Banking Regulation 2025

NETHERLANDS Law and Practice Contributed by: Johannes de Jong and Juliet de Graaf, Osborne Clarke N.V.

criteria, details of which are to be set out in secondary legislation, and report major ICT- related incidents to the competent authority. • Digital operational resilience testing: Chapter IV of DORA requires financial entities to put in place a sound and comprehensive digital operational resilience testing programme, comprising a range of assessments, tests, methodologies, practices, and tools. Testing should be applied on a risk-based approach by an independent party – either internal or external. In addition, significant financial entities will be required to carry out threat-led penetration testing (TLPT) every three years. • ICT third-party risk management: Chap - ter V of DORA covers the required policy documents, risk analysis, and contractual provisions with ICT third-party providers to ensure that financial entities maintain strong contracts with their ICT third-party provid - ers. DORA also requires that all contrac - tual arrangements for the provision of ICT services must be recorded in a register of information. Section II of Chapter V defines the oversight framework for critical third-party providers of ICT services. • Information sharing: Chapter VI of DORA pro - vides a framework for the sharing of informa - tion about cyber threats and vulnerabilities with other financial entities. In addition to the requirements described in the regulation, a number of topics are further elaborated in the Regulatory Technical Stand - ards (RTS), Implementation Technical Standards (ITS), and Guidelines (GL) developed by the three European Supervisory Authorities (ESAs). The DORA requirements will be applied in accordance with the principle of proportional - ity. This means that, when implementing DORA, financial entities should consider their size and

overall risk profile, as well as the nature, scale, and complexity of their services, activities, and operations. Supervision and Enforcement DORA places the supervision of compliance with its requirements on the respective compe - tent authorities responsible for overseeing the in-scope financial entities. For Dutch-licensed banks, this responsibility will be placed on the DNB. To this end, the DNB will have supervisory, investigatory, and sanctioning powers, includ - ing powers to request access to documents and data, carry out on-site inspections and inves - tigations, and impose administrative penalties and remedial measures. On 9 July 2024, the new EU banking package came into effect. This package, consisting of the Capital Requirements Regulation 3 (CRR3) and the Capital Requirements Directive 6 (CRD6), ensures the implementation of the final elements of the Basel III agreement. CRD6 introduces vari - ous interesting changes. CRD6 introduces a prohibition on the provision of cross-border banking services in the EU of a third-country (non-EU) institution. It requires institutions from third countries to establish a branch (third-country branch, TCB) in a mem - ber state and to apply for a licence for that TCB before they can provide “core banking servic - es” in the respective member state. It should be emphasised that for the applicability of the TCB regime, the qualification of the services – not the service provider – is decisive. Core bank - ing services in this context include deposit tak - 11. Horizon Scanning 11.1 Regulatory Developments EU Banking Package

417 CHAMBERS.COM

Powered by