With Letter to the Market no. 31644 dated 14.02.2025, IVASS communicates the operational procedures by which
- insurers and reinsurers with registered offices in Italy;
- insurers with registered offices in a third country (outside the EEA) with a branch in Italy;
- insurance, reinsurance and ancillary intermediaries (excluding SMEs, i.e. intermediaries with (i) fewer than 250 employees and (ii) annual turnover of less than EUR 50 million or (iii) a balance sheet total of less than EUR 43 million);
will have to send to IVASS, in accordance with EU Regulation 2022/2554 (i.e., the “Digital Operational Resilience Act” or “DORA”), applicable from 17.01.2025, the reports relating to:
- major cyber incidents (i.e., incidents related to Information and Communication Technologies (ICT) that have a high adverse impact on the network and information systems that support critical or important functions of the financial entity); and
- on a voluntary basis, significant cyber threats relevant to the financial system, service users or customers (i.e., cyber threats whose technical characteristics indicate that they could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident);
as provided for and defined in the DORA Regulation, and governed by Commission Delegated Regulation EU 2024/1772 and the related Delegated Acts (RTS and ITS) (the “Delegated Acts”).
In particular, the Delegated Acts have established the following deadlines for the completion of the three phases required for notification to IVASS (in this case, the competent authority of reference):
- an initial notification, within 24 hours of the identification of the incident;
- an interim report, within 72 hours of the initial notification, with the possibility of sending subsequent updates;
- a final report, within one month of sending the last update of the interim report.
The required content of the notifications is progressively more detailed and is specified in the Delegated Acts themselves.
Finally, IVASS provides a template to be filled in according to the procedures set out in the Delegated Acts and the certified email addresses (PEC) to which, within the above deadlines, insurers and intermediaries subject to DORA must send reports of major cyber incidents and significant cyber threats; in particular:
- vigilanza.prudenziale@pec.ivass.it for insurers; and
- vigilanzacondottamercato@pec.ivass.it for insurance, reinsurance and ancillary insurance intermediaries.
The Letter to the Market is available, for the time being, only in Italian at the following link: https://www.ivass.it/normativa/nazionale/secondaria-ivass/lettere/2025/lm-14-02-2025/Lettera_al_mercato_14_02_2025.pdf