The Dutch Authority for the Financial Markets published guidance for audit firms stressing that digital incidents such as data leaks highlight organisational vulnerabilities and that firms should further strengthen information security through an appropriate, future-proof framework. Drawing on insights from public interest entity audit firms, it sets out measures intended to help all licensed audit firms reinforce IT risk management. The update notes that many incidents stem from human error, insufficient monitoring, or unclear responsibilities, and argues that a robust risk management framework helps make information security sustainable and avoid being caught off guard by attacks.

It points to De Nederlandsche Bank’s Good Practice on Information Security as an example, including its self-assessment tool to gauge maturity, and highlights practical areas for improvement: maintaining an up-to-date and cyclical ICT risk process (current risk registers, documented risk decisions and follow-up, risks kept within risk appetite); strengthening continuity management (regularly refreshed business impact analyses, broad chain testing beyond IT recovery, structured incorporation of lessons learned); improving configuration management (complete mapping of systems, API links, assets, relationships and process dependencies); adopting risk-based supplier oversight (formal onboarding and evaluations, including sub-suppliers); and embedding incident learning (clear incident definitions, standard post-incident analyses, documented remediation actions with follow-through).

The AFM emphasises that an information security framework is only effective if it demonstrably works, and indicates it will continue engaging with the sector, with IT risk control remaining an AFM priority in the coming years.