Digital finance strategy (DORA – MiCA - DLT)

Digital Operational Resilience Act (DORA)

Together with the adoption of its Digital Finance Strategy in September 2020, the European Commission published its proposal for a Regulation on digital operational resilience for the financial sector (Digital Operational Resilience Act - DORA).  On 28 November 2022, two weeks after it was adopted by the European Parliament Plenary, DORA was adopted by the Council, and on 27 December 2022, it was published in the Official Journal of the EU. It entered into force on 16 January 2023 and will apply as of 17 January 2025.

Legislative proposal for a regulation on markets in crypto-assets (MiCA)

Crypto-assets are defined as “a digital representation of value or rights, which may be transferred and stored electronically, using distributed ledger technology or similar technology” (Article 3.2, MiCA proposal). There are many different types of crypto-assets; a basic taxonomy distinguishes between payment tokens (means of exchange or payment), investment tokens (have profit rights attached) and utility tokens (enable access to a specific product or service).

A pilot regime for market infrastructures based on distributed ledger technology (DLT)

At the end of 2021/beginning of 2022, the EP and the Council reached an agreement on a pilot scheme based on distributed ledger technology (DLT). The Commission's proposal for a Regulation on “a pilot regime for market infrastructures based on distributed ledger technology” was part of the Commission's Digital Finance Strategy and was presented together with the proposal for MiCA and the proposal for DORA. The final Regulation was published in the EU’s Official Journal on 2 June 2022.

Cyber Resilience Act

On 15 September 2022, a proposal for a new European Cyber Resilience Act to protect consumers and businesses from products with inadequate security features was presented by the European Commission. A first ever EU-wide legislation of its kind, it introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle.

As announced by the Commission’s President Ursula von der Leyen in her State of the Union Address in September 2021, the Act seeks to establish common cybersecurity rules for digital products and associated services that are placed on the market across the European Union. She also underlined that the EU should strive to become a leader in cybersecurity.

Open finance

In February 2021, the Commission addressed a request to EIOPA, ESMA and EBA for Technical Advice on Digital Finance and related issues. The three ESAs were asked for advice on how to address the risks and opportunities arising out of digital finance, how to address the related prudential supervisory challenges arising from more fragmented and non-integrated value chains, from “platformisation” and bundling of financial services as well as from groups combining different activities. The ESAs’ Advice to the Commission aims to assist it to address the upcoming challenges and to propose, where relevant, changes to the existing legislative framework.

Artificial Intelligence (AI)

The development of the use of AI systems by more and more sectors prompted the Commission to propose several pieces of legislation aiming to regulate this use. Insurance and financial intermediaries using AI systems might be affected by the framework.  The developing framework currently includes the proposed AI Act and the proposed EU rules on civil liability for AI.

It is worth recalling here that in June 2021 EIOPA’s working group on digital ethics (in which BIPAR was represented) published a report on “Artificial intelligence governance principles” which contains a number of non-binding principles addressed to both insurance undertakings and intermediaries when using AI systems. These principles include, among others, the principle of proportionality, the principles of fairness and non-discrimination, the principle of transparency and the principle of human oversight.

The role of intermediaries to facilitate ethical use of AI or to prevent unethical use of AI is recognised in the report. For example, the Report states that “Insurance intermediaries can play an important role in the prevention for the use of poor quality data since, in their advising activ­ities, they would be able to detect such potential poor data usage, in all areas of the value chain where they are involved”.

Artificial Intelligence Act

In April 2021, the European Commission proposed new rules on artificial intelligence (AI Act). The proposed legislation is cross-sectoral and will apply to both public and private actors inside and outside the EU. It does not, however, apply to private non-professional use.

The proposed AI Act follows a risk-based approach with four levels of risk for AI systems: unacceptable risk, high risk, limited risk and minimal risk. The level of risk determines the obligations to be complied with. In this regard, insurance and financial intermediaries using AI systems that are considered as high-risk will be affected by the new AI rules, including transparency rules.

BIPAR is following the development of the proposal as it goes through the legislative process and monitoring how it will impact the activities of our sector. At this stage, the Commission’s proposal makes no reference to insurance and financial services other than credit institutions as high-risk AI systems.

In July 2022, EIOPA published a letter to the co-legislators advocating for insurance-specific cases not to be included in the list of high-risk AI uses under the AI act. EIOPA explained that any further regulatory steps on use of AI by the insurance sector should be considered in the framework of the existing sectoral legislation and left to the existing supervisory authorities.

However, the draft report adopted by the IMCO and LIBE Committees of the EP on 11 May 2023 add to the list of high-risk AI systems of Annex III, “AI systems intended to be used for making decisions or materially influencing decisions on the eligibility of natural persons for health and life insurance”.

