The final proposal for the regulatory technical standards (RTSs) was published today. These are measures that you must take as an insurer to comply with the Digital Operational Resilience Act (DORA).
DORA sets uniform requirements that all financial institutions must meet in order to improve resilience against cyber threats throughout Europe. These requirements have now been translated into measures to be taken through so-called regulatory technical standards. These measures are:
- for a company's IT security (access management, detection of anomalous activities, business continuity policy, recovery plans)
- the content of contracts with (critical) ICT service providers. Under the new regulations, insurers are responsible for the providers of their ICT services. Contracts must contain clear agreements so that providers meet the DORA requirements
- with criteria for major ICT-related incidents
- for the reporting of major ICT-related incidents
- to perform resilience tests
- for a template for the information repository containing information on the use of ICT services.
Plea for proportional rules
In September 2023, the Association, together with Insurance Europe, announced that the first set of draft lower regulations does not take sufficient account of the specific size and risks of insurers. The Association has argued for rules that insurers can easily translate into measures that are operational and financially feasible. In the coming period, the Association will assess the RTSs that have now been published for their feasibility for insurers.
Second round of RTSs
In the meantime, the consultation on the second round of RTSs is ongoing. These were published in December and the Association, together with Insurance Europe, will respond by the beginning of March at the latest.
In March, the Association is organising a webinar on the consequences of DORA for insurers. Keep an eye on the website of the Covenant.
Was this article useful?