Digitalisation is rapidly reshaping every sector, and the financial industry is no exception. However, the increasing reliance on technology has also brought new challenges, such as cyberattacks, system failures, and vulnerabilities linked to third-party providers. To address these risks, the European Union introduced the Digital Operational Resilience Act (DORA), aiming to establish a harmonised framework for technological security in the financial sector.
This regulation, which came into effect on 16 January 2023 and becomes fully applicable on 17 January 2025, sets out rules for more than 22,000 financial entities and ICT service providers across the European Union. In Portugal, the implementation of DORA in the insurance sector will be overseen by the Autoridade de Supervisão de Seguros e Fundos de Pensões (ASF).
What is the DORA Regulation?
The Digital Operational Resilience Act (DORA) addresses the need to establish minimum standards for network and information system security in the European financial sector. As information and communication technologies (ICT) play an increasingly crucial role in financial services, it has become essential to introduce regulatory tools that minimise risks associated with digitalisation.
DORA requires financial entities to develop and maintain robust ICT systems to prevent and mitigate cyber threats, ensuring the continuity of their operations. This regulation is complemented by other legislative acts, such as the NIS2 Directive, and guidelines on third-party risk management and digital security.
Why is DORA Important for the Financial and Insurance Sectors?
DORA is vital for the financial and insurance sectors due to the exponential growth of cybercrime and the inherent vulnerabilities of these areas. Recent data from CERT.PT and global reports highlight a worrying increase in cybersecurity incidents, with the financial and insurance sectors among the most targeted, accounting for 19% of attacks in Portugal and 21% globally.
Cybercrime: A Persistent Threat
Cybercriminals are increasingly employing sophisticated strategies, such as phishing, ransomware, and social engineering schemes, to exploit vulnerabilities in financial and insurance systems. These attacks have profound impacts:
- Exposure of Sensitive Data: Directly affects client privacy and regulatory compliance.
- Service Disruption: Can halt critical operations, such as policy processing or financial transactions.
- Financial and Reputational Losses: Undermines consumer confidence and threatens organisational stability.
In a context where 37% of attacks involve phishing, and where ransomware incidents have doubled in a single year, DORA emerges as a crucial framework to protect the sector. By mandating continuous monitoring systems, incident response plans, and regular digital resilience testing, DORA significantly reduces the risks associated with cyber threats.
Moreover, the regulation addresses another critical aspect: the growing dependence on digital infrastructures and third-party providers. By imposing rigorous third-party risk management, DORA ensures that vendors adhere to the highest cybersecurity standards, minimising potential vulnerabilities in the operational chain.
The Financial and Insurance Sectors as Prime Targets
According to the Marsh 2023 Study, financial and insurance organisations top the list of sectors most attacked, followed by the technology and communication industries. This preference stems from the high volume of sensitive data and financial transactions these organisations handle, making them lucrative targets for cybercriminals.
The IBM X-Force 2024 Report reveals that 71% of cyberattacks occur through legitimate employee accounts, often compromised via phishing or brute force techniques. These figures underscore the need for robust measures like those mandated by DORA.
The Key Pillars of DORA
DORA is based on six fundamental pillars that all affected entities must implement:
- Governance: Entities must establish an effective internal governance framework to identify, mitigate, and respond quickly to ICT risks. The management body assumes responsibility for overseeing technological and cyber risks.
- ICT Risk Management: Systems and processes must be adopted to identify and control technology-related risks.
- Incident Reporting: Entities must report significant ICT-related incidents to the competent authorities (in Portugal, the ASF) within 24 hours.
- Digital Operational Resilience Testing: Companies must conduct regular tests to ensure they can withstand cyberattacks or other technological disruptions.
- Third-Party Risk Management: DORA requires stringent oversight of external providers, such as cloud services or subcontracted technologies.
- Information Sharing: The regulation promotes cooperation between entities and authorities to improve responses to cyber threats.
Which Companies Does DORA Apply To?
DORA introduces specific requirements for financial market participants and applies to over 22,000 entities in the EU, including:
- Credit institutions
- Payment institutions
- Insurance and reinsurance companies
- Insurance and reinsurance intermediaries
- Providers of crypto-asset services
- Investment firms
- ICT third-party service providers
Impact of DORA on the Insurance Sector
For insurance brokers like C1 Broker, DORA presents new challenges and opportunities. In addition to securing their own ICT systems, brokers are responsible for assisting their clients and partners in adapting to this new regulation. Cyber insurance plays a critical role here, not only in protecting company data but also in ensuring business continuity in the event of an incident.
Furthermore, DORA demands stricter oversight of technological providers used by insurance companies, such as data management platforms or cloud services. This additional responsibility underscores the importance of working with tech partners who adhere to the highest security standards.
C1 Broker: A Trusted Partner in Addressing DORA Challenges
At C1 Broker, we have extensive experience supporting companies in managing digital risks. The arrival of DORA reinforces our commitment to offering cyber insurance solutions that not only ensure regulatory compliance but also provide peace of mind during critical moments.
We offer tailored cyber insurance policies for businesses of all sizes, as well as specialised coverage for technology companies facing unique challenges. If you have questions about how DORA may impact your business or need advice on cyber insurance, we’re here to help.
Conclusion
DORA is not just another regulation; it is a call to action for everyone in the financial sector. It challenges us to be more responsible, resilient, and prepared to face technological risks. At C1 Broker, we are ready to guide your company on this path, ensuring you are equipped for the digital future.
Want to learn more about protecting your business from cyber threats? Visit our page: Cyber Risk Insurance in Portugal.
Contact us today to learn more about Cyber Risk Insurance and how to protect your business!