Article

Understanding the impact of the Digital Operational Resilience Act (DORA) on German life insurers

26 November 2024

Why is DORA being implemented?

The Digital Operational Resilience Act (DORA), laid down in Regulation (EU) 2022/2554 [1], was developed by the European Union (EU) in response to the challenges of digitisation and the threats of cyberattacks and interruptions, aiming to strengthen the operational resilience of the financial sector across the EU.

Threats of cyberattacks and cyber-related issues have increased in recent years. According to the 2023 report of the German Federal Office for Information Security (BSI) on the state of IT security in Germany, the threat situation is classified as “tense to critical” and has intensified over recent years. Furthermore, the amount of insurance cover that firms acquire to protect against cyber risks is increasing, which is also a sign of the increasing prevalence of this topic. According to a survey from the Federal Financial Supervisory Authority from 2023, the premium volume in 2022 for standalone direct business was approximately €700 million and for reinsured business about €1.57 billion. Compared to 2020, the premium volume has more than doubled for both business lines. The actual amount of cyber-related insurance might be higher, because general liability insurance policies often cover IT-related claims as part of the general insurance cover.

Financial companies are at the forefront of this change, as they often seek to push forward their digitisation to remain competitive in a changing market. Using cutting-edge technologies inevitably leaves them vulnerable and exposed to this threat. There is no alternative, however, as the use of out-of-date technology probably results in even higher vulnerability. High interdependencies within the finance industry might lead to systemic risks, which DORA is intended to counter.

In this article, we lay out some of the key requirements of DORA as it relates to the current regulatory requirements in Germany and summarise some of the implementation challenges German life insurers may face.

Background and objectives of DORA

DORA was introduced on 24 September 2020, as part of the European Commission's broader “Digital Finance Package”, and it will apply from 17 January 2025.

The purpose of this legislation is to strengthen the digital operational resilience of all entities in the financial sector, i.e., banks and credit institutions, insurance companies, payment service providers and other firms within the financial industry.

DORA harmonises the regulatory framework for these different entities, generating alignment where previously separate national rules applied, e.g., in Germany the Versicherungsaufsichtliche Anforderungen an die IT (VAIT) [2] for insurance companies and the Bankenaufsichtliche Anforderungen an die IT (BAIT) [3] for banks.

Notably, information and communication technology (ICT) third-party providers are in the scope of the regulation, and they play a key role in the DORA framework.

After the first release package in January 2024, the second wave of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) followed in July 2024, published by the three European Supervisory Authorities (ESAs)—the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).

Additionally, the German Federal Financial Supervisory Authority (BaFin) published non-compulsory guidance for companies for implementing the requirements of DORA, where certain aspects of DORA are compared with VAIT.

Next, we highlight major aspects of these documents following the structure of the DORA key requirements.

Key requirements of DORA

DORA sets out clear requirements in several key areas to ensure digital operational resilience. In this context, the BaFin refers to six key requirements [4], due to the explicit distinction between the management of ICT third-party provider risk and the monitoring framework for critical third-party providers.

ICT risk management

In this context, DORA aims at implementing a proper internal governance and control framework in order to manage the inherent ICT risks. The management body of a firm has a decisive role to play here. In both VAIT and DORA the management body is responsible for the implementation of all arrangements related to the ICT risk management framework. However, the list of tasks and responsibilities is broader in DORA, which emphasises and strengthens the role of the management body in the organisation and governance of the risk management framework. Besides the requirement that the management body be sufficiently qualified in terms of knowledge and skills regarding the management of ICT risks, the management body is in many cases responsible for defining, approving, monitoring and implementing all arrangements relating to the ICT risk management framework.

Where VAIT focuses on information security aspects, DORA indicates a shift to ICT risk management as the basis for maintaining digital operational resilience, with information security measures as one of its building blocks. This becomes clear in the introduction of a new ICT risk control function under DORA. This function can naturally be assigned to already existing risk and compliance functions; the information security officer under VAIT corresponds best to the new ICT risk control function.

