This is the DORA regulation, mandatory compliance for insurers and fund managers

The text establishes criteria for the classification, management and notification of risks in the field of ICT. In addition, it incorporates exhaustive recurring tests for these systems and a series of requirements for the management and supervision in the financial sector of the risks derived from ICT services. Thus, information security is strengthened and possible gaps and conflicts that could arise within financial entities are eliminated.

The scope of the regulation incorporates all actors in the financial field at the European level, including insurers and reinsurers, insurance intermediaries or managers of alternative investment funds and management companies.

This new regulation expands the scope of its action, going beyond traditional financial entities, emphasizing the management of technological services by third parties and organizations such as insurers and reinsurers.

“The regulatory requirements are very specific and demanding, which, in general, will force the insurance sector to accelerate its speed of improvement in this field, thus putting itself at a level similar to that of banking, traditionally more mature in the matter, since they were the first to be targets of cybercriminals,” explains Jacinto Muñoz Muñoz, director of Operational Resilience and Crisis Management at MAPFRE. “In terms of opportunity, the DORA regulation should allow the insurance industry to improve its maturity in terms of cybersecurity and digital operational resilience, improving its protection against cyber risk,” he adds.

In the specific case of Spain, the Spanish Association of Insurance and Reinsurance Brokers (ADECOSE) has excluded small and medium-sized companies (SMEs) and insurance intermediaries with fewer than 250 employees from this regulation, due to their peculiarities and needs within this sector.

 