The Digital Operational Resilience Act (DORA), adopted by the EU in December 2022, establishes a harmonised ICT risk management and cybersecurity framework for the financial sector, insurers included. Because DORA is a regulation rather than a directive, it applies directly in every member state and replaces the uneven, country-by-country transposition of the earlier NIS1 directive with a single set of requirements for all European insurers.
Following DORA’s adoption, the European Supervisory Authorities (ESAs) developed the “level 2” measures, Regulatory and Implementing Technical Standards, that spell out how the regulation is to be implemented. Since 2023 the insurance sector has been working to align with these requirements, which cover ICT risk management, oversight of ICT third-party service providers, and digital operational resilience testing.
Despite the industry’s contributions to the regulatory process, full compliance by the 17 January 2025 application date remains a challenge, largely because several key level 2 measures were finalized late. Insurers continue to seek legal clarity on specific provisions and urge regulators to adopt the outstanding standards quickly so that the transition to the new framework is orderly.
Insurance Europe, the European federation of insurance associations, has recently published on its website an opinion article by Florence Lustman, President of France Assureurs, titled “Strengthening the industry’s cyber resilience: Insights into the implementation of the Digital Operational Resilience Act”.
“Compliance with DORA by January 2025 represented a challenge for financial entities, which was exacerbated by the fact that many of the level 2 measures were only finalized late in the process, including the final text of the standard on the register of information – crucial to a company managing and recording its ICT third-party risks – finalized at the end of December 2024. Two standards, on subcontracting and threat-led penetration, remain to be published at this time, which complicates the implementation for companies.
The industry also continues to seek legal clarity over certain aspects of the measures, to ensure that companies can have the answers they need to comply with the various standards and legislation. To further support companies, the industry urges the ESAs and the European Commission to swiftly adopt the remaining measures and provide the necessary clarity and responses to the questions raised so that all companies can swiftly adhere to the required high level of cybersecurity across the Union.” That is the author’s conclusion; the arguments behind it are set out in the full article on the Insurance Europe website.
Implementation of DORA – under the pressure of a challenging deadline
30 January 2025 — Daniela GHETU