The ICT risk control function is responsible for managing and overseeing ICT risks and might be located in the risk and compliance department, separate from the IT department, to ensure an appropriate level of independence.

Particular aspects of the ICT risk management framework in this context are defining, establishing and implementing an ICT-related incident management process to detect, manage and notify ICT-related incidents. This includes developing policies, e.g., an information security risk policy, implementing mechanisms to promptly detect anomalous activities, and defining and implementing restoration and recovery procedures as well as incident reporting and communication routines.

Incident management

DORA requires companies to establish an effective incident management system that ensures monitoring, logging and, where applicable, reporting of incidents. An ICT-related incident of a company is in this context defined as an unplanned event which has a negative impact on the security of the network and IT systems, with effects on the availability, authenticity, integrity or confidentiality of data or on the services provided by the company.

Incidents have to be classified following specified criteria, e.g., number of affected clients, duration, etc., which are further detailed in the RTS and supplemented by thresholds for the classification of “major” incidents. Major incidents must be reported to the supervising authority.

Testing of digital operational resilience including Threat-led Penetration Testing (TLPT)

Similar to ICT risk management and reporting, digital operational resilience testing is a crucial part of the company's overall ICT risk management framework. Financial entities are required to test their ICT systems once a year to assess the effectiveness of their digital operational resilience. These assessments should encompass suitable tests, including gap analyses and vulnerability assessments. Larger firms are also required to conduct Threat-Led Penetration Testing (TLPT) every three years. The extent of testing is a field where proportionality based on the risk profile plays a key role.

Management of ICT third-party provider risk

A key aspect that DORA addresses is the risk arising from the use of ICT third-party providers. DORA requires an assessment and monitoring of this third-party risk over the whole lifetime of the service agreement. This implies that a risk analysis and due diligence must be conducted before closing the contract. The financial company has to identify the dependency on, and the risks and costs of, the service provider. The contracts should therefore stipulate support from the provider in case of incidents, and an exit plan regarding critical functions must exist. The implementation guidance from BaFin contains a comprehensive list of minimum contract requirements with the relevant DORA reference.

All service contracts of the company shall be collected in an information register. On this basis, the supervising authority is able to identify the critical ICT service providers.

Monitoring framework for critical third-party providers

DORA implements a new monitoring framework for identifying critical ICT third-party providers. The classification is based on the systemic impact that an interruption of the services would have on the stability, continuity and quality of financial services.

The lead supervising authority has several competencies for managing incidents regarding third-party providers, such as information, control and supervisory audit rights. In the case of noticeable problems, the supervising authority can make recommendations to the third-party provider, or recommend terminating the contract with the service provider.

Exchanges of information on cyber risks and critical incidents

Furthermore, the exchange of information on cyber threats among financial companies on a voluntary basis is encouraged. Companies should inform the supervising authority about their participation in information-sharing arrangements.

Challenges and recommendations for business

Although the purpose and the key requirements of DORA are reasonable, the regulations in the Delegated Act and the RTS/ITS are complex. Financial companies should therefore plan early to ensure that they have sufficient resources to deal with DORA and its implications.

Because the VAIT has already entered into force, with the last update on 3 March 2022, the non-compulsory implementation guidance of BaFin is a good starting point, as it approaches DORA by comparing it to VAIT. The main differences include the significant expansion of the competencies of the management body of a firm and the focus on ICT incident management and business continuity management, as well as the extension of the contract conditions for third-party providers.

Financial companies should perform comprehensive initial assessments of their governance, IT systems and related risks, resulting in a gap analysis. The resulting list of gaps should be prioritised and converted into an implementation plan.

Challenges might include adapting to the requirements regarding governance and organisation, leading to new responsibilities, functions and processes. Depending on the efforts of the company so far, it might be necessary to update IT systems and establish procedures to keep them up to date. The assessment and update of the IT systems leads to a review of third-party service providers and the related contracts.

