5 questions about Dora

The European Regulation Digital Operational Resilience Act (Dora) entered into force at the beginning of this year. Dora contains uniform requirements for the security of network and information systems. Insurers have two years to prepare, but sitting back is not useful advice, according to Anne-Mieke Dumoulin-Siemens of Ekelmans Advocaten.

1. What will happen to insurers and other financial service providers with Dora?

"Dora is a European Regulation. This is one of the strictest forms of regulation applicable to all EU countries. In other words, there is little to no room for personal interpretation. The Member States must therefore take over Dora one on one. The regulation came into force on 16 January 2023 and insurers must comply with the requirements on 17 January 2025. Time will tell whether that transition period is long enough, but of course that also depends on when insurers start it and how much they have to change."

2. Will a lot change for Dutch insurers?

"I can't say for sure yet. Countries now apply their own rules, which means that one member state is (cyber) safer than the other. Dora is mainly intended to set uniform requirements, so that everyone must meet the same requirements and there is no longer a weak link. But the frameworks still need to be fleshed out. For example, this year the European supervisory authorities will draw up regulatory technical standards (see box) that will have to colour in more detail the general rules. How should an insurer put its security in order? What about the access control rules? What does business continuity look like if an insurer is hacked? Such questions should be clarified in early 2024. I think one of Dora's most important points is that the management of an insurer is made responsible for the proper management of ICT risk. That means the board needs to know about the hat and the brim, but also to free up an appropriate budget for cybersecurity. Such rules are needed."

Regulatory standards
European supervisors shall develop regulatory standards for, inter alia:
- ICT security (access control, detection of anomalous activities, business continuity policy, recovery plans);
- content of contracts with (critical) providers of ICT services;
- criteria for serious ICT-related incidents;
- reporting of those serious ICT-related incidents;
- resilience tests;
- the format for the information register containing information on the use of ICT services.

3. Why? Are board members now insufficiently aware of cyber threats and risks?

"Awareness is desperately needed. I recently gave a speech on Dora to an international company in London. I started that story with the threats that are out there right now. Make no mistake, when you see how much damage cyber incidents do, you're shocked. That really runs into the billions worldwide and I'm not even talking about the business loss, because the company is down for days or weeks. Just calculate what it costs if an insurer has to build a completely new ICT system, because the old one can no longer be restored after a hack. Every company must have its own systems in order. Dora is nothing more or less than a logical response to all the threats out there. In this sense, it is also logical that insurers will become responsible for their ICT service providers in these new regulations. Many insurers use such providers and will therefore soon have to make clear agreements in contracts so that these providers meet the same requirements."

"The damage is in the billions worldwide"

4. Waiting a while to see what requirements the European Supervisory Authorities come up with this year is certainly not a good idea?

"I wouldn't recommend that, but that choice is up to the company. It also depends entirely on what the quality of your systems is now and what kind of company you are. If you are a small insurer, with a low risk profile, the requirements are also lower. Not surprising, of course, because with a large company the risk of damage is also higher. Insurers have long been used to complying with existing guidelines and IT risk management standards. I would say that you have to ensure that the ICT housekeeping at least complies with the current rules, so that you will have as little work as possible in the future."

5. What do you recommend to insurers?

"Start with an analysis of the risk and company profile. Where are we now? What is the use of ICT systems? How resilient are we right now? With a so-called GAP analysis you can already find out your strengths and weaknesses. Because even though we can't say yet what exactly will be standardized, it depends on how you are in the competition. If an insurer did a strength-weakness analysis six months ago, with a positive outcome, that is completely different than if it has a strongly outdated system that is glued together with adhesive tape. Based on the current rules, insurers must of course already comply with a certain safety framework. Let me put it this way. Those hackers never wait, they take advantage of the holes that companies themselves drop."

"Hackers never wait. They are taking advantage of the gaps that companies are dropping."