
DNB DORA Preparedness Survey: Why Dutch Financial Institutions Underestimated the Scope
De Nederlandsche Bank surveyed Dutch financial institutions on DORA readiness in 2024, finding widespread underestimation of the regulation's scope and complexity, particularly around ICT risk management frameworks and third-party oversight.
Key Metrics
- Institutions supervised: 300+ (DNB supervisory scope)
- Key finding: scope underestimation (per DNB communications)
- Most challenging requirement: Art. 28(3) register of information (third-party register)
- Board accountability gap: board-level accountability required under Art. 5(2); previously delegated to IT
The Situation
The Dutch Financial Landscape
The Netherlands has a significant and diverse financial sector. According to publicly available data, the Dutch financial sector includes major internationally active banks (ING, Rabobank, ABN AMRO), a substantial insurance sector, pension funds among the largest in Europe, and a significant number of payment institutions and investment firms. DNB supervises more than 300 financial institutions of varying size and complexity.
Structural factors that shaped the readiness landscape:
- Outsourcing prevalence: According to DNB's public observations, the Dutch financial sector has a high degree of ICT outsourcing, with many institutions relying heavily on a relatively small number of ICT service providers for critical functions. This created a concentrated third-party risk landscape that DORA's Pillar IV provisions specifically address.
- Proportionality challenges: DORA applies to a wide range of financial entities, from large systemically important banks to smaller payment institutions. DNB noted that smaller institutions faced particular challenges in interpreting how DORA's requirements should be applied proportionally to their size, complexity, and risk profile.
- Legacy infrastructure: Several Dutch financial institutions operate on legacy core banking and insurance platforms. Documenting ICT asset inventories and dependency maps for these environments proved particularly challenging, according to industry reports.
- Board-level accountability: DORA Art. 5(2) requires that the management body "define, approve, oversee and be responsible for the implementation and review of" the ICT risk management framework. DNB observed that in many institutions, ICT risk was delegated to IT departments without sufficient board-level engagement, governance structures, or regular reporting.
DNB's supervisory approach (publicly communicated):
DNB took a proactive stance on DORA preparation, publishing guidance documents, hosting industry seminars, and conducting bilateral supervisory dialogues with institutions. According to DNB's public communications, the supervisor emphasized that DORA compliance would be assessed through the regular supervisory process and that material gaps could result in supervisory measures.
DNB also participated in the European Supervisory Authorities' (ESAs) work on DORA technical standards and guidelines, helping to shape the implementation framework that all EU financial entities would need to follow.
The Challenge
The Readiness Gap
In 2024, De Nederlandsche Bank (DNB) — the Dutch central bank and prudential supervisor — conducted assessments and published communications regarding the Dutch financial sector's preparedness for DORA's application date of January 17, 2025. According to DNB's public communications and supervisory publications, the assessment revealed that many institutions had underestimated both the scope and the operational complexity of achieving DORA compliance.
Key findings from DNB's public communications:
- Scope underestimation: Many institutions treated DORA as primarily an IT/cybersecurity regulation rather than an enterprise-wide operational resilience framework. According to DNB, institutions frequently underestimated the cross-functional governance changes required, particularly the board-level accountability for ICT risk management prescribed by Art. 5(2).
- ICT risk management framework gaps: DNB noted that while institutions had IT risk management processes, these were often not structured as the comprehensive framework DORA Art. 5-16 requires. Specific gaps included the lack of a documented ICT risk management framework approved by the management body, incomplete ICT asset inventories, and insufficient integration between ICT risk management and overall operational risk management.
- Third-party risk management immaturity: According to DNB's supervisory observations, many institutions' third-party risk management practices were procurement-centric rather than risk-centric. The regulatory requirement for a comprehensive register of information on ICT third-party arrangements (Art. 28(3)) proved more demanding than anticipated.
- Testing programme insufficiency: DNB observed that resilience testing was often limited to periodic disaster recovery exercises for core systems, falling short of the comprehensive digital operational resilience testing programme required by Art. 24-27.
DNB consistently emphasized in its public guidance that DORA is not a compliance checkbox exercise but a fundamental shift in how financial institutions must govern their ICT operational resilience.
The Approach
Practical Implementation Challenges Identified
Based on DNB's public communications and industry reporting on the Dutch experience, several practical implementation challenges emerged that illustrate the gap between DORA's text and operational reality.
Challenge 1: ICT Risk Management Framework (Art. 5-16)
DORA requires a comprehensive ICT risk management framework that is:
- Documented, approved by the management body, and reviewed at least annually (Art. 5-6)
- Integrated into the overall risk management framework (Art. 6(5))
- Supported by a documented ICT asset inventory (Art. 8)
- Complemented by a learning and evolving process based on post-incident reviews (Art. 13)
Practical difficulties reported in the Dutch market:
According to industry reports and DNB's public observations, many institutions found that their existing IT risk processes, while functional, did not meet DORA's structural requirements. Common gaps included:
- Risk frameworks existed but were not formally approved at board level as standalone documents
- ICT asset inventories were incomplete, particularly for legacy systems and shadow IT
- Risk assessments were performed periodically rather than continuously
- Post-incident learning processes existed informally but lacked structured documentation and follow-through tracking
Challenge 2: Register of Information (Art. 28(3))
The requirement to maintain a register of all ICT third-party arrangements proved to be one of the most operationally demanding requirements. According to public reporting:
- Institutions discovered they had more ICT third-party arrangements than initially catalogued
- The level of detail required by the ESAs' template (published in the Implementing Technical Standards) exceeded what most institutions had readily available
- Sub-outsourcing chains were particularly difficult to document
- Classifying which arrangements supported "critical or important functions" required cross-functional collaboration between business, IT, risk, and procurement
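The register difficulties listed above (arrangements that were never catalogued, sub-outsourcing chains that are hard to follow, and critical-function classification that must be consistent across the chain) are the kind of thing a small consistency check over the register catches before a supervisor does. The following is an added example, not code from DNB, the ESAs or any institution, and it does not use the ESA Implementing Technical Standards template: the field names, the sample arrangements and the finding wording are all constructed for illustration. It models each ICT third-party arrangement as a record, walks the sub-outsourcing chain below each one, and reports three kinds of gap: a critical or important arrangement without a contract reference, a sub-outsourcing link to an arrangement that is absent from the register, and a sub-provider that supports a critical or important function through its parent but is not itself classified as such. It also detects a chain that loops back on itself, which is a data-quality error rather than a real supply chain.

```python
"""Register-of-information consistency check (illustrative, constructed example).

Field names are assumptions made for this example; the real ESA ITS template
defines its own schema. Sample data below is constructed, not taken from any
institution's register.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Arrangement:
    """One ICT third-party arrangement as it might appear in a register."""
    arrangement_id: str
    provider: str                      # constructed provider name
    function: str                      # business function the service supports
    critical_or_important: bool        # classification of that function
    contract_ref: Optional[str] = None # contract reference, required for critical functions here
    subcontractors: List[str] = field(default_factory=list)  # ids of sub-outsourcing arrangements


def sub_chain(index: Dict[str, Arrangement], start_id: str,
              path: Tuple[str, ...] = ()) -> Tuple[List[str], List[str], List[str]]:
    """Depth-first walk of the sub-outsourcing chain below start_id (start excluded).

    Returns (documented ids, undocumented ids, ids that close a loop back to an ancestor).
    """
    documented, undocumented, cycles = [], [], []
    for sub_id in index[start_id].subcontractors:
        if sub_id == start_id or sub_id in path:
            cycles.append(sub_id)          # chain loops back: data error, stop here
            continue
        if sub_id not in index:
            undocumented.append(sub_id)    # referenced but never entered in the register
            continue
        documented.append(sub_id)
        d, u, c = sub_chain(index, sub_id, path + (start_id,))
        documented += d
        undocumented += u
        cycles += c
    return documented, undocumented, cycles


def check_register(arrangements: List[Arrangement]) -> List[str]:
    """Return human-readable findings for the gaps the register itself reveals."""
    index = {a.arrangement_id: a for a in arrangements}
    findings: List[str] = []
    for a in arrangements:
        if a.critical_or_important and not a.contract_ref:
            findings.append(f"{a.arrangement_id}: critical/important arrangement lacks a contract reference")
        # Direct links to arrangements missing from the register are reported at the parent.
        for sub_id in a.subcontractors:
            if sub_id not in index:
                findings.append(f"{a.arrangement_id}: sub-outsources to undocumented arrangement {sub_id}")
        documented, _, cycles = sub_chain(index, a.arrangement_id)
        for sub_id in cycles:
            findings.append(f"{a.arrangement_id}: sub-outsourcing chain loops back to {sub_id}")
        # Every documented provider in the chain below a critical function inherits that criticality.
        if a.critical_or_important:
            for sub_id in documented:
                if not index[sub_id].critical_or_important:
                    findings.append(f"{sub_id}: supports critical/important function via "
                                    f"{a.arrangement_id} but is not classified as such")
    return findings


# Constructed sample register: six entries, one dangling reference (ARR-003) and one loop.
SAMPLE_REGISTER = [
    Arrangement("ARR-001", "Example Cloud Host", "core banking hosting", True, "CTR-001", ["ARR-002"]),
    Arrangement("ARR-002", "Example Datacentre Ops", "datacentre operations", False, "CTR-002", ["ARR-003"]),
    Arrangement("ARR-004", "Example Payments Gateway", "payment processing", True, None, []),
    Arrangement("ARR-005", "Example HR SaaS", "payroll", False, None, []),
    Arrangement("ARR-006", "Example Network Provider", "WAN connectivity", False, "CTR-006", ["ARR-007"]),
    Arrangement("ARR-007", "Example Managed SOC", "security monitoring", False, "CTR-007", ["ARR-006"]),
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER):
        print(finding)
```

Run stand-alone, the script prints five findings for the constructed register: the datacentre provider under the core banking host is not classified critical, that provider sub-outsources to an arrangement nobody entered, the payments gateway has no contract reference, and the two network entries reference each other. The non-critical payroll SaaS with no contract reference produces nothing, which is a deliberate choice for this example; a real programme would decide separately whether contract references are mandatory for every arrangement.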
Challenge 3: Proportionality in Practice
While DORA includes a proportionality principle, translating this into practice proved challenging for mid-size and smaller institutions. According to Dutch industry association communications:
- Smaller institutions lacked dedicated operational resilience teams
- The same technical standards applied to institutions of vastly different size and complexity
- Resource constraints meant prioritization was essential, but the regulation provided limited guidance on sequencing
The Results
Supervisory Outcomes and Sector Response
Based on DNB's public communications and Dutch financial sector reporting:
DNB's supervisory actions:
- DNB integrated DORA readiness into its regular supervisory assessments and bilateral meetings with supervised institutions throughout 2024.
- According to DNB's public priorities for 2025, operational resilience and DORA compliance remained key supervisory focus areas, with the supervisor indicating that it would assess compliance posture through on-site inspections and off-site monitoring.
- DNB published guidance documents and FAQs to assist institutions in interpreting DORA requirements, particularly around proportionality and the register of information.
- DNB participated in the coordinated supervisory approach agreed among European supervisors regarding the first phase of DORA implementation.
Sector response (publicly reported):
- Dutch financial industry associations organized working groups and knowledge-sharing sessions on DORA implementation, according to their public communications.
- Several major Dutch financial institutions publicly referenced DORA compliance programmes in their annual reports and investor communications.
- The Dutch experience highlighted the importance of early engagement with DORA requirements — institutions that started late reported significantly more difficulty meeting the January 2025 application date.
- Industry surveys indicated that DORA implementation costs varied significantly by institution size, with mid-size institutions facing proportionally higher compliance costs relative to their revenue than either the largest or smallest entities.
Relevance to the broader EU landscape:
The Dutch experience, as documented through DNB's public communications, is representative of challenges reported across other EU member states. The combination of scope underestimation, third-party register complexity, and proportionality interpretation challenges was echoed in supervisory communications from other national competent authorities during the same period.
The DNB preparedness assessment demonstrates that even in a well-regulated, digitally advanced financial market, the transition from existing IT risk management practices to DORA's comprehensive operational resilience framework requires significant organizational, governance, and technical effort.
Lessons Learned
1. DORA Art. 5(2) board-level accountability for ICT risk management represents a governance transformation, not just a documentation exercise. DNB's observations indicate that many institutions need to restructure their ICT risk governance to give the management body genuine oversight, not delegated responsibility.
2. DORA Art. 28(3) register of information is operationally more complex than most institutions initially estimated. The Dutch experience shows that institutions routinely discovered more ICT third-party arrangements than they had catalogued, and the ESA template requires granularity that existing procurement records typically lack.
3. DORA Art. 6(5) integration of ICT risk into overall risk management is a structural requirement that cannot be met by adding a section to an existing risk report. It requires genuine integration of ICT risk assessment into enterprise risk management processes, risk appetite statements, and board reporting.
4. Proportionality under DORA is a principle, not a safe harbor. DNB's observations suggest that smaller institutions cannot simply do less — they must demonstrate that their approach is proportionate to their size, complexity, and risk profile, which itself requires analysis and documentation.
5. Starting early is critical. DNB's publicly communicated observations indicate that institutions that began DORA preparation in 2024 faced significantly more difficulty than those that started in 2023 or earlier.
6. Third-party risk management must shift from procurement-centric to risk-centric. The DNB findings reinforce that DORA requires financial entities to govern ICT third-party risk as a first-class risk category, not a subset of vendor management.
Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.
Facing similar challenges?
See how Valendir can help your institution achieve and maintain DORA compliance with deterministic workflows, immutable evidence, and continuous assurance.