Insurance Europe has today published its position on the European Commission’s proposal for a Digital Operational Resilience Act (DORA).
While European insurers welcome efforts to boost the cyber resilience
of the financial sector and to bring cyber rules under a unified
framework, it is important to avoid a one-size-fits-all approach.
In its current form, the DORA proposal is too prescriptive,
especially in terms of the requirements around ICT risk management.
Instead, insurers are calling for a set of rules that can be tailored to
individual risk profiles, as different types of entities are exposed to
different types of risks and therefore require different types of
protection. Furthermore, different financial sector entities have their
own unique impact on the operational resilience, performance and
stability of the EU financial system, and this must also be taken into
account.
In the area of ICT third-party risk, Insurance Europe strongly
supports the proposed monitoring framework for critical ICT service
providers and calls for the framework to be accompanied by corresponding
regulatory relief for users of these services.
Finally, the envisaged 12-month implementation period is not long enough and should be extended to 36 months.
Insurance Europe
© InsuranceEurope