How 3rdRisk supports AFM DORA compliance standards in 2026
Get ready for AFM’s 2026 DORA supervision focus. This blog explains what the latest AFM expectations mean for incident management, outsourcing oversight, resilience testing, and the DORA Register of Information, plus how 3rdRisk helps you capture evidence, stay audit-ready, and submit the right reporting format on time.

In 2025, a lot of teams worked hard to get “DORA compliant”, but in 2026 having that label is not enough.
The AFM has made it clear that it is intensifying supervision of DORA in practice, with closer attention on the areas that tend to break under pressure: incident management, outsourcing, and reporting, plus testing digital resilience. In other words, it is time to show your workings, not just your policy documents.
If you are responsible for third-party risk management (TPRM) or ICT governance, this is both bad news and good news.
The bad news: You will probably be asked for evidence that lives across multiple teams, tools, and suppliers.
The good news: The evidence is very buildable, as long as you turn it into a repeatable workflow.
This blog walks you through what AFM’s 2026 priorities mean in practice, what artefacts you will want ready, and how 3rdRisk helps make “audit-ready” feel like a normal Tuesday.
What the AFM is focusing on for DORA in 2026
AFM’s 2026 priorities include enhanced supervision of DORA compliance, with follow-up reviews aimed at incident management, outsourcing, and reporting. There is also explicit attention on testing digital resilience.
That combination matters because it shifts the conversation from “Do you have a framework?” to “Can you demonstrate operational control?”
In practical terms, think in four buckets:
- Reporting readiness, especially the Register of Information (RoI) and your ability to produce it in the required format, on time.
- Outsourcing evidence, including concentration risk, substitution options, exit planning, and visibility into subcontracting and fourth parties.
- Incident capability, including clear thresholds, an escalation trail, and evidence you can detect, decide, and report without improvising.
- Testing and remediation, meaning planned testing, results, and follow-up actions you can track and prove.
If you can show those four buckets clearly, you tend to have a much calmer supervisory experience.
The DORA Register of Information is now a practical supervisory test
Under DORA, the RoI is not meant to be a “vendor spreadsheet you dust off once a year”. It is a structured view of your contractual ICT dependencies, used by supervisors and the ESAs, including for the EU-wide process of designating critical ICT third-party providers.
In the Netherlands, AFM and DNB collect registers and forward them to the ESAs, so you are not just reporting “for the sake of reporting”. You are feeding an EU oversight mechanism.
What AFM expects for the 2026 submission
AFM has already set expectations around the 2026 RoI request cycle:
- Companies required to submit will have received an information request in December 2025.
- The deadline communicated by AFM is 22 March 2026.
- Submission must be in xBRL-CSV. AFM has stated it converted Excel files as a one-time service previously, but in this cycle organisations must submit in the correct format themselves. If AFM receives a different format, it cannot forward it and will request a new version.
- AFM’s RoI guidance also includes practical details: upload via the AFM portal, submit as a zip file, and follow specific naming conventions. It also warns that not all converters are suitable and you must generate xBRL-CSV (not iXBRL).
Errors are common. The EBA has published resources for RoI preparation and validation, including documentation of common error types and what leads to rejection (for example, foreign key constraint violations, primary key missing, or missing filing indicators).
That is why “we will fix it in the final week” is a risky strategy. The earlier you validate and clean your data, the better.
How 3rdRisk helps you keep the register complete all year
The simplest way to reduce RoI stress is to treat your RoI as an output, not a project. Meaning: if your third-party and contract governance is clean, your RoI export should feel routine.
3rdRisk supports that approach by giving you a central third-party catalogue and contract catalogue where you can register third parties, track multiple contracts per third party, segment risk profiles, assign ownership, and keep contract lifecycle information in one place. It also provides a protected audit log that records data changes (who changed what and when), which is exactly the kind of “show me the trail” proof supervisors and auditors value.
Inside a RoI workflow, that tends to look like this:
New ICT third-party need identified
→ Create third-party record and assign owner + risk profile
→ Create contract record and link to the third party
→ Map the contract to ICT service and supported business function
→ Set criticality tier and control expectations
→ Run due diligence and store evidence
→ Monitor changes and log issues + action plans
→ Validate RoI data quality and fix gaps early
→ Export RoI in xBRL-CSV, package as zip, apply naming conventions
→ Submit to AFM portal and respond to feedback
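The EBA error types listed earlier (foreign key violations, missing primary keys, missing filing indicators) and the “validate RoI data quality” step of the workflow above can be caught before submission with a small pre-check. The script below is an added example, not 3rdRisk code and not the official RoI templates: the table names, column names and sample rows are simplified, constructed placeholders that stand in for an xBRL-CSV export.

```python
"""Pre-submission checks on a simplified, constructed RoI data set.
Mirrors three rejection causes named by the EBA: missing primary keys,
foreign-key violations and missing filing indicators. Table and column
names are placeholders, not the official RoI templates."""
from collections import Counter

# Constructed sample: a third-party table, a contract table that references
# it, and the filing indicators declaring which tables the package contains.
THIRD_PARTIES = [
    {"tp_id": "TP-001", "name": "Cloud Hosting Ltd"},
    {"tp_id": "TP-002", "name": "Payments SaaS BV"},
    {"tp_id": "TP-002", "name": "Payments SaaS BV"},  # duplicate key
]
CONTRACTS = [
    {"contract_id": "C-100", "tp_id": "TP-001", "function": "Core banking"},
    {"contract_id": "", "tp_id": "TP-002", "function": "Payments"},  # empty key
    {"contract_id": "C-102", "tp_id": "TP-999", "function": "Reporting"},  # orphan
]
FILING_INDICATORS = {"third_parties"}  # indicator for "contracts" forgotten


def check_primary_key(rows, key, table):
    """Flag blank and duplicated primary keys in one table."""
    errors = [f"{table}: row {i} has empty {key}"
              for i, r in enumerate(rows) if not r.get(key)]
    counts = Counter(r[key] for r in rows if r.get(key))
    errors += [f"{table}: duplicate {key} {v}" for v, n in counts.items() if n > 1]
    return errors


def check_foreign_key(rows, key, parent_rows, parent_key, table):
    """Every reference must resolve to an existing parent row."""
    parents = {p[parent_key] for p in parent_rows if p.get(parent_key)}
    return [f"{table}: {key} {r.get(key)} has no matching {parent_key}"
            for r in rows if r.get(key) not in parents]


def check_filing_indicators(indicators, tables_present):
    """Each non-empty table needs its filing indicator set."""
    return [f"filing indicator missing for {t}" for t in sorted(tables_present - indicators)]


def validate_roi(third_parties, contracts, indicators):
    """Run all checks; an empty list means the data set passed."""
    errors = check_primary_key(third_parties, "tp_id", "third_parties")
    errors += check_primary_key(contracts, "contract_id", "contracts")
    errors += check_foreign_key(contracts, "tp_id", third_parties, "tp_id", "contracts")
    present = {n for n, rows in (("third_parties", third_parties), ("contracts", contracts)) if rows}
    errors += check_filing_indicators(indicators, present)
    return errors


if __name__ == "__main__":
    for e in validate_roi(THIRD_PARTIES, CONTRACTS, FILING_INDICATORS):
        print("REJECT:", e)
```

Run against the constructed sample it reports four findings, one per planted defect; running the same checks on every export during the year is what turns the final-week fix into a non-event.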
Example DORA RoI export, simplified through the 3rdRisk platform:
Now, it is only fair to say: your organisation still owns the quality of the data. But what good tooling does is remove avoidable friction:
- You know where the “source of truth” lives.
- You can see who owns which records.
- You can maintain an audit trail without chasing emails.
- You can export and validate earlier, not later.
Want a quick refresher on how to implement the DORA Register of Information? Then click this link for the full article.
Outsourcing and concentration risk: From policy text to an evidence-backed view
Outsourcing risk is not new. What is changing is the level of evidence expected, and the level of dependency many institutions have built up.
The ECB’s supervisory analysis highlights how significant institutions spend substantial budgets on outsourcing, including ICT services, and it explicitly flags concentration among a limited number of providers, plus increasingly complex supply chains (including sub-outsourcing).
In practice, an evidence-backed outsourcing and concentration view usually includes:
- A clear list of ICT services supporting critical or important functions (and why they are classified that way).
- Substitutability thinking: where switching is realistic, where it is not, and what mitigations exist.
- Exit strategies that are not generic boilerplate.
- Fourth-party awareness: you do not need to map every subcontractor on earth, but you do need to show you have asked, recorded, and monitored where it matters.
How 3rdRisk supports this is mostly about making the work structured:
- The third-party catalogue supports registering third parties, contracts, ownership, segmentation, and risk and compliance events in one place.
- Ecosystem assessments let you run structured assessments across your third parties, with follow-up via issues and action plans, in a central auditable process.
- Dashboards support visibility into segmentation and active contracts, and help track issues linked to third parties.
In the video below you can see how 3rdRisk helps you keep a clear overview of your third-party ecosystem:
Incident management and reporting: Prove you can detect, decide, report
Let’s be blunt: incident reporting is not just a box-tick exercise anymore, because third parties are a very real part of the incident story.
Verizon’s 2025 DBIR executive summary reports that third-party involvement doubled from 15% to 30% of breaches analysed. And KPMG’s research points to the real business impact when programmes are inefficient and fragmented, including reputational exposure.
In supervisory conversations, incident management evidence usually becomes credible when you can show:
- Detection to decision: when did you first detect, who assessed, and how was severity decided.
- Escalation: who was notified, when, and through what process.
- Reporting trail: what you reported externally (if applicable), and what supporting info you had at the time.
- Post-incident follow-up: what changed afterwards (controls, contracts, supplier oversight), and how you tracked remediation.
3rdRisk supports this by helping teams structure incident logging and follow-up. For example, 3rdRisk describes incident management support as part of its DORA compliance optimisation guidance. On top of that, the platform audit log captures data changes across modules, supporting later evidence requests.
One practical tip that reduces pain: Link incidents to the same third-party and contract records you use for your RoI and outsourcing oversight. That turns an incident from a one-off story into a governance loop you can evidence later.
Testing digital operational resilience: Build a programme, not ad hoc tests
AFM has explicitly named testing digital resilience as a 2026 focus area.
Supervisors tend to look for:
- A planned set of tests (what, when, and why), with proportionality.
- Results and evidence attached to each test.
- Clear remediation tracking and closure.
3rdRisk’s internal control assessment process supports documenting test activities and attaching evidence, with optional validation and verification stages, and it provides an Issues tab to follow up on control deficiencies. The action plans module adds structure for remediation planning, including ownership, deadlines, and a timeline view.
This combination is useful because it turns testing into a repeatable cycle: test, evidence, conclude, remediate, re-test.
Governance and asset visibility: Show ownership of ICT risk end to end
DORA governance rarely fails because people do not care. It fails because responsibility is fuzzy, data is scattered, and everyone assumes someone else has the master view.
A simple governance model for 2026 AFM supervision should make it obvious:
- Who owns the RoI and its data quality.
- Who owns outsourcing oversight and concentration reporting.
- Who owns incident thresholds and internal escalation.
- Who maintains the testing calendar and remediation tracking.
- How management reporting is produced (and how often).
3rdRisk’s platform materials support role-based governance and cross-module traceability, for example through predefined roles, frameworks that can be associated with third parties and contracts, and an audit log that cannot be altered by users.
In the video below you can see how the platform provides an overview of the DORA specific frameworks, as well as the controls. The users can see who owns them, the frequency, result and more.
Conclusion
AFM’s 2026 direction of travel is clear: demonstrate that DORA works in practice, in the places where organisations often struggle.
If you want a lightweight way to pressure-test your readiness, here is a short checklist aligned to AFM’s focus areas:
- RoI submission readiness: xBRL-CSV capability, naming conventions, zip packaging, validation and rework time baked into the plan, and a year-round data ownership model.
- Outsourcing and concentration view: Critical services mapped, concentration hotspots visible, subcontracting understood where it matters, and exit plans that are actionable.
- Incident reporting trails: Thresholds, escalation, decision logs, evidence attachments, and post-incident remediation tracked.
- Testing cadence: A programme (not ad hoc), with results and follow-ups that can be shown.
- Governance evidence: Roles, responsibilities, and audit trails that make updates and decisions traceable.
If you recognise the “we can do this, but it takes too much manual stitching” feeling, that is exactly the gap 3rdRisk is built to close, especially with our DORA-specific framework.
Want a practical RoI and 2026 supervision readiness check? Book a 3rdRisk demo and we will walk through a sample RoI workflow, show how audit trails and evidence storage work, and help you identify the repeatable parts you can automate.