Digitalisation

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is part of the Commission’s Digital Finance Strategy, published in September 2020. DORA’s primary objective is to enhance the IT security of financial entities. It aims to establish a comprehensive digital operational resilience framework across the European banking, insurance and investment sectors, requiring financial entities in its scope to comply with digital security and reporting requirements in order to mitigate their Information and Communication Technology (ICT) risks.

DORA started to apply, together with its level 2 measures, on 17 January 2025. Insurance intermediaries that are SMEs or microenterprises are exempted from the scope of DORA and its level 2 measures. Opt-out investment firms under MiFID II are exempted as well. Larger insurance intermediaries (more than 250 persons, an annual turnover of more than €50 million and/or an annual balance sheet of more than €43 million) are within the scope of DORA. In some cases, any intermediary may have to comply with some DORA requirements, for instance where an insurer treats it as an ICT third-party provider or in the context of delegations of authority under Solvency II.

DORA has assigned new tasks and roles to the European Supervisory Authorities (EIOPA, ESMA and EBA – the ESAs), including the development of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) on certain provisions of the DORA Regulation. The ESAs’ RTS and ITS aim to clarify the provisions of a European legislative text and to ensure coherent harmonisation of the areas they cover.

(Last updated in June 2025)

European Cybersecurity Act (CSA)

The EU Cybersecurity Act (CSA) was adopted in 2019. It gave the European Union Agency for Cybersecurity (ENISA) a permanent status and created a European Cybersecurity Certification Framework (ECCF). As a reminder, ENISA oversees EU cybersecurity legislation such as the NIS2 Directive, the Cyber Resilience Act, the Cyber Solidarity Act (CSoA) and the Digital Operational Resilience Act (DORA). The ECCF can be used to create European certification schemes for ICT products and services.

The Commission's 2025 work programme has a strong focus on simplification, which is identified as a prerequisite to boost prosperity and resilience of the Union.

The mission letter from President Ursula von der Leyen to Executive Vice-President Henna Virkkunen underlines the importance for the European Union of ensuring high standards in cybersecurity and improving the adoption process of European cybersecurity certification schemes. The revision of the CSA is also one of the initiatives foreseen under the ProtectEU Strategy.

As the CSA is not a sector-specific regulation, it could apply to intermediaries if they use ICT systems that fall under the certification schemes or if they provide ICT services. It is important to avoid duplication and/or fragmentation of the framework for intermediaries, and we need to remind the Commission to take into account the already existing sector-specific rules (for instance, DORA for the financial sector).

(Last updated in June 2025)

Open insurance: Financial Data Access Act (FIDA)

Data and technology are increasingly driving changes in the insurance sector, producing new business models, insurance products and ways for firms, and in particular insurance intermediaries, to engage with their clients.

In June 2023, together with a set of measures concerning the banking sector and dealing with the revision of the Payment Services Directive (open banking), the Commission published a proposed Regulation establishing a framework for Financial Data Access (FIDA). It directly concerns the insurance distribution sector.

As in DORA, micro and SME insurance intermediaries and ancillary intermediaries are excluded from the scope of the FIDA proposal “to ensure proportionality (…) for reasons associated with their size or the services they provide, which would make it too difficult to comply with”. The data users within the scope of the Regulation should indeed be subject to the DORA requirements and therefore be obliged to have strong cyber resilience standards in place to carry out their activities.

The proposal establishes a framework governing access to and use of customer data in finance, including insurance. Financial data access refers to the access to and processing of business-to-business and business-to-customer (including consumer) data, upon customer request, across a wide range of financial services. It builds on the existing “open banking” provisions introduced by the Payment Services Directive (PSD2), which regulate access to customer data held by account-servicing payment service providers.

(Last updated in June 2025)

Artificial Intelligence (AI)

The growing use of AI systems across more and more sectors prompted the European Commission to propose several pieces of legislation aimed at regulating that use, such as the AI Act. Insurance and financial intermediaries using AI systems will be affected by the framework.

Regulation (EU) 2024/1689 (the AI Act) was published in the Official Journal of the EU in July 2024. It applies to all sectors of the economy, including insurance. It follows a risk-based approach and classifies AI systems into four categories according to their risk level: prohibited, high-risk, limited-risk and minimal-risk. The AI Act defines a comprehensive set of governance and risk management measures that high-risk systems must comply with, alongside the requirements already in place under sectoral legislation.

AI systems classified as limited or minimal risk under the AI Act continue to operate without additional measures under the AI Act, except for a set of transparency rules (e.g. the need to inform customers that they are interacting with an AI system), the need to promote AI literacy among staff, and the development of voluntary codes of conduct. The use of such AI systems by insurance undertakings and intermediaries is, however, subject to the governance and risk management rules set out in sectoral legislation.

(Last updated in June 2025)