More information

DORA checklist (pdf, 223kB)

Contact for this article


Would you like to receive the latest news from AFM?

Subscribe to our newsletter, we will keep you up-to-date.