The Digital Operational Resilience Act (DORA) is a significant regulatory development aimed at improving the operational resilience of digital financial sector systems in the European Union (EU). DORA was designed to address the growing cyber risks. These regulations went into effect on January 16, 2023. With the Digital Operational Resilience Act (DORA), the EU aims to make the financial sector more resilient with respect to IT disruptions and cyber attacks.
The intention seems to be that DORA should harmonize European and national regulations and potentially make them obsolete. It then enables cross-border financial companies to facilitate international business through comparable regulations and the EU-wide recognition of audits.
The most important requirements:
- DORA will harmonize existing risk management requirements for state-of-the-art technologies across the EU
- In the future, third-party ICT providers will be audited in the same way as banks and insurance companies, which to date have been objects of supervision.
- Hyperscalers will be centrally audited by ESA and national supervisors, and will pay for supervisory activities
- DORA will call for more STEM expertise in management and, by extension, supervisory boards
- Certifiable information security management systems (ISMS) will become European best practice in the financial sector
- Administrative expenses will be increased in the future due to new reporting requirements and approval procedures
- Financial companies declared as critical will prove their digital operational stability on a rotational basis through threat-led penetration testing in accordance with TIBER EU and establish hybrid IT auditing as the standard for manual-automatable audit procedures
- Incident reporting: Insurers are required to report significant ICT-related incidents to the relevant authorities without delay to enable a coordinated response and analysis of potential systemic risks.
DORA creates an EU legal framework "regarding the operational stability of financial sector digital systems." Essentially, DORA summarizes existing regulations regarding security measures, reporting, and the audit of outsourcing, but expands and intensifies them in selected areas. Third-party ICT providers will be included, which will provide the so-called decisive supervisory authority with the necessary means to enforce standards in financial market stability through the option of appeals, such as penalty payments. As a comprehensive set of rules for information security, DORA will have a comparable impact in the three dimensions of organization, regulation and IT in financial companies as that that the GDPR has had in the protection of personal data since it came into force in 2018. While the GDPR applies to the entire economy and administration, but only addresses the protection of personal data, DORA will apply to all financial companies and ICT third-party providers. This includes administrative entities, but DORA aims to protect all information, including personal data.
In addition to the DORA Regulation and the associated Directive, the DORA framework at the EU level includes the Delegated Acts as well as the Guidelines, Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to be prepared by the relevant EU supervisory authorities. However, many countries that are members of the European Economic Area, including Germany, interpret these requirements nationally.
DORA subsumes requirements for security in the financial sector, expands the circle of objects of supervision and imposes new and higher requirements in individual security areas.
DORA's contents
While the three chapters "ICT Risk Management Requirements," "ICT Incident Reporting," and "Digital Operational Stability Audit" address financial companies, the article block "Audit of Risk by ICT Third-Party Providers" also regulates technology providers. Service providers like adesso have to deal in particular with extended contractual requirements that DORA specifies for contractual outsourcing agreements between insurance companies and ICT third-party service providers.
In addition, third-party ICT service providers must also be included in the future when performing threat-led penetration testing.
DORA: current legislative status and timetable
The following figure provides an overview of the development of the DORA regulation over time, until it starts being applied on January 17, 2025.
DORA: Implementation for insurance companies and ICT third-party service providers
DORA contains many requirements that are largely congruent with provisions from existing regulations, such as MaRisk/BAIT (Supervisory Requirements for IT in Financial Institutions), MaGo (Minimum Requirements for the Business Organization of Insurance Companies)/VAIT (Supervisory Requirements for IT in Insurance Undertakings)), KAMaRisk (Minimum Requirements for Risk Management of Capital Management Companies)/KAIT (Supervisory Requirements for IT in German Asset Managers), ZAIT (Supervisory Requirements for IT at Payment Services Providers), EBA Guidelines on Outsourcing Arrangements and EBA Guidelines on ICT and Security Risk Management. However, DORA also contains some deviations or itemizations and additions in comparison with these regulations. Overall, the expanded requirements are leading to comprehensive implementation efforts in the financial sector.
The individual extent depends on the size and the risks from the business model and the respective insurance company's digital operational resilience maturity.
Insurance companies should therefore use the remaining time until the DORA regulation is applied and at an early stage address the implementation of the DORA requirements and their own currently existing digital operational resilience within the scope of a GAP analysis.
In addition, we recommend orienting toward the current VAIT requirements. The results of the current VAIT audit practice and the current initiatives of the EBA/ECB provide additional guidance. In this context, it is urgently recommended that VAIT be directly and effectively anchored and implemented in the company.
Regarding the required penetration testing, we recommend current practices with respect to business continuity planning emergency exercises. In this context, a review of data protection and data security also becomes necessary.
It is also important to note that, according to Recital 16, the DORA Regulation embodies a lex specialis to Directive (EU) 2022/2555 (NIS2 Directive) as DORA also increases harmonization in the EU with respect to the various components of digital resilience by introducing requirements for ICT risk management and ICT incident reporting that are more stringent than those rules that previously applied in financial services law.
Conclusion:
As of January 2025, DORA will be mandatory in all EU member states. Insurance companies should proactively prepare for the implementation of DORA:
- Perform gap analysis: Assess the current situation in terms of governance, risk management and compliance with existing guidelines and standards.
- Create roadmap: Identify priorities and efforts needed to meet DORA requirements.
- Governance and practice alignment: Ensure that governance and operational practices are consistent with the pillars of resilience outlined in DORA.
- Regulatory monitoring: Update new Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that may be established by regulators during the implementation period.
We'd be happy to discuss in greater detail how state-of-the-art insurance software can help make innovative insurance a reality and satisfy the regulatory requirements. Our expert, Karsten Schmitt, Head of Business Development, looks forward to hearing from you.
