The Digital Operational Resilience Act (DORA) is a significant legislative framework designed to enhance the security and resilience of financial institutions in Europe. Although it focuses primarily on network security, it casts a wide net that extends beyond cyber security to affect governance, insurance policies, and broader operational strategies within financial institutions.

This report sets out the multifaceted implications of DORA for insurance, governance, risk management, and regulatory compliance in the financial services sector.

DORA applies to financial entities operating within the EU and to the critical third-party technology service providers that support them, including providers based outside the EU. Under DORA's mandate, financial market participants must comply with strict and complex requirements covering many aspects of information and communications technology (ICT) risk management, ranging from reporting and incident management to resilience testing and third-party risk management. As of January 17, 2025, the European Supervisory Authorities (ESAs) have the power to impose fines for non-compliance.

While it remains uncertain how fines will be applied by different EU member states, similar regulations such as GDPR suggest that fines are intended to make non-compliance costly for both large and small institutions, with regulators focusing on improving behaviours and practices and reserving strict penalties for the most serious offenders. Institutions found non-compliant with DORA may therefore face legal costs and exposure to fines, or they could enter into resolution agreements mandating changes in governance practices. The legal ramifications of an investigation or a breach thus extend beyond immediate financial liabilities to long-term reputational damage and operational disruption.

From an insurance perspective, some financial costs arising from negligent non-compliance could fall within the scope of several insurance policies. For example, the governance aspects could implicate Directors and Officers (D&O) insurance, and allegations of non-compliance may trigger Financial Institutions Professional Indemnity (FIPI) insurance, which traditionally provides broad cover for regulatory actions, and/or Cyber insurance. Consequently, insurers will likely be reviewing their policies amid concerns about "silent" cover. Financial institutions should likewise conduct a thorough review of their insurance policies.

As institutions navigate the complexities of compliance, policy wordings must be scrutinised to ensure each adequately captures the risks associated with DORA. Importantly, insurance policies should respond to damages arising from claims linked to negligent non-compliance and should also cover legal fees arising from investigations, provided such expenses fall within insurable limits. However, it is crucial to note that insurance cannot serve as a blanket safeguard against non-compliance; institutions cannot expect coverage for business risks stemming from deliberate inaction or insufficient compliance efforts. The insurability principle rests on the risk being fortuitous, rather than an inevitable outcome of neglect.

Insurance policies may offer more than risk transfer; some may also serve as a tool to support compliance efforts, which could be helpful to smaller institutions that find the burden of compliance high. Cyber insurance providers, for example, can play an important role. Simply seeking quotes from insurers can provide valuable insight into the ICT risk management practices already in place. Such assessments can give a firm a better understanding of its operational resilience, while the insurance itself enhances that resilience by offering incident response services, and insurers' partners can offer crisis management training and risk assessments.

Importantly, DORA compliance may yield beneficial effects for insured organisations once they demonstrate adherence to its standards. Insurers are increasingly recognising the value of resilient organisations and may incentivise compliance by fostering greater competition in the insurance marketplace. Institutions that comply with DORA may find that insurers streamline underwriting processes, reducing the administrative burden of lengthy applications and extensive questioning. Over time, maintaining compliance could strengthen the relationship between insured and insurer, aligning incentives towards the mutual goal of operational resilience.

In conclusion, DORA represents a watershed moment for the financial institutions sector in Europe. Beyond its immediate implications for network security, DORA calls for a comprehensive reconsideration of governance frameworks, risk management strategies, and the adequacy of insurance policies within financial institutions. As these organisations adapt to the new regulatory landscape, they will not only enhance their resilience against digital threats but may also reconfigure their relationships with insurers and regulators in pursuit of a more secure and compliant operational future.

We would be happy to arrange a webinar for institutions with a specialist law firm who can provide further detail on the impact of this regulation. Please get in touch if you are interested in attending.

Key contacts

Lyndsey Bauer, Partner

lbauer@paragonbrokers.com

+44 (0)7792 303 783

Gareth Abbott, Managing Director – Financial Institutions

gareth.abbott@priceforbes.com

+44 (0)7787 286 449