The Digital Operational Resilience Act (DORA) applies across all financial services, but banks and insurance companies face different challenges and requirements based on their business models.
## Who Does DORA Apply To?
### Banking Sector
DORA applies to:
- Banks and credit institutions
- Payment institutions
- Electronic money institutions
- Investment firms
- Central counterparties
- Trade repositories
### Insurance Sector
DORA applies to:
- Insurance and reinsurance undertakings
- Insurance brokers
- Insurance distribution agents
- Credit institutions providing insurance
## Key Differences: Banking
### ICT Risk Profile
- Complexity: Higher technological complexity
- Interconnectedness: Deep integration with payment systems
- Attack Surface: Large attack surface due to online banking
- Criticality: Considered critical infrastructure
### Specific Challenges
- Payment Systems Integration: Must maintain resilience of payment infrastructure
- Third-Party Dependencies: Extensive cloud and fintech provider relationships
- Cross-Border Operations: Multiple regulatory jurisdictions
- Real-time Processing: Zero-tolerance for downtime
### TLPT Requirements for Banks
- Large banks: Annual threat-led penetration testing
- Medium banks: Every 2 years
- Smaller banks: Every 3 years (with flexibility)
- Focus on payment systems and critical services
### Incident Thresholds for Banks
- Major incidents: Customer impact, financial loss, reputation damage
- Reporting timeline: 72 hours for major incidents
- Notification: To supervisors and potentially customers
- Documentation: Detailed root cause analysis required
## Key Differences: Insurance
### ICT Risk Profile
- Operational Focus: Digital channels secondary to underwriting
- Data Sensitivity: Customer personal and health data
- Business Model: Less real-time dependent
- Systemic Risk: Lower direct systemic importance
### Specific Challenges
- Data Privacy: Handling sensitive health and personal information
- Legacy Systems: Core operations often run on legacy policy management systems
- Distribution Networks: Complex broker and agent networks
- Claims Processing: Critical operational resilience requirement
### TLPT Requirements for Insurance
- Large insurance companies: Annual or every 2 years
- Medium insurers: Every 2-3 years
- Smaller insurers: Every 3-4 years (with flexibility)
- Focus on customer data and claims systems
### Incident Thresholds for Insurance
- Major incidents: Claims processing failures, data breaches
- Reporting timeline: 72 hours for major incidents (same as banks)
- Notification: To supervisors and affected customers
- Documentation: Incident response documentation required
## Comparison: Banking vs Insurance Challenges
| Aspect | Banking | Insurance |
|---|---|---|
| Main Challenge | Payment system resilience | Data privacy and claims processing |
| Testing Frequency | Annual for large banks | Every 2-3 years for large insurers |
| Critical Systems | Payment processing, Trading | Claims processing, Underwriting |
| Vendor Dependency | High (cloud, fintech) | Medium (policy management) |
| Regulatory Intensity | Very High | High |
## Implementation Priorities by Sector
### Banking Institutions Should Prioritize:
- Payment system resilience
- Third-party fintech/cloud provider management
- Advanced threat detection and response
- Business continuity for critical services
- Frequent security testing (annual TLPT)
### Insurance Companies Should Prioritize:
- Claims system availability
- Customer data protection
- Broker/agent network security
- Policy management system resilience
- Compliance data management
## Cross-Sector Requirements
Both sectors must address:
- ICT risk governance and board oversight
- Incident detection and reporting
- Business continuity and disaster recovery
- Third-party risk management
- Staff security awareness
- Regulatory reporting
## Timeline for Both Sectors
- January 17, 2025: DORA comes into full effect
- First Assessment Period: Q3 2025
- Ongoing: Continuous compliance required