The transition to a Digital Europe is one of the flagship initiatives of the European Union. The financial services sector is an important pillar of the political ambitions of the Commission. Already in 2020, the European Commission presented its Digital Finance Strategy. One of the first concrete proposals coming out of this strategy is the development of a consistent framework for the digital operational resilience of the EU financial services industry. A proposal for this Digital Operational Resilience Act (DORA) was recently subject to a public consultation.
Ireland is an international hub for (re-)insurance, captives and tech firms. The 5th biggest insurance market in the EU (no. 2 for reinsurance) would not only be subject to the new rules, but it would also provide essential services to the rest of the financial services industry to manage and mitigate their risks.
It is the insurance industry’s key objective to support its customers along the full value chain of insurance and not only with the provision of cover. A sound and sensitive risk management and mitigation starts with the awareness for the risk, the individual preparedness of insurance clients and supporting clients in taking protective measures against potential threats, improving resilience to risks and, finally, providing insurance cover.
Therefore, it was a strategic and logical decision that the insurance industry was actively involved in the discussion on DORA from the beginning. The proposals presented by the European Commission present a very good starting point. However, certain elements will have to be addressed. A key area is the focus of the proposal on other criteria than risk. In the insurance industry and the regulation thereof, it is common that risks are put in the spotlight when developing regulation. That approach should also apply to the digital operational resilience of financial services firms. Equally important will be the consistent application of the proportionality principle. Exempting certain undertakings from the scope does not lead to a proportionate application of the new rules. A truly risk-based and proportionate application of DORA will be necessary. Finally, DORA is a cross-sectoral regulation. Therefore, it will be important that the interlinkage to the existing sectoral regulatory regimes is as seamless as possible. For insurers, the prudential regulatory regime, Solvency II, already defines certain elements which are also subject to DORA (e.g. governance of critical functions). The European Insurance and Occupational Pensions Authority (EIOPA) issued guidelines on ICT risk resilience which are currently implemented by the industry. It will be important that there is no double-standard created.
For more information on these and other aspects, please, see our contribution to the European Commission consultation on DORA attached. In case of any question or need for further information, please, contact email@example.com
 Proposal for a Regulation of the European Parliament and the Council on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) 600/2014 and (EU) 909/2014