Insurers Call for Clarity on DORA Implementation
The Digital Operational Resilience Act (DORA) takes effect on January 17, 2025. However, key technical details remain unclear. The German Insurance Association (GDV) is calling for clarity so that firms can meet the comprehensive requirements effectively.
From January 17, 2025, financial firms must comply with the new rules of the Digital Operational Resilience Act (DORA) to better safeguard their ICT systems against cyberattacks and operational disruptions. While the insurance industry is prepared to meet the EU's ambitious cyber-resilience requirements, it is pressing for further guidance.
“German insurers have swiftly adapted their processes to align with the known provisions. However, optimal implementation requires resolving outstanding issues, such as contract design with IT service providers,” said Jörg Asmussen, CEO of the German Insurance Association (GDV).
Outstanding Issues on Third-Party Risk
DORA aims to bolster the digital resilience of financial services and insurance firms against cyber threats by imposing stringent ICT requirements.
A cornerstone of the regulation is third-party risk management. Financial institutions must address internal ICT risks while also accounting for vulnerabilities introduced by external vendors and their subcontractors. “Finalising the pending guidelines on subcontracting for vendor management contracts is critical,” Asmussen emphasised.
Greater Transparency in Oversight of Critical ICT Providers
The GDV also believes the monitoring of critical ICT providers - those deemed essential to the financial sector - could be made more efficient. Previously, financial institutions bore the responsibility for overseeing these providers. Under DORA, European supervisory authorities will gain the power to access information, conduct inspections, and exercise oversight.
“To enhance transparency, it would be prudent to make the results of supervisory monitoring available to the affected financial institutions,” Asmussen suggested.
About DORA
In November 2022, the European Union adopted the Digital Operational Resilience Act (DORA), which will become mandatory for nearly all financial institutions starting January 2025. To ensure resilience against cyberattacks, firms must implement ICT risk management frameworks, develop resilience strategies, document security policies, and maintain contingency plans. Regular audits will verify readiness to address both external cyber threats and internal IT challenges.