Digital finance strategy (DORA – MiCA)

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is part of the Commission’s Digital Finance that was published in September 2020.

DORA’s primary objective is to enhance the IT security of financial entities. It will aim to establish a comprehensive digital operational resilience framework across the European banking, insurance and investment sectors, requiring financial entities in its scope to comply with digital security and reporting requirements to mitigate their information and communication technology (ICT) risks.

Insurance intermediaries who are SMEs and microenterprises are exempted from the scope of DORA and its level 2 measures. Opt-out investment firms under MiFID II are exempted as well. Larger insurance intermediaries are in scope. It is possible, however, that under certain circumstances, insurers (or clients) will require (partial or full) DORA compliance of service providers (such as intermediaries) at national level.

DORA entered into force on 16 January 2023 and will start applying - together with its level 2 measures - on 17 January 2025. The Regulation is binding in its entirety and directly applicable in all Member States.

Markets in Crypto-Assets Regulation (MiCA)

The MiCA Regulation will establish uniform rules across the European Union for crypto-assets. It covers issuers of unbacked crypto-assets and the so-called “stablecoins”, as well as the trading venues and the wallets where crypto-assets are held. The Regulation covers intermediaries when they sell, with advice, unit-linked life insurance products with crypto-asset funds as underlying investments.

In its position on the MiCA proposal, the European Parliament amended the proposal’s article on advice on crypto-assets and introduced a ban on remuneration “paid or provided by an issuer or any third party or a person acting on behalf of a third party in relation to the provision of the service to their clients.”

(Last updated on 24 May 2024)

European Cybersecurity Strategy

The EU Cybersecurity Strategy is an initiative aimed at building resilience to cyber threats throughout the Union and ensuring that citizens and businesses benefit from trustworthy digital technologies. In order to implement this strategy, the European legislators are working on several legislative proposals. The Cyber Resilience Act seeks to establish common cybersecurity rules for digital products and associated services that are placed on the market across the EU. It will complement the Directive on measures for a high common level of cybersecurity across the Union (NIS2). The Cyber Solidarity Act aims to improve the preparedness, detection and response to cybersecurity incidents across the EU.

(Last updated on 24 May 2024)

Open finance/insurance - Financial Data Access (FIDA)

Data and technology are increasingly driving changes in the insurance sector, producing new business models, insurance products and ways for firms, and in particular insurance intermediaries, to engage with their clients.

Open Insurance - EIOPA use case

In July 2023, EIOPA published a discussion paper on open insurance which concerns, amongst others, insurance intermediaries. This paper contains a use case on the potential development of an insurance dashboard under the open finance (FIDA) framework. The insurance dashboard presented in the use case would collect and display all of a consumer’s insurance policies in one place, in a user-friendly manner. To do so, it would aggregate and combine information from the different insurance companies and intermediaries with which the consumer has a relationship. The dashboard would also allow other insurance companies and intermediaries to include information on their own products, allowing consumers to compare coverage and prices. The use case is limited in scope and focuses on non-life insurance and specifically on motor and household insurance. EIOPA specifies that the dashboard itself might not offer financial advice, but that it might do so if it is run by a regulated insurance intermediary. This would depend on the concrete model used.


In June 2023, together with one set of measures concerning the banking sector and dealing with the revision of the Payment Services Directive (open banking), the Commission published a proposed Regulation for a framework for Financial Data Access (FIDA). It concerns the insurance distribution sector directly.

(Last updated on 24 May 2024)

Artificial Intelligence (AI)

The growing use of AI systems in more and more sectors prompted the European Commission to propose several pieces of legislation aimed at regulating their use. The developing framework currently includes the AI Act and the EU rules on civil liability for AI. Insurance and financial intermediaries using AI systems will be affected by the framework.

On 26 January 2024, the EU co-legislators reached an agreement in trilogue on the Regulation laying down harmonized rules on artificial intelligence (the AI Act). On 13 March 2024, the European Parliament formally adopted the agreement. On 21 May 2024, the Council did the same.

The AI Act is part of the EU’s digital strategy. It aims at providing AI developers, deployers and other operators with clear requirements and obligations regarding specific uses of AI. It adopts a risk-based approach and regulates AI systems based on the risks they present. It also prohibits certain AI systems deemed to present an unacceptable risk.

