Insurance Europe supports the proposal for a Digital Operational Resilience Act

25 February 2021
Insurance Europe considers that the European Commission's proposal for a Digital Operational Resilience Act (DORA) for the financial sector is an important step in light of the efforts to boost the cyber resilience of all sectors of the economy, including insurance.

European insurers believe it is vital to put in place a risk-based cybersecurity framework established on key common principles and unified in one single piece of legislation. However, given that the financial sector is very diverse, it is important to avoid a one-size-fits-all approach.

In its current form, the DORA proposal is too prescriptive, especially in terms of the requirements around information and communication technology (ICT) risk management. Instead, insurers are calling for a set of rules that can be tailored to individual risk profiles, as different types of entities are exposed to different types of risks and therefore require different types of protection. Furthermore, different financial sector entities have their own unique impact on the operational resilience, performance and stability of the EU financial system and this must also be accounted for.

In the area of ICT third-party risk, Insurance Europe strongly supports the proposed monitoring framework for critical ICT service providers and calls for the framework to be accompanied by corresponding regulatory relief for users of these services.

Finally, the envisaged 12-month implementation period is not long enough and should be extended to 36 months.

Source: Insurance Europe
