Balancing Innovation with Evolving Regulations in the European Union

  • Will McAllister

May 15, 2024

Untitled

Innovation and the European regulatory environment are shaping the future of the property and casualty (P&C) insurance sector in the European Union (EU). A recent survey by Celent identified them both as 2024 priorities for P&C insurance company CIOs, CTOs, and IT architects in EMEA. 86% of respondents have a moderate to significant focus on the regulatory environment, while 81% have the same level of focus on innovation.

This blog explores some aspects of the Digital Operational Resilience Act (DORA) and the Data Act, significant new EU regulations that may materially impact the European regulatory framework.

It takes a look at how P&C organizations can continue to innovate amidst privacy and cybersecurity regulations and how Guidewire’s past experience and partnership with Amazon Web Services (AWS) may enable customers to grow their businesses, while adhering to the new legal rules.

Data Protection in the Insurance Market: A Landscape in Flux

For decades, insurance companies have used data to improve their customer service, operational efficiency, and competitive differentiation. They rely on data to shape the precision and cost-efficiency of the policies they issue and claims they process. The rise of big data analytics, machine learning​,​ and AI has increased the use of personal data for customer service, granular risk assessment​,​ and bespoke policy tailoring.

“To facilitate and ensure innovation amidst data protection regulations, Guidewire's marketplace includes a partner validation process so our customers can innovate with confidence and create differentiated outcomes for their own ecosystems”

Will Murphy, Vice President, Global Technology Alliances

The economy runs on data, and P&C insurance is no exception. Digital platforms generate unprecedented amounts of consumer digital information. At the same time, increasing consumer awareness around data protection and growing digital footprints contribute to a regulatory environment focused on robust protection protocols.

Evolving regulations have profound implications for insurers. Beyond avoiding fines, these regulations shape how products are developed, and claims are managed and offer an opportunity to gain a competitive advantage by leveraging the strategic value of proper data governance.

The European Regulatory Climate and Impact on the Insurance Industry

In the EU, the insurance industry operates within a complex web of data privacy regulation. To date, the General Data Protection Regulation (GDPR) has been its flagship. Enacted in May 2018, it has pioneered data protection and privacy rights across the EU and globally, substantially affecting insurance practices and policies. However, new regulatory layers continue to emerge (Data Act, AI Act, NIS2 Directive, DORA) and add to already existing legislations applying to European P&C insurance carriers (Solvency 2, Delegated Regulations, EIOPA Guidelines, etc.).

Data Act

The Regulation on harmonised rules on fair access to and use of data - also known as Data Act- is a law designed to enhance the EU’s data economy and foster a competitive data market by making data (in particular industrial data) more accessible and usable, encouraging data-driven innovation and increasing data availability.

While the scope of the GDPR is limited to personal data, the Data Act applies to both personal data and non-personal data, which means that its scope of application is clearly broader. It means that whenever we talk about personal data, both GDPR and Data Act apply jointly.

The EU Data Act provides important regulations in the B2C, B2B and B2G sectors that affect the transfer of data between companies, consumers and, in certain cases, government authorities. The Data Act gives users of connected products greater control over the data they generate. In addition, it lays down general conditions for situations where a business has a legal obligation to share data with another business.

With the EU Data Act, unfair contract terms are now expressly prohibited also in the B2B sector. A term is considered unfair if it deviates significantly from “good business practice” and is “contrary to good faith and fair dealing.” Examples include the limitation of liability, the exclusion of legal remedies or the granting of unilateral rights.

The Data Act entered into force on 11 January 2024, and it will become applicable in September 2025. Guidewire closely monitors its development.

NIS2

The NIS2 Directive is EU-wide legislation on cybersecurity. It augments the guidelines of its predecessor and is designed to improve the collective resilience of critical infrastructure, including financial infrastructure, against cyber threats. The directive was approved in 2022, and its deadline for transposition into law in member states is October 17, 2024.

NIS2's purpose is to mitigate risks by shaping organizations' posture against cyber-attacks. The regulations expand the scope of their predecessor and require robust security measures to protect sensitive customer data from cyber threats.

DORA takes precedence over NIS2 for the financial sector.

Digital Operational Resilience Act (DORA)

DORA is an EU legislative risk management framework that aims to ensure the digital operational resilience of the financial sector for all the financial entities, including insurance companies. DORA focuses on important areas of risk, including protection, detection, containment, recovery, and repair capabilities against ICT incidents. DORA will come into effect in January 2025.

There is no doubt that the content of DORA is made of many moving parts. The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published recently the first set of final draft technical standards under the DORA aimed at enhancing the digital operational resilience of the EU financial sector by strengthening financial entities’ Information and Communication Technology (ICT), third-party risk management and incident reporting frameworks. Guidewire is currently closely analyzing these drafts.

We are expecting ESA to release a second set of final drafts on 17 July 2024. This batch will also include a draft on subcontracting of critical or important functions which may be applicable to SaaS contracts.

Guidewire is closely monitoring DORA’s latest developments.

How to Balance Compliance with Innovation

With GDPR, Guidewire has provided solutions that empower insurance companies to address their customer data protection compliance requirements and their handling of personal data. With a close eye on regulatory requirements, we continue to innovate across our products and accelerators to enable our customers to maintain compliance with EU-wide regulations applicable to them.

The EU regulations may be seen as an opportunity for insurers to promote and build trust with their communities. By following and promoting adherence to existing and emerging privacy, security and risk management regulations, insurers’ own customers are reassured that innovative new capabilities and services are balanced with stewardship of their data privacy.

Guidewire's network of partnerships is broad and includes our hosting provider Amazon Web Services (AWS). Like Guidewire, AWS is assisting customers in supporting innovation, resilience, and security. Guidewire is following regulatory developments closely, and together with AWS, we welcome such initiatives. We expect to be in a position to enable customers to meet the requirements of DORA and other EU regulations.

Learn more at the upcoming Marketplace Summit Events

The EU's commitment to data privacy and cybersecurity through regulations like GDPR, DORA, and the Data Act requires a private and secure data landscape for insurance entities. While these regulations can seem daunting, they also present an opportunity for innovation and differentiation that can propel the P&C insurance industry forward while improving overall data security.

Join us on 28 May in Paris, France, or 30 May in Milan, Italy for a morning of thought-provoking discussion with experts about balancing business imperatives, technology innovation, and regulatory compliance in the property and casualty insurance industry. In the afternoon, stay for an exclusive reception at the Palais Garnier, Paris and the AWS offices in Milan.

Register Today