Responsibilities of the management body under DORA

DORA introduces new compliance obligations regarding ICT risk management, ICT-related incident reporting, resilience testing and third-party outsourcing. DORA assigns the responsibility for the implementation of all arrangements related to the ICT risk management framework specifically to the management body of a financial entity, heightening the accountability of management bodies and their potential liability risks.

Under DORA, a management body will have the following obligations:

  • Manage the ICT risk by putting in place policies to ensure high standards of availability, authenticity, integrity and confidentiality of data;

  • Set clear roles and responsibilities for all ICT-related functions, which include establishing appropriate governance and arrangements to ensure effective and timely coordination among those functions;

  • Bear the overall responsibility for setting and approving the digital operational resilience strategy;

  • Approve, oversee and review the implementation of the ICT business continuity policy and ICT response and recovery plans, and approve and review the entity's ICT internal audit plans, ICT audits and material modifications;

  • Set budgets for the fulfilment of the entity's digital operational resilience needs;

  • Approve and review the entity's policy on arrangements regarding the use of ICT services provided by ICT service providers; and

  • Put in place internal reporting channels covering the arrangements concluded with ICT third-party service providers and any relevant planned material changes in relation to those providers.

In addition, financial entities should put a person in charge of monitoring arrangements with ICT third-party service providers. This includes overseeing risk exposure and documentation regarding such arrangements. In practice, this would often mean supplementing existing contracts between the financial entity and its ICT third-party service providers by adding an addendum to ensure that these are DORA compliant.

Finally, members of the management body must keep their ICT knowledge and skills up to date so that they understand and assess ICT risks and their impact on the entity's operations. This would include an obligation to regularly attend training courses. By adhering to these obligations, the management body ensures that the financial entity maintains a high level of digital operational resilience, thereby protecting its operations and stakeholders from digital disruptions.

Directors' liability under Dutch law

The management body, as defined in DORA, would typically include the board of directors of a company under Dutch law. The Dutch Civil Code requires that the board of directors is responsible for the management of the company, thereby acting in its best interest. The directors have a duty of care in relation to the company and its stakeholders for the proper performance of their tasks.

A distinction should be made between liability towards the company (i.e. internal liability) and liability towards third parties (i.e. external liability). The legal basis for holding the board of directors internally liable is “mismanagement”. For a director's conduct to qualify as mismanagement, there must be serious negligence on the part of the director, for which a high threshold applies.

An important legal basis for establishing external liability is tort, to which a comparably high threshold applies as for internal liability. When substantiating a tort claim, its open norms are often supplemented with soft law derived from international treaties. As the responsibilities and obligations of directors become more detailed and specific, it appears to become easier to hold them accountable and, in case of non-compliance, potentially liable. We expect this trend, which already started with lawsuits against directors based on ESG guidelines and anti-money laundering regulations, to continue, and this heightened accountability may now also extend to ICT risk management.

Accountability of the management body under DORA

Failure by directors to comply with their responsibilities and obligations set out in DORA could result in additional accountability and liability risks. This is because DORA assigns the responsibility for the implementation of all arrangements related to the ICT risk management framework specifically to the management body. Stakeholders of the company may use or exploit this to put pressure on directors of a financial entity.

For example, dissatisfied customers (often consumers) affected by ICT disruptions may consider taking legal action not only against the company based on the existing contractual relationship, but also against the company's directors based on tort. To substantiate tort, any non-compliance by a director with DORA may be used to argue that a duty of care has been breached by the director towards the company's customer with the aim to establish personal liability.

In addition, shareholders of the company may use their rights in the general meeting to compel the board to take action on ICT risk management in order to comply with DORA. They can do this, for example, by placing items on the agenda, exercising their right to speak, or casting their votes (for instance when the directors' remuneration policy is to be established).

Enforcement by the AFM

Besides the potential risk for directors of being liable towards third parties, non-compliance with the responsibility for implementing all arrangements related to the ICT risk management framework may lead to a fine imposed by the AFM on the financial entity as the offender. In addition, or alternatively, the AFM could impose fines on directors personally. To do so, the director must have exercised de facto management regarding the offence. De facto management may be active, or it may be more passive if, for example, the director is aware of the prohibited conduct but fails to act against it.

The AFM can also hold directors personally liable on the basis of tort. In doing so, the AFM must meet the same threshold for establishing liability as any other stakeholder (see 'Directors' liability under Dutch law' above): it must prove serious negligence on the part of the director. From case law, it can be derived that the AFM will only pursue tort liability against directors under specific circumstances.

Conclusion and practical guidance

DORA raises the stakes for financial entities, making it crucial for them to ensure they are well-prepared to navigate through the DORA landscape. Therefore, it is essential to keep DORA on the agenda, monitor and assess the arrangements in place with ICT third-party service providers, ensure adequate training for the board on ICT risks, and maintain the registers of information. Failure to do so could result in additional liability risks for both the financial entity and its directors.

About the authors

  • Kilian Rowel

    Kilian Rowel is a member of the Corporate/M&A group of our firm (CMS) in Amsterdam. He is active in the capital markets and transaction practice, at both national and international level. Kilian advises companies on European financial legislation (such as MiFID, AIFMD and the Prospectus Regulation), on the establishment of platforms, fund structures and the issuance of securities and digital assets. He also advises on all regulatory aspects of a transaction.

  • Maurits Rabbie

    Maurits Rabbie is a member of the Corporate/M&A group of our firm (CMS) in Amsterdam. He specialises in corporate and commercial litigation. In addition, he is a member of the Energy & Climate Change team and has extensive expertise in litigation in this sector. Maurits is experienced in conducting arbitral proceedings (NAI and ICC) and proceedings before the Dutch courts. Maurits is a member of the Dutch Corporate Litigation Association and ICC Netherlands.

  • Clair Wermers

    Clair Wermers (CMS) is active in the capital markets and transaction practice, at both a national and international level. She has particular experience in M&A and asset transactions of licensed companies. She advises clients on all regulatory aspects of a transaction, including discussions with the regulators, market abuse regulations and notification requirements. Clair is also highly involved in Fintech and is a member of the Board of Advisors of 2Tokens, a public-private partnership that aims to set clear rules and guidelines on how to deal with tokenisation.
