Readiness for DORA
The Digital Operational Resilience Act (DORA) will apply with direct effect in all Member States from 17 January 2025. DORA introduces new standards for relevant financial entities as regards the management of cyber security risk and information and communication technology (ICT) risk.
The article highlights key elements for (re)insurers and intermediaries, as well as detail on categories of firm that may be exempt from DORA.
Background to DORA
DORA is a cross-sectoral European regulation which consolidates and upgrades existing provisions that previously operated only on a more localised basis. This includes application to (re)insurers and intermediaries. In-scope areas include digital operational risk, outsourcing, operational resilience, recovery planning, IT and cybersecurity risk. These will now be within a single piece of legislation. The regime will sit alongside (and in the event of conflict take precedence over) other prescriptions such as the Central Bank’s Cross Industry Guidance on Outsourcing, Guidance on Operational Resilience and Guidance on IT & Cyber Security Risks.
DORA requires in-scope regulated firms, such as those in the (re)insurance sector, to apply ICT risk management standards and ICT risk management frameworks consistently. It is recognised that regulated firms across Europe must have a better understanding and control over the cyber and ICT risks specific to their businesses. A key objective of DORA is that each regulated firm, such as those in the (re)insurance area, can better understand and be prepared for ICT and cyber security threats.
DORA also dictates minimum requirements for contractual arrangements with ICT third-party service providers, such as cloud providers, addressing the perceived imbalance in bargaining power. Up until now, this imbalance has sometimes made it difficult for (re)insurers and intermediaries to negotiate operational risk provisions with such counterparties. DORA gives a mandate to EU supervisory authorities to regulate Big Tech, where categorised as ‘critical ICT third-party service providers’. This should help address what are seen as concentration risks within the financial services industry in providers such as AWS, Azure and Google Cloud.
Scope for (re)insurance industry
The base position under DORA is that it applies to all ‘financial entities’ (otherwise known as ‘regulated firms’) as well as applying to ICT third-party service providers. DORA prescribes 23 different types of regulated firm that are in scope. It includes, as the default position, all Solvency II insurance and reinsurance undertakings as well as Insurance Distribution Directive insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries. While not the focus of this article, it should be borne in mind that the ‘financial institution’ definition, depending on member numbers, includes occupational pension schemes, thus extending the new IORP II regime requirements further.
Although broad application is the basic position (and most Solvency II (re)insurers, given turnover, balance sheet size and headcount levels, will likely be in scope), DORA does allow certain carve-outs. These carve-outs, subject to threshold tests, disapply the requirements for ‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’. This may be particularly relevant for smaller (re)insurance intermediaries or (re)insurers in run-off. The tests are as follows:
- ‘microenterprises’: fewer than 10 employees and annual turnover and/or annual balance sheet total not exceeding €2m
- ‘small enterprises’: at least 10 employees but fewer than 50, with annual turnover and/or annual balance sheet total over €2m but not exceeding €10m
- ‘medium-sized enterprises’: firms that are not ‘small enterprises’, employing fewer than 250 persons and with an annual turnover not exceeding €50m and/or an annual balance sheet total not exceeding €43m
General principles
DORA specifies that financial entities, such as (re)insurers and intermediaries, will need to manage their ICT third-party risk in accordance with the following principles:
- have contractual arrangements for the use of ICT services which are fully compliant with applicable financial services law, including DORA; and
- the management of ICT third-party risk must follow the principle of proportionality. It should consider the nature, scale, complexity and importance of the relevant ICT dependencies and the associated risks arising from the contractual arrangements.
DORA sets out requirements relating to governance structures, systems and controls. The management of a (re)insurer or intermediary firm will have to define, approve, oversee and be accountable for the firm’s ICT risk management framework. This includes the following:
- ICT risk management framework: The ICT risk management framework must be sound, comprehensive and well-documented.
- ICT security: ICT security must be monitored and reviewed. Firms must identify ICT-related issues and employ mechanisms to detect potential ICT threats or problems.
- ICT incident management, classification and reporting: DORA promotes a consistent and integrated process to detect, manage and notify ICT-related incidents. Standardised reporting templates must be used, and relevant incidents must be reported to the competent authority within prescribed timeframes. Contact with service users or customers may be necessary, depending on the circumstances.
- Testing: DORA requires comprehensive digital operational resilience testing of ICT tools, systems, methodologies, practices and processes. Independent parties must conduct testing of financial entity ICT. Critical ICT systems and applications should be tested by in-scope firms at least every 12 months. Some financial entities will be required to complete threat-led penetration testing no less than every three years.
- Sharing information: DORA will oblige financial entities to share cyber-threat-related information and intelligence.
- ICT third-party risk management: ICT third-party risk is a key part of the ICT risk management framework. Under DORA, ICT third-party service providers designated as ‘critical’ will be subject to oversight by a European Supervisory Authority (EBA, ESMA and/or EIOPA). Third-country critical ICT third-party providers must establish an EU subsidiary within 12 months of a ‘critical’ designation to continue providing services within the EU. Contractual arrangements with ICT third parties will be important in this context.
Uplifts to processes and contractual agreements
(Re)insurers and more sophisticated intermediaries usually have heavy reliance on inter-group and third-party service providers around ICT and related infrastructure. Where it applies, the themes under DORA’s key pillars will be familiar to (re)insurance firms. They are already, for example, subject to the Central Bank of Ireland’s Cross Industry Guidance on Outsourcing, Operational Resilience and IT & Cyber Security Risks.
For Solvency II firms in particular, a gap analysis relative to the DORA requirements will be needed to assess what governance, systems and process ‘uplifts’ are required. A similar gap analysis will be needed for a firm’s suite of contractual documents and the management and control systems used for the related arrangements.
DORA requires contracts with ICT third-party providers to include mandatory provisions. It distinguishes between contracts for services or functions classified as supporting a ‘critical or important function’ (CIFA) and those that do not (non-CIFA contracts). A stricter approach, and a more extensive set of clauses, is required for CIFA contracts.
Meaning of ‘critical or important function’
It is worth noting that the definition of CIFA under DORA is different from the definition of ‘CIFA’ which Irish regulated firms will be familiar with under the Solvency II regime and the Central Bank’s Cross Industry Guidance on Outsourcing. It is cautioned that familiarity under one regime should not therefore be mistaken for equivalence or understanding under the other.
Under DORA, the term ‘critical or important function’ embeds a materiality threshold and is expressed in terms of functions or services which, if subject to disruption, would materially impair the financial performance of the firm or its service continuation or materially impair its ongoing compliance with its conditions of authorisation or financial services law more generally.
In contrast, the definition of ‘CIFA’ under the Central Bank’s Cross Industry Guidance on Outsourcing does not incorporate a materiality threshold and is expressed in terms of operational continuity of core business lines or critical business functions only. The definition of ‘CIFA’ under DORA is also wider than, for example, the same term under Solvency II, which, although not specifically defined, is generally understood to mean the four key functions of a firm’s system of governance as well as services or functions that are essential to the operation of the undertaking, such that the undertaking would be unable to deliver its services to policyholders without them.
(Re)insurers will need to communicate and clarify the distinction in potential categorisations under DORA versus the other requirements to those involved in the oversight and classification of contracts as CIFAs. This will need to be assessed as part of a firm’s DORA gap analysis exercise.
If you have any questions about DORA as regards insurance businesses, please contact Eoin Caulfield, Marguerite Sinnott, or any member of the Insurance team.