DORA Level 2 consultation: Insurance Europe underscores need for proportionality and a risk-based approach


Insurance Europe has responded to four consultations by the European Supervisory Authorities (ESAs) on the Level 2 measures that implement the Digital Operational Resilience Act (DORA). DORA entered into force in January 2023, and financial entities are expected to be compliant by 17 January 2025; it sets regulatory requirements that the EU hopes will help the financial sector become more resilient to cyber threats. More specifically, Insurance Europe responded to the following consultations:

1. Consultation paper on draft Regulatory Technical Standards (RTS) on ICT risk management framework and RTS on simplified ICT risk management framework

2. Consultation paper on RTS on criteria for the classification of ICT-related incidents

3. Consultation paper on RTS to specify the policy on ICT services performed by ICT third-party providers

4. Consultation paper on Implementing Technical Standards (ITS) to establish the templates for the register of information

While appreciating the work undertaken by the ESAs in preparing the draft measures within the designated short timeframe, the insurance and reinsurance industry in its response calls for clarification of various points, concepts and proposed approaches, as well as of the relationship between some of the draft measures and the Level 1 text.

The industry also makes a range of concrete suggestions for further improvements to ensure that the final measures are sufficiently risk-based and proportionate. The industry notes that, in order to guarantee digital operational resilience, it will be key to end up with a set of measures that are manageable in practice, from both an operational and a financial perspective, and that can be adequately tailored to each company’s specific size and risk profile. Relying merely on one article in this respect does not suffice: the principle should be enshrined throughout the Level 2 measures.