Question ID: DORA 172 - 3229
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: Other
Article: 2(3)(b)
Status: Rejected
Date of submission: 20 Jan 2025
Question
What guidelines should an insurance company follow, with regard to ICT, that falls within the exception of DORA, now that the EIOPA guidelines on Communication technology security and governance have been revoked?
Background of the question
An insurance company that previously followed the EIOPA guidelines on communication technology security and governance is now uncertain what is applicable to them, as they are exempt from DORA and the EIOPA guidelines have been revoked with effect from 17th January 2025.
EIOPA answer
This question has been rejected because the question is not sufficiently clear and has not sufficiently identified a provision of Regulation (EU) 2022/2554 adopted under that legislation which creates uncertainty for which an explanation is merited regarding their practical implementation or application. The following bilateral answer, not to be published, is proposed: To be sent to the submitter bilaterally. The scope of DORA and of the withdrawn EIOPA guidelines on ICT Security and Governance is the same (i.e. undertakings within the scope of Solvency II Directive); therefore it is not clear to what the submitter makes reference when saying insurers that fall within the scope of EIOPA guidelines and DORA.