• Home
  • News
  • Arendt & Medernach - Digital Operational Resilience Act (DORA) – the countdown for (re)insurers to get ready

Arendt & Medernach – Digital Operational Resilience Act (DORA) – the countdown for (re)insurers to get ready

Article written by Arendt & Medernach as part of the sponsorship of ACA Insurance Days 2023, whose content is the sole responsibility of its author.

Introduction

The financial sector has recently faced turbulent times in the form of pandemics and geopolitical conflicts, which has led to an acceleration in digitalisation and consequently, a growth in cyber risks, particularly for the (re)insurance industry.

In October 2021, as part of European Cybersecurity Month, the European Insurance and Occupational Pensions Authority (EIOPA) stressed that insurers are a natural target for cyberattacks due to the fact that they hold substantial amounts of protected and sensitive personal information(1). More recently, following the Russian invasion of Ukraine, the Commissariat aux Assurances (CAA) published an information note for the attention of all entities under its supervision in which it emphasised the need to reinforce “cautionary measures related to IT security (against cyber attacks)” (2).

As digitalisation is inevitable and unavoidable, and as cyber threats are likely to increase and become more sophisticated over time, the insurance industry, alongside the rest of the financial industry, must ensure that it is protected by strong digital operational resilience. The publication of the Digital Operational Resilience Act (DORA) by the European Commission is thus a direct response to this need, which will apply to the vast majority of the (re)insurance stakeholders.

DORA: an overview

DORA entered into force on 16 January 2023 and will apply from 17 January 2025. Its objective is to create an EU-level framework on digital operational resilience, whereby all EU financial entities are required to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. This includes cyberattacks and all other forms of ICT-related incidents.

The five pillars of resilience

Financial entities will have to comply with the five pillars of resilience enshrined in DORA:

  1. The first pillar concerns the implementation of a sound ICT risk management framework. In particular, (re)insurers need to ensure that their ICT governance “ticks the DORA boxes” and that their ICT documentation (policies, procedures, inventories and other tools) covers all mandatory topics. The management bodies are crucial to ensuring compliance with this requirement because DORA explicitly requires their members to actively update their knowledge and skills to be able to understand and assess ICT risks and their impact on the operations of the financial entity.
  2. The second pillar provides for ICT-related incident management, classification and reporting obligations.
  3. The third pillar describes the sound and comprehensive digital operational resilience testing framework that now must be established, maintained and reviewed as an integral part of the ICT risk management framework. The testing framework must also include procedures and policies on how to prioritise, classify and remedy all issues revealed through the tests.
  4. The fourth pillar details the key obligations for effective management of ICT third-party risk. Insurers must establish a strategy on managing ICT third-party risk (in particular by including a policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers) and maintain a register of information related to all contractual arrangements on the use of ICT services. In addition, specific key contractual provisions must be covered in agreements with ICT third-party providers, with a particular focus on critical or important third-party providers and control of the entire subcontracting chain.
  5. The fifth pillar provides the possibility, optionally, for financial entities to exchange cyber threat information and intelligence amongst themselves.

Additional policy products (DORA level 2)

The three relevant European Supervisory Authorities (EBA, EIOPA and ESMA – ESAs) have been mandated to jointly develop several policy instruments in 2 successive batches: 8 Regulatory Technical Standards (RTS), 2 Implementing Technical Standards (ITS) and 2 guidelines are planned to be released. Those technical standards aim to establish a sufficiently detailed and harmonised legal framework that complements the 5 DORA pillars.

On 17 January 2024, the ESAs published the first set of final rules for ICT and third-party risk management and incident reporting frameworks, following a public consultation that ran until 11 September 2023 and yielded 420 responses from market participants. The second batch is currently the subject of a public consultation that will continue until 4 March 2024, with the final publication on 17 July 2024.

Fines for non-compliance

DORA itself does not provide for fines in the event of failure to comply with the regulation, instead leaving EU Member States the freedom to determine “effective, proportionate and dissuasive” administrative penalties and remedial measures. However, Luxembourg bill of law 8291 implementing DORA, published in August 2023, states that (i) the CAA is the competent authority in Luxembourg with supervisory power to monitor the application of DORA by concerned entities, and that (ii) administrative fines for non-compliance with DORA may reach up to EUR 5,000,000 with regard to natural persons and up to EUR 5,000,000 or up to 10% of total annual turnover with regard to legal entities(3).

Less than a year left to get ready – can it be done?

On the one hand, (re)insurers are obviously not starting with a blank slate when creating their ICT risk management framework. (Re)insurers should already have a framework in place that has established risk-based ICT risk management measures partially in line with DORA, the Solvency II Directive, EIOPA Guidelines on information and communication technology security and governance(4), and other national initiatives(5)). Nevertheless, the clock is ticking, and DORA implementation is an essential item on the agenda for (re)insurance companies when considering their main operational transformation projects in 2024. Given its numerous and burdensome requirements, deciphering and implementing DORA will give rise to a significant workload for (re)insurers.

Firstly, carrying out a gap analysis appears to be a vital step to lay solid foundations for the DORA compliance project. Secondly, as part of their plan, (re)insurers will need to (i) conduct an in-depth review of their ICT policies, procedures and tools so as to adequately cover the 20 mandatory topics(6) and to prepare for the new reporting requirements (e.g. major ICT-related incidents) and to (ii) map all their ICT assets and ICT third-party service providers, so as to classify them depending on their criticality and to align the corresponding agreements, risk assessments, due diligence and monitoring with the list of requirements under DORA.

Footnotes:

  1. “Cyber risks: what is the impact on the insurance industry?”, News article, EIOPA, 15 October 2021
  2. Information note 22/5, CAA, 10 March 2022
  3. Bill of law 8291 on the digital operational resilience of the financial sector
  4. EIOPA-BoS-20/600
  5. For instance, CAA circular letter 21/15 amending and supplanting circular letter 20/13 on cloud outsourcing. 
  6. Regulatory Technical Standards (RTS) on ICT risk management framework and on simplified ICT risk management framework.

Authors:

Find out more:

Cybersecurity & Information Protection > https://www.arendt.com/jcms/p_62117

Insurance & Reinsurance Law practice > https://bit.ly/ArendtInsurLaw

Share