Insurance Europe
EIOPA ICT security and governance guidelines should be principle-based, aligned with wider EU financial services initiatives

Insurance Europe has published its response to a consultation by the European Insurance and Occupational Pensions Authority (EIOPA) on its draft guidelines on ICT security and governance.  

Insurance Europe called on EIOPA to take a more principle-based approach, as its proposals are overly prescriptive in some areas. For example, EIOPA’s proposals would unnecessarily require insurers to establish new functions in their internal ICT security structures, where it would be better to clarify existing security and governance requirements, such as those laid out in Solvency II.  

As part of a more principle-based approach, EIOPA should incorporate more proportionality into its proposals, as the scale and nature of an entity’s activity has a direct impact on ICT security management. For example, the proposals should better recognise that different activities undertaken by insurers pose different risks.  

The proposals also need to be aligned with work currently being undertaken by the European Commission to establish a digital operational resilience framework for financial services.

Finally, the proposed timeline for the application of the guidelines is too short, as it does not allow a reasonable time for transposition at national level and for undertakings to react, should they need to review their compliance. The date of application must be extended to 30 July 2021, at the earliest.

Published 16 March 2020