Question ID: DORA 164 - 3217
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: 2(3)(b)
Status: Rejected
Date of submission: 23 Dec 2024
Question
In connection with the withdrawal of the "Guidelines on information communication technology security and governance", for those insurance undertakings that fall outside the scope of DORA due to size, but fall within Solvency II in respect of system of governance, what guidelines are they expected to follow after the withdrawal of the EIOPA-BoS-20/600?
Background of the question
An insurance undertaking is exempted from DORA due to its size in line with DORA Article 2(3)(b). However, due to the local regulatory requirements, the entity is required to comply with Solvency II corporate governance, including the guidelines on information communication technology security and governance. When the guidelines EIOPA-BoS-20/600 are withdrawn, what are the requirements for those entities that do not fall within the scope of DORA?
EIOPA answer
The question has been rejected because the issue it deals with is already addressed in the regulatory text (Article 2 of DORA).