Potential risks and implications for German life insurers

Establishing proper ICT risk management involves an assessment of all ICT systems and related ICT third-party providers. The crucial part is to identify the need for protection of the underlying data in terms of availability, authenticity, integrity and confidentiality. In case of interruptions, plans on restoration and recovery have to be followed. Regarding the development and implementation of ICT systems, a proper ICT project and change management has to be applied, according to the RTS specifying ICT risk management tools, methods, processes, policies and the simplified ICT risk management framework [5].

All activities above have to follow policies and guidelines aligned with DORA requirements approved by the management body of the company.

In the following, some key activities of life insurers are highlighted that are affected by the application of the DORA procedures mentioned above.

Life insurers hold huge portfolios of sensitive personal, health and biometric data as well as payment and finance information. Insurers have to ensure that these data are protected in their IT systems and processes.

Complex migration projects must be carefully examined to fulfil DORA requirements. Inherent risks include, for example, a lack of data quality and failures in the valuation and transfer. To ensure business continuity of related processes, a sophisticated plan for backup, restoration and recovery, based on approved policies and derived instructions, is essential.

Valuation models for steering and reporting, whether standard solutions like the “Branchensimulationsmodell” (BSM) or internal models, are embedded in complex processes in which different departments and users are involved. An assessment of the processes must be carried out regarding the input of data and assumptions, the use of the correct model version, the validation of results and further processing. The key protection aspects in terms of availability, authenticity, integrity and confidentiality have to be considered here.

A recurring question is the handling of applications developed by the companies themselves, known as “end-user computing” (EUC). Whether an application counts as EUC is not tied to a specific development framework, e.g., Excel, Python, etc., but depends on its role in the underlying process.

Therefore, the starting point of ICT risk assessment is always to analyse the sensitivity of the application in the process and its need for protection, again based on availability, authenticity, integrity and confidentiality.

Conclusion and outlook

DORA aims at strengthening the digital operational resilience of the financial sector across the EU. While the VAIT regulatory requirements for insurance companies in Germany already address IT risk management issues, DORA goes beyond them with more detailed requirements and also introduces completely new aspects, such as ICT incident management and reporting, the third-party service provider assessment and register, and voluntary sharing of cyber security information.

German insurance companies might have a good starting position from implementing the VAIT requirements, but still have to provide resources to deal with DORA and its implementation, which is challenging alongside existing extensive regulatory requirements, a lack of skilled labour and economic pressure. However, DORA allows for proportionality, so the requirements can be fitted to the company’s risk profile.

Sources:

  • REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL – European Parliament, 2022
  • Rundschreiben 10/2018 (VA) in der Fassung vom 03.03.2022: Versicherungsaufsichtliche Anforderungen an die IT (VAIT), BaFin, 2022
  • BaFin - DORA, BaFin, 2024
  • Die Lage der IT-Sicherheit in Deutschland 2023, BSI, 2023
  • BaFin - Fachartikel - Cyberversicherungen: hohe Nachfrage – und hohe Risiken?, BaFin, 2024
  • Aufsichtsmitteilung - Hinweise zur Umsetzung von DORA im IKT-Risikomanagement und IKT-Drittparteienrisikomanagement, BaFin, 2024

[1] The full text of the regulation is available at https://eur-lex.europa.eu/eli/reg/2022/2554/oj.

[2] BaFin (14 October 2022). Supervisory Requirements for IT in Insurance Undertakings. Retrieved 30 September 2024 from https://www.bafin.de/ref/19595002.

[3] BaFin (3 December 2021). Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions. Retrieved 30 September 2024 from https://www.bafin.de/ref/19599002.

[4] DORA – Digital Operational Resilience Act. Retrieved 30 September 2024 from https://www.bafin.de/ref/19669324.

[5] EU. Document 32024R1774: Commission Delegated Regulation (EU) 2024/1774. EUR-Lex. Retrieved 30 September 2024 from https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj.


About the Author(s)

Timo Luehken

Dr. Sven Wagner

We’re here to help