What does the AFM Agenda 2026 mean for your organization?

Those who lack control now will soon be left behind

The Netherlands Authority for the Financial Markets (AFM) recently published its Agenda 2026, and there can be no doubt about it: digital resilience, responsible use of AI, and tackling financial crime are high on the agenda. Supervision is becoming more intensive, data-driven, and more European-oriented. For financial institutions, this means one thing: being demonstrably in control is no longer an option, but a requirement.

From policy to practice

The AFM has identified three key priorities that will receive explicit attention in 2026. Each of these themes requires control over risks, processes, and controls.

AI: responsible use and the ability to explain
AI offers opportunities for efficiency and better decision-making, but also introduces new risks. Think of opaque algorithms, data bias, and unintended customer impact. The AFM expects organizations to fully map their AI applications, including model risks, data quality, and decision logic. Incidents must also be actively reported. This requires more than individual policy documents. Organizations must have continuous insight into where AI is being deployed, the associated risks, and how control measures are demonstrably effective.
Digital Resilience: DORA in practice
With the Digital Operational Resilience Act (DORA), the focus shifts from planning to action. Incident management, outsourcing, and testing of digital resilience are being concretely assessed. The dependence on (external) IT suppliers and supply chain partners makes this particularly complex. The key question for organizations: can you demonstrate that your critical processes are continuously under control, even when something goes wrong?
Financial Crime: A targeted approach to fraud and money laundering
Investment fraud and money laundering continue to undermine confidence in the financial sector. The Netherlands Authority for the Financial Markets (AFM) is intensifying its supervision, collaborating with banks, and preparing for European AMLA regulations. Institutions are explicitly held accountable for their gatekeeper role and risk-based approach.

The key principle here is that those who do not systematically monitor risks are lagging behind.

Gaining and maintaining control requires an integrated approach

What these three themes have in common is the need for current, coherent, and demonstrable insight. Disparate spreadsheets, manual checks, or fragmented tools fall short in this regard. Supervisory authorities expect organizations to have real-time insight into their risks and control measures.

Therefore, more and more organizations are opting for an integrated GRC approach, combining risk management, compliance, information security, and privacy. By continuously monitoring controls instead of periodically reviewing them, peace of mind and confidence is created: for management, auditors, and supervisory authorities.

Looking ahead pays off

The AFM Agenda 2026 makes it clear that supervision will not only become stricter, but also smarter. Organizations that invest now in oversight, automation, and data-driven working create a strategic advantage. Not because they have to, but because it helps them manage better, adjust more quickly, and avoid surprises.

Or, as AFM Chair Laura van Geest puts it: “Confidence in the financial markets cannot be taken for granted.” Ensuring that your organization is demonstrably in control is no longer just a checkbox, it is a prerequisite for sustainable success.

Share this article