Digital finance strategy (DORA – MiCA)

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is part of the Commission’s Digital Finance Strategy, which was published in September 2020. DORA aims to establish a comprehensive digital operational resilience framework across the European banking, insurance and investment sectors, requiring financial entities in its scope to comply with digital security and reporting requirements to mitigate their information and communication technology (ICT) risks.

Micro- and SME-sized insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries are not in the scope of DORA. MiFID II “opt-out investment firms” are also exempted from DORA, and small and non-interconnected investment firms that are not under the opt-out provision of MiFID II have a lighter DORA regime. Large insurance intermediaries (that are not defined as micro or SMEs) are in scope. DORA rules will, however, be applied in accordance with the principle of proportionality, taking into account the size, the nature, scale and complexity of their services, activities and operations, and overall risk profile.

Markets in Crypto-Assets Regulation (MiCA)

The MiCA proposal covers issuers of unbacked crypto-assets and so-called “stablecoins”, as well as the trading venues and the wallets where crypto-assets are held. The proposal covers intermediaries when they sell, with advice, unit-linked life insurance products with crypto-asset funds as underlying investments.

In its position on the MiCA proposal, the European Parliament amended the proposal’s article on advice on crypto-assets and introduced a ban on remuneration “paid or provided by an issuer or any third party or a person acting on behalf of a third party in relation to the provision of the service to their clients.”

European Cybersecurity Strategy

The EU Cybersecurity Strategy is an initiative aimed at building resilience to cyber threats throughout the Union and ensuring that citizens and businesses benefit from trustworthy digital technologies. In order to implement this strategy, the European legislators are working on several legislative proposals. The Cyber Resilience Act seeks to establish common cybersecurity rules for digital products and associated services that are placed on the market across the EU. The Cyber Resilience Act will complement the Directive on measures for a high common level of cybersecurity across the Union (NIS2). The Cyber Solidarity Act aims to improve the preparedness, detection and response to cybersecurity incidents across the EU.

Digital finance/insurance and open finance/insurance

Data and technology are increasingly driving changes in the insurance sector, producing new business models, insurance products and ways for firms, and in particular insurance intermediaries, to engage with their clients.

The Commission’s September 2020 Digital Finance Strategy aims, amongst others, to create a European financial data space to promote data sharing and open finance, including insurance. As a follow-up, in May 2022 the Commission launched five consultations on open finance and the review of the Payment Services Directive 2 (PSD2). The results are likely to serve as input for impact assessments accompanying legislative proposals revising the PSD2 and putting in place an open finance framework, expected to be published at the end of June 2023.

Artificial Intelligence (AI)

The growing use of AI systems by more and more sectors prompted the Commission to propose several pieces of legislation aimed at regulating their use. Insurance and financial intermediaries using AI systems might be affected by the framework. The developing framework currently includes the proposed AI Act and the proposed EU rules on civil liability for AI.

It is worth recalling here that in June 2021 EIOPA’s working group on digital ethics (in which BIPAR was represented) published a report on “Artificial intelligence governance principles” which contains a number of non-binding principles addressed to both insurance undertakings and intermediaries when using AI systems. These principles include, among others, the principle of proportionality, the principles of fairness and non-discrimination, the principle of transparency and the principle of human oversight.

The role of intermediaries to facilitate ethical use of AI or to prevent its unethical use is recognised in the Report. For example, the Report states that “Insurance intermediaries can play an important role in the prevention for the use of poor quality data since, in their advising activities, they would be able to detect such potential poor data usage, in all areas of the value chain where they are involved”.

Distance Marketing of Financial Services Directive (DMFSD)

As proposed by the Commission in May 2022, this Directive aims to amend the rules established back in 2002, strengthen consumer rights and foster the cross-border provision of financial services in the Single Market. The Commission’s evaluation of the DMFSD indicated that its relevance decreased given the volume of product/sector-specific measures which contain protective provisions for consumers (e.g. IDD, CCD, PRIIPs or GDPR) and the rapid pace of technological innovation. However, the Commission noted the ongoing relevance of the DMFSD in areas where financial products are not yet subject to product-specific EU legislation (“safety net feature”).

