DORA

How does Europe protect itself against technological crises?

Financial health is key to a region’s well-being, but the increasingly digitalized insurance industry is ever more exposed to technological risks. To help companies protect themselves, Europe has established specific regulations for information and communication technology (ICT) environments.

DORA (Digital Operational Resilience Act) is, more than a single new regulation, a harmonization of the existing rules on operational resilience for the financial sector, specifically with respect to ICT-related risks. It came into force in 2023 and began to be applied in January 2025, and it is mandatory both for European financial institutions and for their ICT service providers.

The text of the regulation published in Spain’s Official State Bulletin in 2022 noted that the use of these technologies “has transformed the insurance industry, from the appearance of intermediaries offering their services online and carrying out their activity with technology applied to the sector (insurtech) to digital underwriting”, creating a context that “has deepened interconnections and dependencies both within the financial sector and in relation to third-party infrastructure and service providers.”


Risks associated with ICT

In this digital age, technology facilitates countless daily tasks that keep the economy going. Its efficiency and agility rest on complex systems that are integrated into companies and outsourced to specialist providers. In this scenario, certain risks, if they aren’t properly managed, may cause interruptions in financial services, impacting not only a company’s own activity but also the global economy.

In one of its latest reports, the European Systemic Risk Board (ESRB) highlighted the significant level of risk arising from the interconnection of the more than 22,000 financial institutions located in the region. Within the European context, cyber threats have risen in recent years and take many forms, from the sabotage of submarine cables (a critical element of telecommunications infrastructure) to the theft and manipulation of data. Cyberattacks are also growing in sophistication, to the extent that even companies with a well-established cybersecurity plan are not immune to these dangers. The ESRB advocates addressing these issues through coordinated best practices at national and community level, covering all phases of a crisis: preparation, response and recovery. DORA would be the common contingency framework that, by protecting each company, preserves the security of the sector as a whole. According to the Official Journal of the European Union, “achieving a high level of digital operational resilience in regulated financial institutions requires the harmonization of some different rules of Union and national law.”


What is the financial sector obliged to do?

With the implementation of DORA, financial institutions must meet a series of requirements that focus on several key aspects. A robust and efficient cybersecurity strategy can be structured around these lines of defense: protection, detection, containment, recovery and repair. The four pillars of the regulation are:

Strong and effective ICT risk management: Financial institutions must establish comprehensive processes that guarantee the detection and management of cyber risks, identifying and classifying all critical assets in their technological architecture and continuously assessing potential threats. The company’s management will be responsible for defining this strategy and could also be held personally liable in the event of noncompliance.

Notification of incidents: Risk management structures must be complemented by channels that manage, record and classify any ICT-related incident, and companies are obliged to report and explain serious or significant events to the competent authorities, as well as to affected clients and partners. This communication must include the provision of initial, intermediate and final reports. This coordination will facilitate cooperation between those affected and the execution of a quicker and more effective response.

Operational resilience and business continuity tests: In addition to incident prevention and detection systems, financial institutions must regularly test their technology systems in order to assess their strength and detect potential vulnerabilities. These tests will be conducted both in general – analyzing the weaknesses of the system as a whole – and specifically – exposing the company to threats that are known or common in the sector – and will be carried out by external and independent companies at least once a year.

Involvement in third-party risk management: One of the key aspects of DORA is coordination between organizations, both financial institutions and their collaborators. European regulations require companies to maintain detailed records of all providers offering them ICT services, and of their level of dependence on each one. A common cybersecurity effort to detect attacks and mitigate their impact is also recommended.

What are the positive impacts of the regulations?

Spanish financial institutions – banks, insurers and other sector institutions – have been preparing for years to meet DORA’s requirements, which has resulted in:

Greater investment in technology and cybersecurity, directed at training and hiring experts in the field, as well as technology infrastructure itself.

Greater cross-sector coordination. Facing common challenges has favored communication between financial companies and their ICT service providers, and has promoted ongoing dialogue among financial companies to detect risks that threaten the stability and operability of the sector.

Adaptation of internal processes. Although the financial sector had already made significant progress in terms of digitalization, including cyber risk management, its internal policies and the dynamics of internal processes are now aimed at meeting the requirements of digital operational resilience.

Improved image. Although adapting to this new regulatory scenario has been a challenge for financial institutions, the implementation of DORA has strengthened confidence in the sector thanks to its commitment to security and data protection.
