Banking Regulation 2025

NETHERLANDS Law and Practice Contributed by: Johannes de Jong and Juliet de Graaf, Osborne Clarke N.V.

creation for companies and the role of man - agement boards in developing strategies and procedures to achieve this goal. • Sustainable Finance Disclosure Regulation (SFDR): Banks providing portfolio manage - ment or investment advice services are sub - ject to disclosure requirements following from SFDR. These disclosures cover, besides ESG topics, the integration of sustainability risks into the bank’s investment processes, and how the bank considers adverse impacts that investments may have on sustainability. • Taxonomy Regulation: This establishes crite - ria for identifying and classifying the sustain - able economic activities of a bank, used for the purposes of other sustainability regula - tions (such as CSRD and SFDR). The Digital Operational Resilience Act (DORA) is a European regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025 to Dutch licensed banks. DORA is part of a larger European digital finance package that aims to ensure financial stability and consumer protection through technological development. This digital finance package also includes a European digital finance strategy, regulation on markets in crypto-assets (MiCAR), and regula - tion concerning market infrastructures based on distributed ledger technology. DORA has direct effect in the member states and aims to harmonise the rules relating to digi - tal operational resilience for the financial sector. Besides Dutch-licensed banks, it applies to a total of 21 types of financial entities, including payment institutions, investment firms, crypto- asset service providers, and the information and 10. DORA 10.1 DORA Requirements

communication technology (ICT) third-party pro - viders that are critical to the financial infrastruc - ture, bringing technology vendors under direct financial supervision. Each of these entities must align their operational and risk management pro - cesses with DORA’s stringent requirements to effectively manage and mitigate ICT risks. Five Pillars of DORA DORA is built on five key pillars, each addressing different aspects of digital operational resilience for financial institutions: • ICT risk management: Chapter II of DORA requires financial entities to have in place an elaborate system of processes, controls, digi - tal operational resilience strategies, policies, and procedures, ICT protocols, and tools to manage their ICT risks. These measures, which together form the DORA risk manage - ment framework, need to address aspects such as governance and organisation; ICT risk management framework; ICT systems, protocols, and tools; identification; protec - tion and prevention; detection; response and recovery; back-up policies, restoration and recovery; learning and evolving; and crisis communication plans. • Moreover, particular emphasis is placed on the role of management bodies in ensur - ing compliance, and ensuring that ICT risk management is embedded in their internal governance and control framework. • ICT incident management: Chapter III of DORA requires financial entities to establish and implement a specific ICT-related incident management process to detect, manage, and notify ICT-related incidents, and to record them together with significant cyber threats. Financial entities will also have to classify ICT-related incidents and determine their impact in accordance with a set of prescribed

416 CHAMBERS.COM

Powered by