001 Design / Case Study
Streamlining DORA & Cybersecurity Reporting for 500+ Institutions
Client: Autoriteit Financiële Markten (AFM)
Role: Lead UX/UI Designer
Deliverables: DORA Compliance Reporting System, AFM Portaal Redesign, WCAG 2.2 AA compliance, Updated AFM Design System
Unifying statutory reporting tools under the EU's Digital Operational Resilience Act (DORA) into a single ecosystem while transitioning the Dutch Authority for the Financial Markets (AFM) from opinion-based design to data-driven UX.
The Challenge
The AFM faced a dual crisis. First, their existing AFM Portaal was shipped with little usability testing, resulting in a fragmented ecosystem of ~60 statutory forms with high error rates and soaring support tickets. Concurrently, they faced a strict legal deadline to implement the EU’s Digital Operational Resilience Act (DORA) for cybersecurity reporting by November 2024, but possessed no digital infrastructure to intake or triage these massive reports.
The Approach
To rescue the AFM Portaal, I secured R&D resources for dedicated user testing, which is an unusual step for the risk-averse organization. I established an empirical baseline using System Usability Scale (SUS) tracking and introduced a custom severity framework (Criticality × Impact × Frequency) to dictate the product roadmap. For the time-sensitive DORA system, I prioritized "familiarity over novelty," utilizing radically simple progressive disclosure for external users and mirroring existing internal workflows for AFM supervisors so they wouldn't have to learn new software during active cyber crises.
The Outcome
We successfully shipped the Netherlands' first DORA reporting system ahead of the regulatory deadline (November 14, 2024). The unified Portaal 2.0 consolidated fragmented sub-portals and significantly dropped error rates, establishing a standardized UX governance model for the entire AFM-supervised sector.
Lessons Learned
Data is the ultimate alignment tool for risk-averse executives; empirical frameworks completely stop subjective design arguments. Furthermore, when designing for extreme situations (like cyber crisis reporting), cognitive ease and system familiarity must always take precedence over innovative or trendy UI paradigms.