Search QAs

We have a supplier who handles a critical process for us. Although the service itself is not directly ICT-related, the supplier uses ICT systems to deliver these services to us. The supplier believes that they should not be classified as a third party under DORA and therefore do not need an additional agreement. When I make an overall assessment of this

Are Payroll service providers or Payroll software providers within DORA’s scope? And if so, only if they provide services to Banks, Insurance companies, and Investment firms? Or as ICTs would they be subject to DORA independently of their customer?

Is DORA applicable only to Financial Institutions or can also be applicable to any other non-Financial organizations?

Art. 8 VII: Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems. What does DORA mean by connecting?

For the assessment of the Solvency Capital Requirement (SCR) using a partial internal model, is it permissible for a solo insurance entity and for an insurance group to model underwriting risks through the partial internal model, while simultaneously applying the standard formula equity shock of 22% for long-term equity investments, provided that all the conditions set out in Article 171a of the Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 are fulfilled?

We were approached by representatives of the major ISPs in AT. They expressed concern about divulging their sub-contractors, as the information is currently not public and could be actionable by potential attackers. Should these sub-contractors indeed be disclosed by the ISPs to a large number of financial undertakings?

Does EIOPA have, and can it make available, an electronic version of the register of information, the content and template of which are set out in the draft commision implementing standard laying down implementing technical standards with regard to standard templates for the register of information according to Regulation (EU) 2022/2554 of the European Parliament and of the Council?

We understand that in Template 27.01.b. (Man made catastrophe risk - Liability) the “Earned premium last 12 months” should be considered, is this correct?

The first question is: Does the exception in Article 24(3), second subparagraph, apply to travel insurance sold together with a credit card? A credit card is not a payment account as defined in Article 2(3) of Directive 2014/92/EU, but a credit card typically is linked to an underlying payment account. Is the sale of travel insurance together with a credit card therefore covered by the ex-ception, or does the requirement to offer the insurance separately apply? The second question is: Depending on the answer to the first question, to what extent is a de-mand and needs assessment required under Article 20 of the IDD when travel insurance is sold as an inseparable part of a credit card package? We would appreciate EIOPA’s clarification on the application of these provisions in the context described.