On 17 January 2025 the Digital Operational Resilience Act (DORA) became applicable, introducing ongoing obligations for financial entities, such as maintaining registers of information, under the active supervision of the Autoriteit Financiële Markten (AFM). DORA is an EU regulation that applies to financial entities such as investment firms, funds, credit institutions, payment institutions, electronic money institutions, crypto-asset service providers, insurance undertakings, insurance intermediaries and their ICT third-party service providers. Applicable in all EU member states, DORA aims to strengthen the digital operational resilience of the financial sector. This English-language article by law firm CMS gives an overview of the new ICT risk management framework that DORA imposes on the management bodies of financial entities and discusses how this may affect directors in the Netherlands and their potential liability risks.
Responsibilities of the management body under DORA
DORA introduces new compliance obligations regarding ICT risk management, ICT-related incident reporting, resilience testing and third-party outsourcing. DORA assigns the responsibility for the implementation of all arrangements related to the ICT risk management framework specifically to the management body of a financial entity, heightening the accountability of management bodies and their potential liability risks.
Under DORA, a management body will have the following obligations:
Manage ICT risk by putting in place policies to ensure high standards of availability, authenticity, integrity and confidentiality of data;
Set clear roles and responsibilities for all ICT-related functions, which include establishing appropriate governance and arrangements to ensure effective and timely coordination among those functions;
Bear the overall responsibility for setting and approving the digital operational resilience strategy;
Approve, oversee and review the implementation of the ICT business continuity policy and ICT response and recovery plans, and approve and review the entity's ICT internal audit plans, ICT audits and material modifications;
Set budgets for the fulfilment of the entity's digital operational resilience needs;
Approve and review the entity's policy on arrangements regarding the use of ICT services provided by ICT service providers; and
Put in place reporting channels at corporate level so that it is duly informed of the arrangements concluded with ICT third-party service providers on the use of ICT services and of any relevant planned material changes regarding those ICT third-party service providers.
In addition, financial entities should put a person in charge of monitoring arrangements with ICT third-party service providers. This includes overseeing the related risk exposure and the documentation of such arrangements. In practice, this often means supplementing existing contracts between the financial entity and its ICT third-party service providers with an addendum to make them DORA-compliant.
Finally, members of the management body must keep their ICT knowledge and skills up to date so that they understand and assess ICT risks and their impact on the entity's operations. This would include an obligation to regularly attend training courses. By adhering to these obligations, the management body ensures that the financial entity maintains a high level of digital operational resilience, thereby protecting its operations and stakeholders from digital disruptions.
Directors' liability under Dutch law
The management body, as defined in DORA, would typically include the board of directors of a company under Dutch law. The Dutch Civil Code requires that the board of directors is responsible for the management of the company, thereby acting in its best interest. The directors have a duty of care in relation to the company and its stakeholders for the proper performance of their tasks.
A distinction should be made between liability towards the company (i.e. internal liability) and liability towards third parties (i.e. external liability). The legal basis for holding the board of directors internally liable is “mismanagement”. For a director's conduct to qualify as mismanagement, there must be serious negligence on the part of the director, for which a high threshold applies.
An important legal basis for establishing external liability is tort, for which a comparable standard with high thresholds applies as it does for internal liability. When substantiating tort, its open norms are often supplemented with soft law from international treaties. When the responsibilities and obligations of directors become more detailed and specific, it appears to become easier to hold them accountable and, in case of non-compliance, potentially liable. We expect the continuation of this trend, which already started with lawsuits against directors based on ESG guidelines and anti-money laundering regulations. Currently, this heightened accountability may also extend to ICT risk management.
Accountability of the management body under DORA
Failure by directors to comply with their responsibilities and obligations set out in DORA could result in additional accountability and liability risks. This is because DORA assigns the responsibility for the implementation of all arrangements related to the ICT risk management framework specifically to the management body. Stakeholders of the company may use or exploit this to put pressure on directors of a financial entity.
For example, dissatisfied customers (often consumers) affected by ICT disruptions may consider taking legal action not only against the company on the basis of the existing contractual relationship, but also against the company's directors on the basis of tort. To substantiate a tort claim, any non-compliance by a director with DORA may be used to argue that the director has breached a duty of care towards the company's customer, with the aim of establishing personal liability.
In addition, shareholders of the company may use their rights in the general meeting of the company to compel the board to take action on ICT risk management to comply with DORA. They can do this, for example, by placing items on the agenda or exercising their right to speak or casting their voting rights (when the remuneration policy of the directors is to be established).
Enforcement by the AFM
Besides the potential risk for directors of being liable towards third parties, failure to implement the arrangements related to the ICT risk management framework may lead to a fine imposed by the AFM on the financial entity as the offender. In addition, or alternatively, the AFM could impose fines on directors personally. To do so, the director must have exercised de facto management regarding the offence. De facto management may be active, or it may be more passive if, for example, the director is aware of the prohibited conduct but fails to act against the offence.
The AFM can also hold directors personally liable on the basis of tort. In doing so, the AFM must meet the same threshold as any other stakeholder (see 'Directors' liability under Dutch law' above): it must prove serious negligence on the part of the director. Case law shows that the AFM pursues tort liability against directors only under specific circumstances.
Conclusion and practical guidance
DORA raises the stakes for financial entities, making it crucial for them to ensure they are well-prepared to navigate through the DORA landscape. Therefore, it is essential to keep DORA on the agenda, monitor and assess the arrangements in place with ICT third-party service providers, ensure adequate training for the board on ICT risks, and maintain the registers of information. Failure to do so could result in additional liability risks for both the financial entity and its directors.