The AI Act is cross-sectoral; it applies to both public and private EU and non-EU actors. It applies to professional uses of AI systems and does not apply to AI systems essentially used for national security purposes.

(Last updated on 24 May 2024)

Revised provisions regarding the distance marketing of financial services

Published in the OJ of the EU in December 2023, the revised provisions regarding the distance marketing of financial services aim at modernising the rules established back in 2002 (the Distance Marketing of Financial Services Directive, DMFSD), strengthening consumer rights and fostering the cross-border provision of financial services in the Single Market.

The 2002 DMFSD applied to intermediaries when distributing insurance/financial products under an organised distance sales/service provision scheme and exclusively via one or more means of distance communication. The revised provisions still apply to intermediaries.

The revised provisions were introduced in an additional chapter of the already existing Consumer Rights Directive (CRD), which protects consumers in all kinds of commercial practices. The new chapter includes, amongst others, revised provisions on the right to pre-contractual information, the right of withdrawal, the right to adequate explanations and rules ensuring online fairness. Some articles of the other chapters of the CRD will also apply to financial services sold at a distance. The revised CRD repeals the 2002 DMFSD (2002/65/EC).

(Last updated on 24 May 2024)

Digital Services Act (DSA) and Digital Markets Act (DMA)

The Digital Services Act (DSA) and the Digital Markets Act (DMA) create a horizontal framework for all categories of online services, contents and products, including financial services and activities.

The main purpose of these two pieces of legislation is to ensure that “what is illegal offline is equally illegal online”. For our sector, this means, for example, that comparison websites which provide their online services to businesses and consumers established in the EU will have to comply with the due diligence obligations imposed on online platforms, irrespective of their own place of establishment. On the other hand, intermediaries who provide their financial services online as users of a platform will be entitled to the rights accorded to them as “recipients” of the website’s services. Intermediaries who provide their services via an online platform (either their own platform or as users of a platform) also have to comply with the sector-specific rules and competition law.

(Last updated on 24 May 2024)

European Strategy for Data

The European Strategy for Data aims to create a Single Market for data in order to ensure that more data becomes available for use in the economy and society while keeping the people and companies who generate that data in control. It materialises through two pieces of legislation: the Regulation on European data governance (Data Governance Act) and the Regulation on harmonised rules on fair access to and use of data (the Data Act). While the Data Governance Act creates the processes and structures to facilitate data sharing, the Data Act clarifies who can create value from data and under which conditions. Both acts will apply across sectors and could impact insurance and financial intermediaries insofar as they receive and share data.

(Last updated on 24 May 2024)

European Single Access Point (ESAP)

The ESAP aims at contributing to the achievement of the Capital Markets Union (CMU) objectives by providing EU-wide and easy access to public financial and non-financial information published by financial entities, including insurance and financial intermediaries, that is relevant to capital markets, financial services and sustainable finance, i.e. mainly information about their economic activities and products. Marketing information is excluded. The ESAP is directed primarily to users such as investors, financial analysts and market participants, for example, asset managers, advisors or data aggregators.

(Last updated on 24 May 2024)

Pan-European digital identity framework

The “eIDAS Regulation” has been applicable since 2016 and creates a European internal market for the so-called “eTrust Services” by ensuring that these services will work across borders and have the same legal status as traditional paper-based processes. These eTrust services include services that intermediaries can make use of: e-signatures, electronic seals (i.e. the electronic equivalent of a seal or stamp which is applied on a document to guarantee its origin and integrity), electronic time stamps (i.e. date and time on an electronic document which proves that the document existed at a point in time and that it has not changed since then), electronic registered delivery services (i.e. the equivalent in the digital world of registered mail) and website authentication certificates (i.e. a trust mark for websites).

The eIDAS Regulation ensured that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in other EU countries where eIDs are available (this happens on the basis of mutual recognition; for the private sector the currently applicable legislation only encourages Member States to open the use of eID to the private sector).

In 2018, the European Commission undertook various initiatives to promote eIDAS, focusing, amongst others, on SMEs in the financial services sector, and BIPAR participated in several events in this respect. The material remains accessible on the Commission’s website.

(Last updated on 24 May 2024)