The Digital Operational Resilience Act (DORA): what (re)insurers and (re)insurance intermediaries must expect
21/12/2020

In September 2020, the European Commission adopted the Digital Finance Package, including a digital finance strategy and legislative proposals on crypto-assets and digital resilience, for a competitive EU financial sector that gives consumers access to innovative financial products, while ensuring consumer protection and financial stability. 

As part of this Digital Finance Package, the European Commission published its proposal for a Regulation on digital operational resilience for the financial sector, the so-called Digital Operational Resilience Act (Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014).

BACKGROUND

Currently, the legal framework for ICT risk and operational resilience is fragmented: it consists of various legislative acts as well as guidance from the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority.

With the proposed Digital Operational Resilience Act, the European Commission aims to adopt harmonised legislation on digital operational resilience, covering the identification, mitigation and management of cyber-risk, outsourcing and concentration risk, in order to set a common standard across the EU financial system.

The Digital Operational Resilience Act will apply to all financial entities, including credit institutions, payment institutions, (re)insurers and (re)insurance intermediaries as well as ICT third-party service providers.

KEY ELEMENTS

The key elements of the Digital Operational Resilience Act for financial entities are the following:

  • financial institutions must have a sound, comprehensive and well-documented ICT risk management framework to address ICT risk quickly, efficiently and comprehensively. Such framework must include a wide range of strategies, policies, procedures, ICT protocols and tools;
  • financial institutions must manage ICT third-party risks and must have in place contractual arrangements for the use of ICT services to run their business operations;
  • financial institutions must implement an ICT-related incident management process to detect, manage and notify ICT-related incidents and shall put in place early warning indicators; and
  • financial institutions must have the possibility to exchange information on cyber threats and intelligence.
     

NEXT STEPS

The proposed Digital Operational Resilience Act is now going through the EU’s ordinary legislative procedure. The final text is expected to come into effect in the first months of 2022 and will significantly transform the provision of financial services across the European Union.

 

Related: Lydian (http://www.lydian.be): Ms. Olivia Santantonio (Counsel), Mr. Bastiaan Bruyndonckx (Partner), Ms. Liese Kuyken (Associate)
