Insurance Europe aisbl

01/24/2025 | Press release | Distributed by Public on 01/24/2025 17:19

Strengthening the industry’s cyber resilience: Insights into the implementation of the Digital Operational Resilience Act


24-1-2025

Opinion by Florence Lustman, President, France Assureurs

The increasing digitalisation of the economy has sparked concerns among policymakers, businesses, citizens, and entire sectors, as this trend also increases the threat of cyber risk. With the adoption of the 2016 Network and Information System (NIS1) Directive, the EU saw its first-ever cybersecurity and reporting requirements for operators of essential services and digital service providers across the European Union. As such, NIS1 has played a crucial role in enhancing cybersecurity and resilience in the EU. However, it created an uneven playing field in the insurance sector, as some countries included insurance companies when transposing the directive (such as France for instance) and others did not.

When the European Commission put forward a proposal for a revision of the NIS (NIS2) Directive in September 2020, it also launched a proposal for a Digital Operational Resilience Act (DORA), setting a framework for cyber-resilience in the financial sector.

DORA was adopted in December 2022 and welcomed by insurers because it harmonises the practices among all European insurers and leads the sector towards a common, high cybersecurity level, based on a framework that was specifically designed for the financial sector. In practice, it means that NIS2 does not apply to insurers, but that instead only DORA does, even in the few countries, including France, which had decided to make use of the option to require a certain number of insurers to comply with the requirements of NIS1. DORA is therefore a positive evolution for the industry.

Development of level 2 measures

The legislative process was, however, not finished with the adoption of DORA, as the European Supervisory Authorities (ESAs) then began work on the "level 2 measures" to support the implementation of the act. These measures consist of a number of Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS) and Guidelines developed over the past two years by the ESAs and the European Commission, with input from industry through consultations.

Within this framework and considering the current context of high cyber-attack risks, the insurance sector has since 2023 devoted considerable resources and energy towards compliance with DORA, performing gap analyses and defining roadmaps. Most insurers were able to partly build on existing practices, since the proposed level 2 measures take into consideration already existing European and international standards, which was a strong request from the market. However, full compliance with DORA for January 2025 (the legal requirement) still represented a major challenge, both in terms of the technical, and IT-related aspects of the requirements, as well as in terms of the contractual and risk management-related aspects.

The insurance industry keenly contributed to the work of the European Supervisory Authorities in developing the level 2 measures. The quality of the work that was done by the authorities is appreciated by companies, as well as the major effort the ESAs made to establish a dialogue with the industry and explain the reasoning behind the texts during very informative public events. This dialogue also took place at national level, where many insurance federations and companies had the opportunity to discuss the draft RTS and ITS with their national supervisory authorities. All these exchanges were fruitful and supported the industry in its efforts to comply with this new comprehensive and robust framework.

The level 2 measures were released in two main "batches", covering several key points for companies. The first batch focused on risk management tools, methods, process and policies, major incident classification, the register of information on contractual agreements with providers, and the policy on the use of ICT services supporting critical or important functions. The second batch focused on the conditions for subcontracting ICT services supporting critical or important functions, defining the timeframe and the reports of major incidents notification, and creating the DORA threat-led penetration testing (TLPT) framework, based on an already existing European framework (TIBER-EU). Alongside these 'batches' of measures, the ESAs also ran consultations regarding the conduct of oversight activities, joint examination teams and determining oversight fees.

The ESAs further prepared a delegated act on the criteria for the designation of critical ICT third party service providers. Establishing the list of the most critical ICT third party providers will be a main activity for the ESAs to undertake in 2025, based on the information provided by companies across Europe through their new register of information reporting under DORA.

Considering the impact of the proposed measures, the industry used the consultation to strongly encourage the ESAs to integrate more proportionality throughout the text of the level 2 measures and to ensure a more risk-based approach, so that entities of all sizes in all markets would be able to comply with the regulation. Another key point raised was the need to avoid excessive complexity, and the need to duly respect the mandate given in the DORA level 1 text.

Beyond January 2025 - the road ahead

Compliance with DORA by January 2025 represented a challenge for financial entities, which was exacerbated by the fact that many of the level 2 measures were only finalised late in the process, including the final text of the standard on the register of information (crucial to a company managing and recording its ICT third-party risks), which was finalised at the end of December 2024. Two standards, on subcontracting and on threat-led penetration testing, remain to be published at this time, which complicates the implementation for companies.

The industry also continues to seek legal clarity over certain aspects of the measures, to ensure that companies can have the answers they need to comply with the various standards and legislation. To further support companies, the industry urges the ESAs and the European Commission to swiftly adopt the remaining measures and provide the necessary clarity and responses to the questions raised so that all companies can swiftly adhere to the required high level of cybersecurity across the Union.
