
Complying with Dutch Authority for the Financial Markets and the Central Bank of the Netherlands regulations

August 17, 2023
Cyrus Tehrani

What are the AFM and DNB?

The Dutch Authority for the Financial Markets (AFM) is the conduct supervisor for the financial markets in the Netherlands. It supervises the conduct of the entire financial market sector: savings, investment, insurance, loans, pensions, capital markets, asset management, accountancy and financial reporting. The AFM focuses on the provision of financial services and products by institutions and the way they deal with customers.

The Central Bank of the Netherlands (DNB) is the prudential supervisor and is responsible for financial stability in the Netherlands. The DNB supervises financial institutions’ financial health and contributes to the stable and reliable functioning of the financial sector: banks, pension funds, insurers and other financial institutions.

The AFM’s role is comparable to that of the SEC in the United States. The DNB, within the European System of Central Banks, determines and implements monetary policy and is responsible for prudential supervision of financial organizations in the Netherlands.

What compliance guidelines do these institutions enforce?

Both institutions have a role in enforcing regulations and guidelines that are often based on European directives and regulations. These cover a wide range of topics, from capital requirements for banks (Basel III/CRD IV/CRR) and insurance companies (Solvency II) to conduct and transparency requirements (MiFID II, IDD), anti-money laundering and counter-terrorism financing (AMLD), and many others.

Who enforces guidelines for data security and privacy in the Netherlands?

The AFM and DNB do not directly issue regulations on data security and privacy.

However, they do enforce compliance with relevant regulations in these areas as part of their supervisory roles.

In the Netherlands, data security and privacy in the financial sector are largely governed by the General Data Protection Regulation (GDPR), the European Union regulation that applies to all EU member states, including the Netherlands. The GDPR sets out requirements for the protection of personal data, including the need for appropriate security measures to protect such data.

Financial institutions in the Netherlands are also subject to the Network and Information Systems (NIS) Directive, another EU regulation that sets forth security requirements for operators of essential services and digital service providers.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the primary regulatory body for privacy and data protection in the Netherlands. It enforces the GDPR and other Dutch privacy laws and provides guidance on data protection matters.

What is the PSD2 all about?

Financial institutions may also be subject to specific security requirements set forth in sector-specific regulations, such as the Payment Services Directive 2 (PSD2) for payment services providers, which includes requirements for strong customer authentication and secure communication.

Key components of the PSD2 include:

  • Open banking
  • Third-party providers
  • Strong Customer Authentication
  • Enhanced Consumer Protection
  • Security and Fraud Prevention

How Concentric AI can help Dutch-based organizations or companies doing business in the Netherlands

As with GDPR, Concentric AI provides a three-step approach to help organizations comply with Dutch guidelines: discover and identify data, monitor and classify data for risk, and remediate data risk issues.


Below is a brief summary of our three-step approach.

In the discovery phase, Concentric AI uses advanced machine learning to scan and categorize sensitive data, regardless of where it’s stored. This helps companies understand what personal data they hold, the legal basis for processing it, the associated risks, and how to respond to data subject requests.

The monitoring phase involves continuous risk assessment. Concentric AI autonomously tracks how sensitive data is used, shared, and accessed — identifying risks from inappropriate permissions, risky sharing, and unauthorized access. Data classification, a crucial step for GDPR compliance, allows companies to identify, categorize, and organize their data based on its sensitivity and importance.

In the remediation phase, Concentric AI’s Risk Distance™ analysis uses deep learning to compare each data element with baseline security practices, identifying risks without rules and policies. The solution can remediate these risks as they occur, such as fixing access control issues or disabling sensitive file sharing.

Concentric Semantic Intelligence™ provides a categorized view of your data and a risk rating for all exposed data. This enables data security, privacy, and compliance teams to easily find and correct inappropriate sharing, unauthorized access, or wrong entitlements of sensitive data, effectively preventing data loss. The solution requires no upfront rules or large teams to operate — all the while reducing risk and protecting GDPR data efficiently.

Customers are successfully using our product in production for petabytes of data for:

Book a demo today to see firsthand — with your own data — how Concentric AI’s solution can quickly and easily be deployed to manage data risk in your organization.

