Frequently Asked Questions about DORA
DORA Notifications
Do I need to report incidents concerning ICT services under both the Wft reporting obligation and DORA?
No, if there is a complete overlap between the reportable situations, you only need to report the incident via the DORA app in the AFM Portal as an ICT-related incident, including the required attachments listed there.
Do I need to report proposed contracts with ICT third-party service providers under both the Wft and DORA?
No, in cases where there is a complete overlap between the reportable situations for DORA and the Wft, you only need to submit a notification via the DORA app in the AFM Portal.
My company is subject to both DORA and NIS2. Is a DORA incident notification sufficient to fulfill NIS2 obligations as well?
No, there is a dual reporting obligation for DORA and NIS2 incidents. You can report a DORA incident via the DORA app in the AFM Portal, while NIS2 incidents must be reported to the National Cyber Security Center (NCSC). For more information, visit the NCSC website: Incident Reporting and Registration Requirements.
If a contract with a service provider concerns both an ICT service and a non-ICT service, does it need to be reported to the AFM twice?
In addition to a notification obligation under DORA for contracts with ICT service providers that support a critical or important function, there is also a notification obligation in the case of proposed critical and important outsourcing under the Wft. These obligations may overlap, such as in some cases involving the outsourcing of KYC and administration. In cases where both a notifiable ICT service that must be reported under DORA and a notifiable outsourced non-ICT service that must be reported under the Wft are involved, notification via the DORA app in the AFM portal suffices. However, in that case, the Outsourcing notification form must be uploaded as an additional attachment to the notification.
How do I gain access to DORA notifications in the AFM Portal?
You gain access if you have a licence from the AFM and your company are subject to DORA. Your company needs to manage access for the appropriate employees through the authorisation management system in the portal. If you have an AFM licence, are subject to DORA, and you are unable to assign access to employees through the authorisation management system, please contact the AFM Business Desk.
Scope of DORA
Are investment firms and managers from third countries subject to DORA?
Does a financial service qualify as an ICT service?
This depends on several factors. The European regulators elaborate on this in the answer to question 2999 on the EIOPA website.
When do I, as an insurance intermediary, reinsurance intermediary, or ancillary insurance intermediary, fall under DORA?
These entities fall under DORA if they are licensed for insurance mediation, have 250 or more FTEs, or fewer than 250 FTEs but generate more than €50 million in revenue and have a balance sheet total of more than €43 million. If the entity is part of a group of companies, the FTE, revenue, and total balance sheet of all financial entities (as mentioned in Article 2, paragraph 1 of DORA) should be added together.