NLD DNB DORA Personal Assessments


On Nov. 28, NLD DNB outlined expectations for personal assessments.


  • NLD DNB said the Digital Operational Resilience Act (DORA) sets specific requirements for the knowledge and experience of persons who determine ICT risk management policy.
  • Follows the Aug. 2024 DNB issuance of a provisional DORA reporting format, see #223545.

Personal Assessments

  • When assessing the submitted assessment file, knowledge and experience in the field of ICT risk management will be taken into account.
  • Further explanation of this can be shared in the decision-making and considerations for the appointment and / or in the explanation of the suitability matrix.
  • DORA can be discussed in assessment interviews: a candidate can be asked about their knowledge of DORA, ICT risk management and digital resilience of the institution.

NLD DNB Expectations

  • NLD DNB expects a candidate director, commissioner, supervisor or other (co-)policymaker, among others, to be able to indicate what is meant by DORA and what the most important requirements are that this legislation sets regarding digital operational resilience.
  • Depending on position, sufficient knowledge and experience in ICT risk management, ICT incidents, (periodic) testing of digital operational resilience, management of outsourcing risks, and cooperation on exchange of information on cyber threats.
  • Able to take responsibility for ICT risk management, adequately formulate strategy and policy and make verifiable decisions, or supervise them as an internal supervisor.
  • Assessment takes account of specific function, nature, size, complexity and risk profile of the institution and the composition and functioning of the collective.
  • Policymaker responsible for ICT risk management expected to have more in-depth knowledge, experience and competencies on DORA topics than general policymaker.

Effectiveness

  • DORA will apply and be part of personal assessments from Jan. 17, 2025.

Regulators: NLD DNB
Entity Types: Bank; Ins; Inv Co; Pension
Reference: PR, 11/28/2024; DORA Dir 2022/2556, Reg 2022/2554
Functions: BCS; Compliance; C-Suite; Cyber; Financial; Operations; Reporting; Risk; Technology; Treasury
Countries: Netherlands
Category:
State:
Products: Banking; Fund Mgt; Insurance; Pensions
Regions: EMEA
Rule Type: Final
Rule Date: 11/28/2024
Effective Date: 1/17/2025
Rule Id: 235215
Linked to Rule: 223545
Reg. Last Update: 11/28/2024
Report Section: EU

Last substantive update on 12/02/2024