On 11 May 2022, the presidency of the Council of the EU and the European Parliament reached provisional agreement on the text of the Digital Operational Resilience Act (DORA)[1], closing the trilogue phase. The final compromise text was published on 23 June 2022[2]. Given the remaining steps in the legislative process, organisations in the financial sector and their ICT service providers are expected to have to comply with the digital resilience requirements of DORA by the end of 2024. DORA harmonises the requirements for managing ICT risk across the EU financial sector, with the aim of safeguarding the continuity of critical processes within those organisations.
It applies in particular to insurance and reinsurance companies, insurance intermediaries, investment firms, management companies, banks, crypto-asset service providers, institutions for occupational retirement provision (company pension funds) and third-party providers of ICT services.
DORA is intended to reduce the societal and economic risks arising from growing cyber threats in the financial sector. Several drivers of that growth can be identified: increasing connectivity between organisations' IT environments, outsourcing of IT to third parties (including cloud service providers), the continuing digitisation of the sector through digital financial services and fintech applications, and the persistence of vulnerable legacy systems within the sector.
Financial institutions are not the only parties affected. ICT service providers to the financial sector will also fall under the supervision of the relevant regulators through this regulation. Audit firms, which were in scope in an earlier draft, are excluded from DORA for the time being; a decision has been taken that DORA will be extended to audit firms at the latest within three years of its entry into force.
With the publication of the compromise text on 23 June 2022, now is the time for all organisations that are governed by the DORA regulations to jump into action. DORA requires policy and procedural measures, but also verifiable operational measures in the area of digital resilience and the corresponding accountability.
The impact on organisations that are already supervised by the Netherlands Central Bank or the Radiocommunications Agency Netherlands is likely to be smaller than on organisations that are not. We recommend starting with a gap analysis of your organisation's existing information-security processes against the DORA requirements. That gap analysis can form the basis of an action plan to introduce and embed the DORA requirements in a structured manner. This is a demanding process: for most organisations, DORA will mean a significant scale-up of cybersecurity measures and more integrated management of ICT risk.
DORA rests on five pillars, each with its own focus: ICT risk management, ICT-related incident reporting, digital operational resilience testing, management of ICT third-party risk, and information sharing on cyber threats. (The illustration of the pillars is not reproduced here.) Ultimately, the specific DORA requirements can be brought together in a single ICT risk management framework so that the organisation's digital resilience is managed on a permanent basis. For each pillar, a number of notable points from the DORA text were highlighted.
Finally, note that the regulation will be supplemented in 2023 by more detailed technical standards. Drafting the technical details of these measures has been entrusted to the European Supervisory Authorities (ESAs).
These impressions already show that DORA is a comprehensive and far-reaching regulation with significant consequences for the IT risk management and internal controls of many organisations, with cyber resilience as its focus. With the agreed text now available, organisations have a solid basis on which to prepare for implementation. The European Parliament is expected to endorse DORA in October 2022. It is advisable to carry out the gap analysis now and use it to draw up a roadmap for designing the required "digital resilience risk management framework", leaving sufficient time to implement the remaining measures before the end of 2024.
Under the "Cybersecurity in the DIGITAL Europe" programme, many related legislative initiatives have been launched, including the revised Network and Information Security Directive (NIS2), the European Cybersecurity Certification Scheme for Cloud Services (EUCS) under the EU Cybersecurity Act, and the EU Data Governance Act.
[1] Council of the EU, press release, 11 May 2022, Digital finance: provisional agreement on DORA
[2] Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014