The Council’s position, adopted in November 2022 adds “AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance” to the list but includes an exception for systems put into service by providers that are micro and small-sized enterprises.

The EP Plenary now needs to confirm the adoption of the IMCO/LIBE draft Report before the text can be submitted to trilogue negotiations. Taking into account the EP Committees’ and Council’s positions, it is likely that the final text will include, in the list of high-risk AI systems, a mention of AI systems used in relation to life insurance. 

EU Liability rules for AI

On 28 September 2022, the Commission issued a proposal for a Directive on EU non-contractual civil liability rules for AI. The point of the proposal is to adapt private law to the needs of the transition to the digital economy by laying down harmonised rules for damage caused with the involvement of AI systems.  The proposed Directive contains provisions aiming to proportionally ease the burden of proof in case of damage caused with the involvement of AI systems through the use of disclosure and rebuttable presumptions. It also establishes a possibility, for those seeking reparations to obtain information on high-risk AI systems to be recorded or documented pursuant to the AI Act.

The most relevant provisions are the following:

Rebuttable presumption of causality between non-compliance with duty of care under EU rules and the output or lack of output of AI systems that gave rise to damage.

The claimant still has to prove the AI system gave rise to the damage.

When the claim is directed against the user of a high-risk AI system, and not the provider of said system, the claimant has to establish the user in question did not comply with their obligation to use the AI system in accordance with the instructions of use or used the system in a way that was not intended.

BIPAR responded to the consultation that preceded the Commission’s proposal and will continue to follow the developments of this text through the legislative process.

BIPAR’s position

On AI, BIPAR holds the position that a consistent, transparent, all-encompassing and clear activity-based, risk-oriented regulatory framework should be maintained. In this respect, BIPAR believes the development of rules on digitalisation should happen within the existing sectoral framework and should adapt to its structure. BIPAR insists on the necessity of maintaining a level playing field between all providers of comparable insurance services.

Any governance measures or regulations linked to the use of AI should be proportionate to the potential impact of a specific AI use case on consumers or insurance firms. Such impact should be determined based on the severity of the potential harm and the likelihood of that harm happening. Financial exclusion of customers should be avoided by including, in any framework, rules on the fair use of data, and especially behavioural data.

BIPAR always highlights the fact that insurance and financial intermediaries are already efficiently playing their role through the use of new technologies, including AI. Many of these intermediaries are micro and SME entities that should be treated fairly and proportionately.

Next steps

Both the AI Act and the EU rules on civil liability for AI are still under examination by the European Parliament and the Council. The EP Plenary now needs to confirm the adoption of the IMCO/LIBE Draft Report on the AI Act before the AI Act can be submitted to trilogue negotiations.

BIPAR will continue following the developments of these proposals through the legislative process.

Distance Marketing of Financial Services Directive (DMFSD)

The 2002 Directive on Distance Marketing of Consumer Financial Services (DMFSD) aimed at ensuring the free movement of financial services in the Single Market by harmonising certain consumer protection rules governing this area. It applied horizontally to any service of a banking, credit, insurance, including those of insurance intermediaries, personal pension, investment or payment nature. The Directive set out information obligations to be provided to the consumer prior to the conclusion of the distance contract (pre-contractual information), granted for certain financial services a right of withdrawal to the consumer, and banned unsolicited services and communications from suppliers.

Digital Services Act and Digital Markets Act

The European Commission, the EP and the Council have been working since December 2020 on a set of new EU rules for all digital services, including cloud services, messaging, social media, online marketplaces, and other online platforms and app stores that operate in the European Union: the Digital Services Act and the Digital Markets Act. The new rules introduce a horizontal framework for all categories of content, products, services, including financial services, and activities provided, for example, via online intermediary services.

Data Act and Data Governance Act

The proposed Regulation on harmonised rules on fair access to and use of data, also known as the Data Act, of February 2022, and the proposed Data Governance Act of November 2020, are both part of the overall 2020 European strategy for data.  While the Data Governance Act creates the processes and structures to facilitate data, the Data Act clarifies who can create value from data and under which conditions.

European Single Access Point (ESAP)

In November 2021, the European Commission adopted a package of follow-up measures regarding the Capital Markets Union (CMU). The package includes a proposal for a Regulation “establishing a European single access point (ESAP) providing centralised access to publicly available information of relevance to financial services, capital markets and sustainability”. It also includes two other proposals (an Omnibus Directive and an Omnibus Regulation), that will amend a number of existing EU Directives and Regulations (including, for example, the IDD, MiFID II and the SFDR) in the related fields.