
On 17 January 2025, the DORA Regulation, an EU legislative instrument designed to address the risks and vulnerabilities that the financial system may face as its dependence on ICT operators grows, began to apply.
At Belzuz Abogados, as lawyers specialising in Insurance Law, we must echo the start of application of the Operational Resilience Regulation (‘DORA’) on 17 January.
DORA entered into force on 16 January 2023; the European Union granted an adaptation period of two years, after which it applies to the entire financial sector of the European Union.
The DORA, which amends Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, aims to strengthen the IT security of financial institutions, especially banks, insurance companies and investment services firms, so that the European financial sector can withstand severe operational disruptions. In an era of digitised services, this protects European financial institutions not only from cyber attacks but also from service failures, improving user confidence.
The aim is to minimise the vulnerability of this critical sector, given the increasing dependence of financial institutions on technology. It should not be forgotten that poor management of ICT-related risks can cause serious service disruptions in financial institutions that can be devastating for other businesses or sectors, as reported by the European Systemic Risk Board in 2020.
The DORA regulates, in addition to the management of ICT-related risk, the management of ICT-related third party risk, the development of digital operational resilience testing, ICT-related incident reporting, information sharing and the oversight of critical third party providers.
The DORA also harmonises all existing regulation relating to the operational resilience of financial institutions and providers by eliminating legislative disparities and uneven regulatory approaches to ICT-related risk.
Ultimately this provision has taken the form of a Regulation because, as stated in Recital 14 of the DORA, this form of legislation ‘contributes to reducing regulatory complexity, promotes supervisory convergence and increases legal certainty and, in addition, helps to limit compliance costs, especially for financial institutions operating on a cross-border basis, and to reduce distortions of competition’.
This process has been complex and far from straightforward: EIOPA, for example, withdrew two guidelines and announced the amendment of an opinion to ‘eliminate overlaps and promote a unified regulatory framework for digital operational resilience in the European insurance and occupational pension fund sectors’.
It should not be forgotten that this Regulation applies to all operators in the financial system, each with its own particularities.
It is worth highlighting the efforts made by ADECOSE and BIPAR to push forward an amendment proposal submitted to the European Parliament in June 2021 to exclude from the application of the DORA those micro, small and medium-sized insurance mediation companies that do not rely exclusively on automated sales systems, on the grounds that insurance mediation entities could not meet the same administrative and operational requirements as insurance companies.
Thus, in November 2021 the Committee on Economic and Monetary Affairs of the European Parliament excluded insurance intermediary institutions with fewer than 250 employees from the DORA, sparing intermediaries up to 120 administrative requirements, according to the General Council. This exemption is set out in Recital 43 of the DORA.
With regard to insurance companies, according to an ICEA survey published in September 2024, only 1.2% of Spanish insurance companies claimed to be fully adapted to the DORA and 50% estimated that their adaptation was between 50% and 75% complete.
The difficulties most highlighted by insurance companies have been the limited timeframe, the lack of qualified staff and the lack of training or specialisation, with insurers having to increase their budgets, make organisational changes, create new figures and hire new professional profiles.
Likewise, the regulator has also had to prepare for the entry into force of DORA. The DGSFP, for example, has had to create a new division of technological supervision and digital innovation and undergo a security audit under the National Security Scheme, and it also provides a platform for insurers to report cyber incidents and facilitates voluntary tests of DORA readiness.
Similarly, in order to facilitate adaptation and understanding by the different market operators, the DGSFP has compiled all the information relating to the DORA on its website, allowing interested parties to access the text of the DORA itself, the different EIOPA publications, rules developed by this regulation, procedures and protocols for notification of cyber incidents or cyber threats of a certain entity, as well as procedures for consultation in case of doubts about the Regulation and its application.
CONCLUSION: As a final reflection, we would like to point out that, as the financial sector becomes ever more dependent on ICTs, its vulnerability to cyber attacks or service failures will increase. Such events can have devastating effects on the economy and can diminish confidence in the financial sector, not only among users but also among market operators.
This is why we believe that the regulatory framework must, consequently, adapt to these new realities, thus helping to take advantage of the enormous benefits of ICTs for the financial system while minimising their risks.
From the Insurance Law Department of Belzuz Abogados, we are at your disposal to analyse your problem in terms of civil liability and insurance in the most professional, efficient and solvent manner.
Mikel Reyna
Belzuz Abogados
Insuralex's Exclusive Member in Spain and Portugal