Dutch Authority for the Financial Markets identifies shortcomings in trading platforms’ DORA ICT risk management

The Dutch Authority for the Financial Markets has published findings from a thematic review of how trading platforms have implemented ICT risk management under the Digital Operational Resilience Act. It said the basic framework is generally in place at regulated markets, multilateral trading facilities and organized trading facilities, but further steps are needed to achieve full and sustainable compliance. Firms were urged to consider the review’s findings and recommendations in their further DORA implementation. The review found that DORA gap analyses are often too high level, which can leave relevant requirements out of scope and delay the identification of weaknesses. It also pointed to weaker coverage in parts of the ICT risk management framework, particularly security monitoring, access management, logging, emergency changes and continuity management. In addition, firms do not always distinguish clearly between policies and procedures, making it harder to show that requirements sit in formally approved policy. For intragroup ICT services, DORA-compliant policies and documentation have not always been adopted consistently at group level. The AFM said its supervision of digital operational resilience will continue to assess not only written policies and procedures but increasingly their application in practice, including whether measures work and support firms’ resilience. Where institutions do not fully meet the legal requirements, it said it will intervene.