Guidewire Software Inc.

05/15/2024 | News release | Distributed by Public on 05/15/2024 12:01

Balancing Innovation with Evolving Regulations in the European Union

Innovation and data protection regulations are shaping the future of the property and casualty (P&C) insurance sector in the European Union (EU). A recent survey by Celent identified them both as 2024 priorities for P&C insurance company CIOs, CTOs, and IT architects in EMEA. 86% of respondents have a moderate to significant focus on the regulatory environment, while 81% have the same level of focus on innovation.

This blog explores the Digital Operational Resilience Act (DORA) and the Network and Information Systems 2 (NIS2) Directive, significant new EU regulations that may drive changes in the data protection landscape. It covers how P&C organizations can continue to innovate amidst cybersecurity regulations and how Guidewire's experience with GDPR and partnership with Amazon Web Services (AWS) ensures customers can confidently grow their businesses while adhering to new data protection regulations.

Data Protection in the Insurance Market: A Landscape in Flux

For decades, insurance companies have used data to improve their customer service, operational efficiency, and competitive differentiation. They rely on data to shape the precision and cost-efficiency of the policies they issue and claims they process. The rise of big data analytics, machine learning, and AI has increased the use of personal data for customer service, granular risk assessment, and bespoke policy tailoring.

"To facilitate and ensure innovation amidst data protection regulations, Guidewire's marketplace includes a partner validation process so our customers can innovate with confidence and create differentiated outcomes for their own ecosystems."

Will Murphy, Vice President, Global Technology Alliances

The economy runs on data, and P&C insurance is no exception. Digital platforms generate unprecedented amounts of consumer digital information. At the same time, increasing consumer awareness around data protection and growing digital footprints contribute to a regulatory environment focused on robust data protection protocols.

Evolving regulations have profound implications for insurers. Beyond avoiding fines, these regulations shape how products are developed and how claims are managed, and they offer an opportunity to gain a competitive advantage by responsibly handling data privacy.

The European Regulatory Climate and Impact on the Insurance Industry

In the EU, the insurance industry operates within a complex web of data privacy regulation. To date, the General Data Protection Regulation (GDPR) has been its flagship. Enacted in May 2018, it has pioneered data protection and privacy rights across the EU and globally, substantially affecting insurance practices and policies. However, data privacy legislation continues to evolve, with newer regulations emerging for insurance professionals.

Two sets of newer data protection and security regulations are significant to the insurance sector. The first is the Network and Information Systems 2 (NIS2) Directive, which imposes cybersecurity measures across various critical sectors. The second is the Digital Operational Resilience Act (DORA). Unlike NIS2, DORA is specifically tailored for the financial sector, with a concentrated focus on Information and Communication Technology (ICT) risks for financial organizations and their third-party technology providers.

NIS2

The NIS2 Directive is EU-wide legislation on cybersecurity. It augments the guidelines of its predecessor and is designed to improve the collective resilience of critical infrastructure, including financial infrastructure, against cyber threats. The directive was approved in 2022, and its deadline for transposition into law in member states is October 17, 2024.

NIS2's purpose is to mitigate risks by shaping organizations' posture against cyber-attacks. The regulations expand the scope of their predecessor and require robust security measures to protect sensitive customer data from cyber threats. This includes encrypting data in transit and at rest, implementing access controls, and regularly monitoring for any unauthorized access or manipulation of data.

For insurance entities and their technology providers, NIS2 necessitates a more exhaustive approach to compliance, risk assessment, and mitigation. Organizations will be required not only to adopt the specified cybersecurity measures but also to document and demonstrate their adherence to them.

Digital Operational Resilience Act (DORA)

DORA is an EU legislative risk management framework that aims to ensure the digital operational resilience of the financial sector, including insurers and their service providers. Whereas previous regulations were largely focused on the risk associated with capital allocation, DORA focuses on other areas of risk, including protection, detection, containment, recovery, and repair capabilities against ICT incidents. With this regulation, all provisions regarding ICT risk are amalgamated for the first time, and they are expected to come into effect in January 2025.

DORA applies to most financial entities, including insurance companies, and to third parties that provide technology services to them. Under these requirements, the responsibilities of these entities and their technology partners include:

  • Implementing and testing digital operational resilience

  • Reporting incidents and sharing information about cyber threats and vulnerabilities

  • Implementing, testing, and reporting risk management

How to Balance Compliance with Innovation

With a close eye on regulatory requirements, we continue to innovate across our products and accelerators to ensure that customers maintain compliance. At Guidewire, we see regulations as an opportunity for insurers to promote and build trust with their communities. By following and promoting adherence to existing and emerging privacy regulations, insurers' own customers are reassured that innovative new capabilities and services are balanced with stewardship of their data privacy.

Guidewire's network of partnerships, including with Amazon Web Services (AWS), is also a key asset in our compliance work. Like Guidewire, AWS is committed to supporting innovation, resilience, and security. By collaborating closely with AWS for our cloud solutions, we combine their regulatory compliance commitment with our own to bring insurance customers innovative solutions that follow appropriate privacy guidelines and standards.

Learn more at Innovation Days

The EU's commitment to data protection, resiliency, and cybersecurity through regulations like GDPR, DORA, and NIS2 requires a more private and secure data landscape for insurance entities and their technology partners. While these regulations can seem daunting, they also present an opportunity for innovation and differentiation that can propel the P&C insurance industry forward while improving overall data security.

Together with AWS, our cloud partner, Guidewire takes a proactive approach to compliance so insurance companies can meet the requirements of evolving data privacy regulations while continuing to deliver innovative products and services to their customers.

Join us for a day of thought-provoking discussion about balancing business imperatives, technology innovation, and regulatory compliance in the property & casualty insurance industry. This exclusive forum is an opportunity to network with peers and engage with experts in the regulatory field who will share perspectives on charting pathways forward for insurers confronted with existing or impending regulatory regimes.

Global Marketplace Summit Events - please register:

Register for Paris

28 May 2024 - Intercontinental Le Grand, Paris, France

Register for Milan

30 May 2024 - Hotel Principe di Savoia, Milan, Italy