Cybersecurity Concerns in the Insurance Sector


A provisional agreement for new EU cybersecurity legislation which will impact the financial sector has been concluded. It is likely to pose challenges for the insurance sector in particular.

The European Council presidency and the European Parliament have concluded a provisional agreement for the Digital Operational Resilience Act (the “DORA”). The aim of the DORA is to strengthen cybersecurity obligations for the financial sector as a whole. While this may entail a somewhat heavier burden in terms of cybersecurity compliance for insurance companies and others, it may also be viewed as a reason to enhance companies’ IT frameworks. The DORA will furthermore increase the burden on the financial sector regarding e.g., IT service provider contract compliance.

The insurance sector, in contrast to banks and other actors within the financial sector, has been left outside of the scope of EU cybersecurity legislation since insurance companies are exempted from the rules in the Network and Information Security Directive (the “NIS Directive”).

The DORA, however, will entail cybersecurity obligations for financial entities including insurance companies, mainly through financial entities’ contractual obligations with their IT service providers. These obligations include, inter alia, information and communications technology risk management (including data backup policies and cyber-attack response), incident reporting and recording obligations, resilience testing and obligations concerning the sharing of information.

While there are existing EU rules regarding cybersecurity for the insurance sector, e.g., EIOPA’s recommendations on outsourcing to cloud service providers and system of governance (including IT risk management), the DORA may well come to pose an organisational challenge for European insurance companies, as well as for the financial sector as a whole.

The experts at Norelid Advokatbyrå assist the firm’s clients in preparing for the legal implications of cybersecurity law. Since the DORA may entail further potential liability related to the contractual relationships with your IT service providers, we are here to assist and make sure you are prepared and compliant with applicable rules and regulations. If you would like to know more about how we can assist you and your organisation, you are of course more than welcome to contact us or reach out to our cyber desk directly.

The above information published by Norelid Advokatbyrå and/or its employees is only to be considered general information and does not constitute, nor should it be used as, professional legal advice. There is a risk that the information is not complete or not entirely updated. Any use of the information is at the risk of the user.