In an increasingly digitized world, cyber threats are no longer distant risks—they’re immediate concerns. For insurance and reinsurance companies, the stakes have just been raised. The Italian Insurance Supervisory Authority (IVASS) has issued new instructions detailing how entities under its supervision must comply with the Digital Operational Resilience Act (DORA), which becomes fully applicable as of January 17, 2025.
Cyber Incidents: Mandatory Reporting Framework
With the Market Letter of February 14, 2025, IVASS clarified how insurance and reinsurance undertakings and intermediaries must report serious ICT-related incidents and, on a voluntary basis, relevant cyber threats. These obligations stem from Article 19(2) of DORA and apply to incidents that impact critical services and meet certain thresholds, such as unauthorized access resulting in data loss, or the triggering of two or more criteria set out in Delegated Regulation (EU) 2024/1772.
The reporting timeline is strict:
- Initial report: within 24 hours of identifying the incident
- Interim report: within 72 hours
- Final report: within one month of the last update
IVASS has provided standardized templates for reporting, to be submitted via PEC:
- Insurance undertakings: vigilanza.prudenziale@pec.ivass.it
- Intermediaries: vigilanzacondottamercato@pec.ivass.it
The Information Register: New Compliance Duty by April 11, 2025
Another major requirement comes from Article 28(3) of DORA. Companies must maintain a Register of Information detailing all ICT-related service contracts with third-party providers. This allows both national authorities and EU supervisors to assess risks posed by outsourcing arrangements.
IVASS’s Market Letter of March 7, 2025 specifies that this register must be transmitted using the Infostat platform, with submission due by April 11, 2025, based on data as of March 31, 2025. The report must follow a defined format, including naming conventions for the compressed archive and folders containing the required metadata and reports.
To use Infostat, entities must first be authorized. Those not yet registered must submit credentials via PEC to: ivass@pec.ivass.it.