The Netherlands - Regulatory

To further clarify the contents and obligations under the EU Digital Operational Resilience Act (DORA), the European Commission has adopted delegated acts. On 23 and 24 October 2024, the European Commission adopted the following RTS and ITS through Delegated Regulations supplementing DORA:

• RTS specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats; and
• accompanying ITS with regard to the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat; and
• RTS on harmonisation of conditions, enabling the conduct of the oversight activities.

The ESMA Guidelines apply from 21 November 2024, ensuring that investors are protected, or better protected, against exaggerated claims related to environmental social and/or governmental (ESG) objectives. A fund including in its name words related to ESG objectives must meet a threshold of investments contributing to the ESG objective its name relates to. The Dutch Authority on Financial Markets (Autoriteit Financiele Markten) has published a statement that it expects Dutch AIFs and AIFMs to align with the ESMA Guidelines. Funds established before 21 November 2024 get a transitional period, meaning that they will have to comply with the Guidelines from 21 May 2025. Funds established after 21 November 2024 will have to comply with the Guidelines from the date of establishment.

Day-to-day and secondary policymakers of AIFs, and other financial entities, are subject to a fitness and propriety assessment when they start their function. As DORA expects financial entities to have digital operational resilience, their policy makers should be so as well. Therefore, the Dutch National Bank (De Nederlandsche Bank) will assess the knowledge and experience on ICT risk management as well as the contents of DORA in general.

The European Commission has adopted the ITS regarding the standard templates for the register of information. DORA requires financial entities to maintain a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. The ITS provides a standardised template for financial entities to use when establishing the register of information.

One of the DORA requirements is that financial entities, such as AIFs, maintain a register of information on their ICT third-party service providers. The AFM has published a statement regarding the timeline for sending the register. A request for information will be sent in February 2025 to all organisations that have an AFM licence and are subject to DORA. Before the information request is sent, entities will receive a message about the way in which AFM requests them to provide the information and the response period. Entities are expected to send their entire registers to AFM.