The Launch of the DORA Regulation and Its Importance for Safeguarding Financial System Operations

At Belzuz Abogados, S.L.P., as specialists in Insurance Law, we highlight the significance of the EU’s Operational Resilience Regulation—better known as DORA—which entered its application phase on 17 January 2025. Although DORA has been in force since 16 January 2023, the European Union established a two‑year transition period to allow the financial industry to adapt before full implementation.

DORA modifies several existing regulations—(EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014, and (EU) 2016/1011—with the overarching goal of reinforcing the digital security of financial institutions, including banks, insurers, and investment service firms. The Regulation seeks to ensure that the European financial system can remain resilient in the face of significant ICT‑related disruptions, protecting institutions not only from cyberattacks but also from operational failures, and ultimately strengthening customer confidence in an increasingly digital marketplace.

Given the sector’s reliance on technology, reducing exposure to ICT‑related vulnerabilities has become essential. As noted by the European Systemic Risk Board in 2020, inadequate management of digital risks can trigger major service outages within financial institutions and potentially spill over into other industries.

The Regulation covers a broad set of obligations, including ICT risk management, oversight of third‑party ICT providers, digital operational resilience testing, incident reporting, information‑sharing frameworks, and the supervision of critical external service providers. DORA also consolidates previously dispersed rules relating to operational resilience, eliminating inconsistencies and regulatory fragmentation at the EU level.

The choice to adopt a Regulation—rather than a directive—is intentional. As highlighted in Recital 14, this legislative form reduces regulatory complexity, promotes supervisory convergence, increases legal certainty, and helps limit compliance costs, particularly for organisations operating across borders.

The process leading up to DORA’s application has not been without challenges. For instance, EIOPA withdrew two guidelines and announced amendments to an existing opinion in order to streamline the regulatory framework and avoid overlaps in the insurance and pension sectors.

It is also important to note that DORA applies to all financial‑sector entities, each with their own characteristics. Significant efforts were made by ADECOSE and BIPAR to secure an exemption for micro, small, and medium‑sized insurance intermediaries that do not rely solely on automated sales tools. These organisations argued that intermediaries could not realistically comply with the same administrative and technical obligations imposed on insurers. As a result, in November 2021, the European Parliament’s Committee on Economic and Monetary Affairs agreed to exempt intermediaries with fewer than 250 employees—an exemption reflected in Recital 43 of DORA—which reportedly eliminates up to 120 administrative requirements for these entities.

Regarding insurance companies, an ICEA study published in September 2024 revealed that only 1.2% of Spanish insurers considered themselves fully compliant with DORA, while half estimated they were between 50% and 75% of the way through their adaptation process. The main challenges identified include tight implementation deadlines, limited availability of specialised staff, and the need for additional training. Many insurers have been forced to increase budgets, reorganise internal structures, introduce new functions, and hire specialised professionals.

Regulators have also had to prepare for DORA’s entry into application. For example, Spain’s DGSFP created a new division responsible for technological supervision and digital innovation, underwent a security audit under the National Security Scheme, and established a platform to facilitate the reporting of cyber incidents. It also enabled voluntary DORA readiness tests.

To assist market participants, the DGSFP has compiled all relevant DORA materials on its website, including the Regulation itself, related EIOPA publications, secondary legislation, protocols for notifying cyber incidents or threats, and procedures for submitting regulatory queries.

Conclusion: As dependence on digital technologies continues to grow, the financial sector becomes more exposed to cyber risks and operational disruptions—issues that can significantly undermine user and market confidence. A robust regulatory framework such as DORA is therefore essential to ensure that the benefits of ICT innovation can be fully leveraged while keeping associated risks under control.

At the Insurance Law Department of Belzuz Abogados, S.L.P., we remain at your disposal to analyse any issues related to civil liability and insurance with the highest level of professionalism, expertise, and efficiency.
