The Importance of De Nederlandsche Bank’s Good Practice Information Security in DORA Legislation

In the modern digital world, information security has become a crucial aspect to ensure the privacy and integrity of sensitive data. With the ongoing digitalisation of financial services, De Nederlandsche Bank (DNB) has developed a set of Information Security Good Practices. These Good Practices are designed to help the financial sector implement effective measures to manage information security risks. In addition to the Good Practices, the European Union introduced the Digital Operational Resilience Act (DORA), a comprehensive legislation created to strengthen the digital resilience of the financial sector.

In this article, we discuss both legislative frameworks, the relationship between the DORA legislation and DNB’s Information Security Good Practice, and how together they can contribute to robust information security design.

The DORA legislation

The DORA legislation aims to strengthen the resilience and security of financial institutions in the digital age. It emphasises the continuous availability, integrity, confidentiality, and resilience of information systems. The legislation imposes requirements on financial institutions’ internal processes and procedures, including establishing a documented operational resilience strategy and implementing effective security measures. The legislation came into force from January 2023, after which organisations have two years to comply. From January 2025, the DORA legislation will formally apply.

The DORA legislation aims to strengthen the resilience and security of financial institutions in the digital age.

DNB’s Good Practice Information Security

DNB’s Information Security Good Practice is a set of guidelines and recommendations for pension funds to implement robust information security policies. It focuses on several aspects, including risk management, employee awareness, technical security measures and incident response. The aim of the Good Practice is to help financial institutions identify, evaluate and manage information security risks, as well as ensure compliance with relevant laws and regulations. DNB carries out periodic assessments of pension funds to determine the extent to which they comply with Good Practice Information Security (the maturity level of the control measures). DNB provides the benchmark report on the results of these assessments.

The aim of the Good Practice is to help financial institutions identify, evaluate and manage information security risks, as well as ensure compliance with relevant laws and regulations.

Synergy between DORA and Good Practice Information Security

The DORA legislation and DNB’s Good Practice Information Security complement each other and contribute to a safer financial ecosystem. DORA lays down basic requirements that financial institutions must comply with, while the Good Practice provides detailed guidelines to implement these requirements. By implementing DNB’s Good Practice, financial institutions already broadly comply with the requirements of DORA.

Projective Group’s vision

For the execution of services in the pensions industry, the organisations involved collect and process (a lot of) information. Due to the ever-growing and connected digital world, the security of this information is crucial. More information security guidelines and regulations are a logical consequence. Organisations struggle to attract knowledge holders in this field and make investment choices to properly implement and sustainably implement information security. In addition, the translation of laws and regulations into practice is complex and requires a lot of effort. Close cooperation in which the translation of laws and regulations into practice is an important success factor to realise cyber resilience and security of pension funds and insurers.

How do we support our customers and cooperation partners?

We advise and support our clients and cooperation partners in implementing DNB’s Information Security Good Practice and the DORA legislation. We do this by informing or training organisations in the available guidelines and legal frameworks, translating these frameworks into a concrete approach so that they are properly implemented and focusing on synergy between compliance with national and international laws and regulations. Finally, we support our clients in sustainably securing information security and increasing cyber resilience.

By working together with our clients, we are committed to the information security, fairness and future-proofing of the Dutch pension and insurance market. Would you like more information on the implementation of this legislation? Get in touch with us. We are ready to answer your questions and help you further.

About Projective Group

Established in 2006, Projective Group is a leading Financial Services change specialist. With deep expertise across practices in Data, Payments, Transformation and Risk & Compliance.

We are recognised within the industry as a complete solutions provider, partnering with clients in Financial Services to provide resolutions that are both holistic and pragmatic.  We have evolved to become a trusted partner for companies that want to thrive and prosper in an ever-changing Financial Services landscape.