New reporting requirements for insurers and IT service providers – Part 1: Financial sector-specific regulations in Europe and Switzerland

by Alexandra Helmert, Stefan Nörtemann / 14 July 2025

Introduction

The ongoing digitalisation and intensive use of complex IT systems are shaping the way insurance companies work today.

This development opens up opportunities, but also brings with it growing risks. Cyber attacks, system failures and other disruptions are threats to which insurers are increasingly exposed.

To counteract this, European and Swiss legislators have created frameworks in recent years that aim to achieve greater cyber security and resilience. A key component of these requirements is clear mechanisms and procedures for dealing with serious incidents, in particular their reporting.

These reporting obligations apply not only to insurers themselves, but also to their IT service providers, i.e. external software providers and IT service partners. A comparison of the regulatory requirements in the EU and Switzerland shows that both pursue the same objectives and have many similarities. However, a closer look also reveals differences, for example in terms of reporting channels, deadlines and content, some of which are significant – with important implications for all parties involved.

Reporting obligations in the financial sector: DORA vs. FINMA supervisory circulars

In the EU, the Digital Operational Resilience Act (DORA) regulates the obligations to report ICT incidents in a particularly comprehensive manner. So-called ‘major ICT-related incidents’ (DORA, Art. 30(3)(b)) must be reported. These are events that have a significant adverse impact on the network and information systems of a financial institution, in particular if critical or important functions are affected (DORA, Art. 3(22)). Reportable incidents include, among others: cyber security incidents, system or process failures, payment-related disruptions, external events (e.g. caused by service providers or natural events), and other relevant disruptions.

What constitutes ‘major’ is governed by detailed criteria and thresholds set out in separate delegated regulations – in particular in (EU) 2024/1772, (EU) 2025/301 and (EU) 2025/302. These also define the reporting deadlines to be observed and the information required for the report.

In comparison, the approach in Switzerland is much more focused: according to Art. 29 para. 2 FINMAG*, only ‘cyber incidents of significant importance’ are reportable. In Switzerland, too, the focus is on critical functions, i.e. activities whose impairment could significantly jeopardise the protection of insured persons (FINMA Supervisory Circular 05/2020). Cyber incidents of significant importance must be reported immediately. FINMA defines what ‘immediately’ means in Supervisory Circular 03/2024: the initial report must be made to the responsible FINMA supervisory key account manager within 24 hours of a cyber attack being detected, and the full report must be submitted within 72 hours via the web-based investigation and request platform (EHP).

IT third-party providers in the focus of financial supervision

Not only insurers themselves, but also their IT service providers are increasingly coming under the spotlight of regulatory requirements. Both in the EU and in Switzerland, the supervised company remains ultimately responsible, even for incidents that occur in outsourced IT services. Even if it is contractually stipulated that the service provider is responsible for reporting, the responsibility remains with the insurer.

If an insurer purchases IT services that affect critical or important functions, or if it outsources such functions entirely, it must ensure that a functioning reporting system is also in place at the third-party provider. Regulatory responsibility therefore does not end at the company’s boundaries.

EU: Reporting obligation also applies to third-party ICT providers

The DORA Regulation expressly stipulates a separate reporting obligation for third-party ICT service providers. All developments that have a material impact on the service provider’s ability to provide ICT services in accordance with the agreed service levels must be reported (DORA, Art. 30(3)(b)).

Interestingly, DORA does not specify any deadlines or reporting requirements for the third-party provider itself. For the insurer, however, the reporting deadline – usually 24 hours – begins from the time at which it becomes aware of the incident. If the deadline falls on a weekend or public holiday, the report must be submitted by 12 noon on the next working day at the latest.

Switzerland: Equal treatment of institutions and service providers

In Switzerland, FINMA takes a different approach: here, the same reporting requirements apply to insurers (or, more generally, the supervised institution), third-party service providers and any sub-service providers (FINMA Supervisory Circular 03/2024). This equal treatment has a direct impact on reporting practice.

The reporting deadline does not begin only when the insurer becomes aware of the incident; it starts as soon as either the supervised institution itself or the commissioned third-party provider discovers the cyber incident. The deadlines generally only run on official banking days – with the exception of particularly serious attacks, which must be reported within 24 hours even on weekends or public holidays.

Close cooperation required – in both jurisdictions

Regardless of the jurisdiction, the cooperation of service providers in the reporting system is essential. Insurers must ensure that their partners act quickly, in a coordinated manner and in compliance with regulations in the event of an emergency. This poses a particular challenge under Swiss law, as the regulatory obligations apply equally to insurers and service providers.

This is precisely where we come in as an experienced service provider with an industry focus. Through clear processes, coordinated incident workflows and a deep understanding of the regulatory framework, we create the conditions for compliant and timely reporting. Close cooperation is essential to ensure smooth and coordinated action in an emergency. This is the only way to effectively meet regulatory requirements.

*FINMAG: Financial Market Supervision Act of the Swiss Financial Market Supervisory Authority