IVASS on DORA
On 14 February 2025 the Italian Insurance Regulatory Authority ("IVASS"), in accordance with the provisions of EU Regulation 2022/2554, the Digital Operational Resilience Act ("DORA Regulation"), published a letter to the market (the "Letter") illustrating the operating methods by which (i) insurance and reinsurance undertakings with registered offices in Italy; (ii) Italian branches of insurance undertakings with registered offices in a country outside the EEA; and (iii) insurance, reinsurance and large ancillary insurance intermediaries (i.e. intermediaries subject to DORA and those having more than 250 employees and an annual turnover of more than 50 million euro or a financial statement of more than 43 million euro) are required to promptly send to the Authority reports of serious cyber incidents and, only on a voluntary basis, reports of cyber threats.
It should be noted that the DORA Regulation has applied since 17 January 2025 and aims to achieve adequate resilience of operators and of the European financial system, identifying measures for the prevention of, response to and recovery of operations after cyber-attacks or information incidents.
As mentioned above, the listed reporting subjects are obliged to communicate to IVASS the occurrence of serious cyber incidents.
The DORA Regulation defines "cyber incidents" as follows: an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity. (Here "ICT" refers to a software or hardware asset in the network and information systems used by the financial entity; please note that ICT assets are dealt with in Article 6 of the DORA Regulation.)
In addition, one of the following conditions must be met:
- the computer systems have been subject to unauthorized access; or
- at least two of the significance thresholds defined in Article 9, paragraphs 1 to 6, of Commission Delegated Regulation (EU) 2024/1772 have been reached*.
Moreover, the Delegated Acts of the DORA Regulation also establish the timing of the three phases of reporting to the competent authority (in our case, IVASS). In particular:
(i) an initial notification, at the latest within 24 hours of the identification of the incident;
(ii) an interim report, within 72 hours of the initial notification, with the possibility of sending subsequent updates;
(iii) a final report, within one month of sending the last update of the interim report.
The Delegated Acts also indicate the content of the notifications, characterized by an increasing level of detail.
In the Letter, IVASS clarifies that such reports must be sent to IVASS via electronic certified email, within the aforementioned time frames, to the following addresses:
- [email protected] for insurance undertakings; and
- [email protected] for insurance, reinsurance and ancillary insurance intermediaries.
Finally, please note that IVASS has provided templates for making reports regarding cyber incidents and cyber threats in two attachments to the Letter.
The Letter is available, only in Italian, at the following link: https://www.ivass.it/normativa/nazionale/secondaria-ivass/lettere/2025/lm-14-02-2025/Lettera_al_mercato_14_02_2025.pdf
The DORA Regulation is available, in English, at the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554
* Article 9
Materiality thresholds for determining major incidents
1. The materiality threshold for the criterion ‘clients, financial counterparts and transactions’ is met where any of the following conditions are fulfilled:
(a) the number of affected clients is higher than 10 % of all clients using the affected service;
(b) the number of affected clients using the affected service is higher than 100 000;
(c) the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service;
(d) the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service;
(e) the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service;
(f) clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected.
Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods.
2. The materiality threshold for the criterion ‘reputational impact’ is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled.
3. The materiality threshold for the criterion ‘duration and service downtime’ is met where any of the following conditions are fulfilled:
(a) the duration of the incident is longer than 24 hours;
(b) the service downtime is longer than 2 hours for ICT services that support critical or important functions.
4. The materiality threshold for the criterion ‘geographical spread’ is met where the incident has an impact in two or more Member States in accordance with Article 4.
5. The materiality threshold for the criterion ‘data losses’ is met where any of the following conditions are fulfilled:
(a) any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements;
(b) any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses.
6. The materiality threshold for the criterion ‘economic impact’ is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro.
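As an added illustration (not part of the Letter or of any IVASS tool), the following Python encodes the two-part test described above, unauthorized access or at least two Article 9 criteria met, together with the three reporting deadlines from the timeline above, so an incident-response team can record what it found and see at once whether and when a report is due. The Incident field names are assumptions chosen for this example, "one month" is approximated as 30 days, and shares use the actual or estimated figures with a zero denominator treated as no data.

```python
from dataclasses import dataclass
from datetime import timedelta

@dataclass
class Incident:
    affects_critical_function: bool = False  # systems supporting critical or important functions
    unauthorized_access: bool = False        # first alternative condition in the Letter
    clients_affected: int = 0
    clients_total: int = 0
    counterparts_affected: int = 0
    counterparts_total: int = 0
    tx_affected: int = 0
    tx_daily_avg: int = 0
    tx_value_affected: float = 0.0
    tx_value_daily_avg: float = 0.0
    relevant_client_hit: bool = False        # Art. 9(1)(f)
    reputational_impact: bool = False        # Art. 9(2), assessed via Art. 2(a)-(d)
    duration_hours: float = 0.0
    critical_downtime_hours: float = 0.0
    member_states: int = 1
    data_loss_impact: bool = False           # Art. 9(5)(a) or (b)
    cost_eur: float = 0.0

def share(part, total):
    # Actual or estimated share (Art. 9(1), last paragraph); zero denominator = no data, no hit.
    return part / total if total else 0.0

def criteria_met(i):
    """Return the set of Article 9 criteria (1-6) whose materiality threshold is met."""
    checks = {
        1: share(i.clients_affected, i.clients_total) > 0.10 or i.clients_affected > 100_000
           or share(i.counterparts_affected, i.counterparts_total) > 0.30 or i.relevant_client_hit
           or share(i.tx_affected, i.tx_daily_avg) > 0.10 or share(i.tx_value_affected, i.tx_value_daily_avg) > 0.10,
        2: i.reputational_impact,
        3: i.duration_hours > 24 or i.critical_downtime_hours > 2,
        4: i.member_states >= 2,
        5: i.data_loss_impact,
        6: i.cost_eur > 100_000,
    }
    return {n for n, hit in checks.items() if hit}

def is_major(i):
    # Major per the Letter: critical function hit and (unauthorized access or >= 2 criteria met).
    return i.affects_critical_function and (i.unauthorized_access or len(criteria_met(i)) >= 2)

def reporting_deadlines(identified_at, initial_sent_at=None, last_interim_update_at=None):
    """Latest times for the three reports; a report not yet sent is assumed sent at its deadline."""
    initial = identified_at + timedelta(hours=24)
    interim = (initial_sent_at or initial) + timedelta(hours=72)
    final = (last_interim_update_at or interim) + timedelta(days=30)  # "one month" taken as 30 days
    return {"initial": initial, "interim": interim, "final": final}
```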