The current DMFSD applies to intermediaries when distributing insurance/financial products under an organised distance sales/service provision scheme and exclusively via one or more means of distance communication. The revised Directive still applies to intermediaries.

The revised Directive repeals the existing DMFSD and brings the relevant aspects of consumer rights regarding financial services contracts concluded at a distance within the scope of the horizontally applicable Consumer Rights Directive (which does not currently apply to financial services), in a dedicated chapter on distance contracts for consumer financial services. The new chapter includes, amongst others, revised provisions on pre-contractual information, right of withdrawal and adequate explanations.

It is expected that the revised Directive, as provisionally agreed, ensures that its provisions do not duplicate those of other EU texts already applying to the insurance (distribution) sector (prevalence of sectoral rules). This is an important principle for our sector. This means that the revised provisions will apply to the insurance (distribution) sector only to a limited extent, i.e. when the IDD, MiFID II, PEPP, Solvency II and other existing EU texts applying to our sector do not contain similar rules to the revised ones (for example, when concluding an insurance contract at a distance, an intermediary will only have to comply with the IDD pre-contractual requirements and not with the ones of the revised DMFSD).

Digital Services Act and Digital Markets Act

Since December 2020, the European legislators have been working on a set of new rules for all digital services, including cloud services, messaging, social media, online marketplaces and other online platforms as well as app stores that operate in the EU. These new sets of rules are contained within the Digital Services Act (DSA) and the Digital Markets Act (DMA). Both Acts create a horizontal framework for all categories of online services, contents and products, including financial services and activities.

The main purpose of these two pieces of legislation is to ensure that “what is illegal offline is equally illegal online”. For our sector, this means, for example, that comparison websites that provide their online services to businesses and consumers established in the EU will have to comply with due diligence obligations imposed on online platforms, irrespective of their own place of establishment. On the other hand, intermediaries that provide their financial services online as users of a platform will be entitled to the rights accorded to them as “recipients” of the website’s services. Intermediaries that provide their services via an online platform (either their own platform or as users of a platform) also have to comply with the sector-specific rules and competition law.

Data Act and Data Governance Act

In addition to the General Data Protection Regulation (GDPR), the European legislators are working on implementing the European Strategy for Data, which aims to create a single market for data in order to ensure that more data becomes available for use in the economy and society while keeping the people and companies who generate that data in control. The European Strategy for Data materialises through two pieces of legislation: the Regulation on European data governance (Data Governance Act) and the proposed Regulation on harmonised rules on fair access to and use of data (the Data Act). While the Data Governance Act creates the processes and structures to facilitate data, the Data Act clarifies who can create value from data and under which conditions. Both acts will apply across sectors and could impact insurance and financial intermediaries insofar as they receive and share data.

European Single Access Point (ESAP)

In November 2021, the European Commission adopted a package of measures establishing a European single access point (ESAP).

The ESAP aims at contributing to the achievement of the CMU objectives by providing EU-wide access to information published by financial entities, including by insurance and financial intermediaries, that is relevant to capital markets, financial services and sustainable finance, i.e. mainly information about their economic activities and products. The ESAP is directed primarily to users such as investors, financial analysts and market intermediaries, for example, asset managers, advisers or data aggregators.

The information that will be publicly accessible on the ESAP will be collected by designated collection bodies (mainly EIOPA for our sector) and will be accessible through a single application programming interface (API). By providing data in digital format (data-extractable or machine-readable format), the ESAP is also intended to be a cornerstone of the EU Digital Finance Strategy that would enable a planned transition to data-driven finance.

The package includes a proposed ESAP Regulation and two other proposals (an Omnibus Directive and an Omnibus Regulation) that will amend a number of existing EU Directives and Regulations. These texts are listed in the Annex to the proposed ESAP Regulation. For our sector, the key EU texts of interest are the following EU Directives: IDD, UCITS, Solvency II, MiFID II, IFD and IORPs, and the following EU Regulations: PRIIPs, PEPP, IFR, SFDR and Taxonomy.