Financial services and technology are becoming increasingly intertwined. Financial services firms (including (re)insurers) are becoming more and more reliant on and exposed to digitalisation through information and communication technology (ICT).
Accordingly, the European Commission (the Commission) is considering a multi sectoral European Union (EU) wide approach through a proposed directly effective EU regulation, the Digital Operational Resilience Act (DORA). DORA will be a key part of the Commission's wider new digital finance package (DFP).
The DFP measures aim to further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks and increasing regulatory harmonisation throughout the EU. This is in line with the Commission's priorities to transform the EU into a digitally advanced economy for businesses and consumers.
The Commission has noted that the EUs current legal framework for ICT risk and operational resilience across the financial services sector is fragmented and not fully consistent. This fragmented legal framework is layered with divergent guidance from the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Market Authority. This has resulted in a range of different approaches being applied to the different constituent parts of the EU's financial services sector.
DORA will apply to a very broad range of financial services entities in the EU, including (re)insurers and (re)insurance intermediaries. The obligations imposed by DORA on regulated firms will be in addition to their current ICT risk requirements. Currently, (re)insurers must comply with specific requirements in relation to external service providers and ICT risk management requirements.
The obligations DORA will impose on regulated firms include the following:
- ICT risk management.
- ICT-related incident reporting.
- Digital operational resilience testing.
- Monitoring ICT third-party risk.
- Information sharing.
- An oversight framework of ICT third-party service providers.
What are the next steps?
The adoption of DORA will introduce a much-needed consolidated approach to ICT risk management in the EU's financial services sector. DORA will contribute significantly to the transformation of the provision of financial services across the EU.
The proposal is currently progressing through the EU’s ordinary legislative procedure. The European Parliament and the European Council have commenced their individual procedures to progress the proposal. It Is likely that the co-legislators may introduce additional amendments, so the final version of the legislation may differ from the draft proposed by the Commission. It is anticipated that the legislative review of DORA could take up to 24 months to complete.