Resilience and cybersecurity as the foundation of digital infrastructure: insurers and software providers are in the same boat

by Alexandra Helmert / 28. April 2025

An EU regulation focused on resilience and cybersecurity

In the digital age, complex ICT systems play a significant role in the functioning of key economic sectors, including the financial sector. The use and connectivity of digital systems and products with digital elements are now basic characteristics of financial firms. The systemic risks rise with their widespread use. Cyber threats, outages and other types of disruption are commonplace.

In recent years, the European Union has taken major steps to bolster the cybersecurity and resilience of key economic sectors through regulation. NIS 2, DORA and CRA form the framework for ensuring the security and resilience of digital technology and, in turn, for earning the trust and acceptance of users. Regulation is the cornerstone of safeguarding technological advancements in the long term.

NIS 2 (EU) 2022/2555 – Cybersecurity for network and information systems

The European NIS 2 Directive, which is to be transposed into national law by the EU member states, aims to raise the common level of cybersecurity. Cybersecurity encompasses the protection of network and information systems (NIS), their users and other affected persons against cyberattacks and threats. NIS 2 replaces its predecessor (NIS 1), defines a broader scope of application, sets clearer rules and introduces stronger supervisory instruments. Among other things, the directive establishes a network of Computer Security Incident Response Teams (CSIRTs) to exchange information on cyber threats and respond to incidents.

DORA (EU) 2022/2554 – One for all in the financial sector

The European Digital Operational Resilience Act is a sector-specific regulation designed to strengthen the European financial market against digital risks and ICT-related incidents and to ensure that financial entities and their digital partners have a high level of digital operational resilience. As emphasised by the German Federal Financial Supervisory Authority (BaFin), almost all supervised institutions fall under DORA and almost everything is addressed – from cybersecurity to ICT risks to resilience. As a sector-specific act of the European Union concerning financial entities, its provisions apply in lieu of the NIS 2 provisions where they are more specific (lex specialis).

CRA (EU) 2024/2857 – Cybersecurity for products with digital elements

The European Cyber Resilience Act (CRA) is a regulation on cybersecurity requirements for products with digital elements. It aims to create an EU-wide framework of comprehensive cybersecurity requirements so that hardware and software products with fewer vulnerabilities reach the market and manufacturers address security consistently throughout the entire product life cycle. Principles like ‘security by design’ must be taken into consideration, as must the creation of software bills of materials (SBOM) and the sharing of information about critical vulnerabilities and severe security incidents. The CRA requirements apply to all products with digital elements, from affordable, basic products to complex B2B products and from pure software products (such as policy management software and computer games) to hardware products with networked functions (such as smartphones). The CRA designates certain products as ‘critical’ or ‘important’; these are subject to strict conformity assessments, some of which must be performed by an external body. Standard products are assessed by the manufacturer itself.

More than just the product: DORA expands the scope of service

The sector-specific DORA is currently the main talking point in the insurance sector. By April 2025, insurers and providers of occupational pension schemes must document and categorise the ICT services they procure in a register of information and assess whether they support important or critical functions.

If this is the case, stricter or extended requirements apply to reporting and record-keeping obligations, subcontracting, specific ICT security measures, participation in threat-led penetration tests (TLPTs), the composition and amendment of contractual agreements, the implementation and testing of business continuity plans and more.

Insurers and their digital partners: new means of collaboration in the digital era

In late 2026, attention will shift to the digital partners of insurers – product providers. The first implementation stage of the CRA requires product manufacturers to report any actively exploited vulnerabilities and serious security incidents.

NIS 2, DORA and CRA will have a direct impact on the way in which insurers work with ICT providers. Whenever products or services are classed as ‘critical’ or ‘important’ under one regulation or another, the contractual partners are subject to stricter requirements. Cybersecurity and resilience will become a challenge that has to be overcome by working as partners during manufacturing, operation and maintenance.

In future blog articles, we examine specific questions relating to regulations, resilience and cybersecurity.