Source: OJ L 333, 27.12.2022, pp. 153–163

Current language: EN

Article 2 Amendments to Directive 2009/138/EC

Summary What does Article 2 of the DORA directive say?

This article amends the Solvency II Directive (2009/138/EC) to align it with DORA.

It makes two targeted changes: first, it explicitly requires insurance and reinsurance undertakings to set up and manage their network and information systems in accordance with DORA when ensuring business continuity; and second, it carves out ICT risk management from the scope of delegated acts that the Commission can adopt under Solvency II, reflecting that DORA now governs that domain directly.

Important points:

  • Insurance and reinsurance undertakings must set up and manage their network and information systems in accordance with DORA as part of their broader continuity obligations.
  • The Commission's delegated act-making powers under Solvency II are narrowed, explicitly excluding elements and functions related to ICT risk management, as these fall under DORA.
  • This article reflects the broader pattern of the directive: ensuring that sector-specific legislation defers to DORA on all ICT-related matters rather than creating parallel or conflicting requirements.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

Directive 2009/138/EC is amended as follows:

  1. in Article 41, paragraph 4 is replaced by the following:

    1. Insurance and reinsurance undertakings shall take reasonable steps to ensure continuity and regularity in the performance of their activities, including the development of contingency plans. To that end, the undertakings shall employ appropriate and proportionate systems, resources and procedures, and shall, in particular, set up and manage network and information systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council(16).

  2. in Article 50(1), points (a) and (b) are replaced by the following:

    1. ‘the elements of the systems referred to in Article 41, Article 44, in particular the areas listed in Article 44(2), and Articles 46 and 47, other than the elements concerning information and communication technology risk management;

    2. the functions referred to in Articles 44, 46, 47 and 48, other than functions related to information and communication technology risk management.’.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod