Insurance Europe

Insurance Europe has responded to the European Supervisory Authorities (ESAs)’ consultations on the Digital Operational Resilience Act (DORA) level 2 second batch of policy measures. These measures included draft Regulatory Technical Standards (RTS), draft Implementing Technical Standards (ITS) and draft guidelines (GL) to complement the DORA legislation, which will enter into force on 17 January 2025. DORA aims at strengthening the IT security of financial entities to improve resilience against operational disruption.

More specifically, Insurance Europe has responded to the following six consultations:

• Draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1) points (a), (b) and (d) of Regulation (EU) 2022/2554;
• Draft joint guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under Article 32(7) of Regulation (EU) 2022/2554;
  
• Draft RTS to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554;
  
• Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents;
  
• Draft RTS on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents and draft ITS on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat;
  
• Draft RTS on specifying elements related to threat led penetration tests (TLPT).
  

Through the response, Insurance Europe calls for clarification on specific points to promote legal clarity on the text, promote feasibility of implementation and proportionality of the measures. Noting the relationship between the measures and the level 1 text, the response highlights areas where the measures should be amended to ensure that the insurance industry can appropriately implement the provisions and guard against an excessively burdensome regulatory framework.