Global Trustee and Fiduciary Services Bite-Sized Issue 1 2025

OPERATIONAL RESILIENCE

Dutch AFM: What to Expect with Regards to DORA Supervision

On 7 January 2025 the Dutch Authority for the Financial Markets (AFM) published its DORA Update 6. All financial undertakings covered by DORA must comply with the requirements in the Regulation as well as the further regulations by 17 January 2025. In its latest DORA update, the AFM explains what companies can expect in 2025. The AFM says it will discuss its own supervision and what requests for information companies can expect to receive from the European supervisory authorities.

In order to ensure compliance with the requirements in DORA in a timely manner, the AFM says it is important for companies to have already started implementing the requirements in the Regulation and the Regulatory Technical Standards and to use the templates in the Implementing Technical Standards. Although the European Commission has yet to make a decision on some parts, it is strongly recommended by the AFM that companies start implementing these requirements now. These further regulations are expected to remain largely unchanged.

The AFM says that the entry into force of DORA signals the commencement of its supervisory activities. They include initiating investigations to determine whether companies meet the specified requirements, handling serious ICT incident reports and checking permit applications. The AFM says that the reviews it will carry out are either thematic or institution-oriented. In a thematic review, it looks at several parties to see whether the company concerned complies with a specific aspect of the regulations. In an institution-oriented review, the AFM says it will request a variety of documents related to ICT security from one company.
In addition, companies must report serious ICT incidents and any agreements with ICT service providers to the AFM. It says financial undertakings will have access to the DORA page in its portal from 17 January. This will be part of the AFM Portal to which companies already have access. As part of the licence application process, the AFM will also verify whether the DORA requirements are being met. This is something the AFM says it has been doing since 1 August 2024. The purpose in doing this was to support companies in meeting the DORA requirements in a timely manner.

Link to Full AFM DORA Update 6 here

CP24/28: Operational Incident and Third-Party Reporting

On 13 December 2024, the Financial Conduct Authority (FCA) published a consultation on proposals for firms to report operational incidents and their material third party arrangements. The FCA says that the proposals, developed with the Prudential Regulation Authority and the Bank of England, aim to bolster its operational resilience framework for firms and support its strategic commitment to minimise the impact of operational disruptions such as cyber-attacks or IT outages.

These proposals seek to establish a consistent, sufficient, and timely framework for reporting operational incidents and material third-party arrangements. The FCA aims to achieve this by proposing clearer definitions of what constitutes an ‘operational incident’, when these should be reported, and a standardised template. The FCA says this will set clearer expectations and ensure a level playing field for firms to operate within. The consultation period closes on 13 March 2025.

Link to CP24/28 here
