Risk Partners Life Sciences Roundtable 2024, thank you very much! Sign up now for the 26.06.2025 >

Contact us

DORA regulation will apply from January 2025.
Significance for our private equity and venture capital clients

The somewhat unwieldy name "Digital Operational Resilience Act" ( DORA for short) has a very serious background and is to be welcomed in principle. After all, when we evaluate our claims in the context of cybercrime, PE and VC funds and their KVGs are those with the highest frequency of claims. It can be safely assumed that theyhave been identified as a "worthwhile target group" for cyber criminals based abroad and are now being systematically "processed". We are seeing an increase in redirected capital calls, payout distributions or redirected investments, some of which involve elaborate strategies on the part of the attackers. It is therefore one of our strategic focus topics for 2024/2025, particularly in terms of raising awareness.

About the DORA Regulation: with this regulation, the European Commission aims to harmonize ICT (Information and Communications Directive) resilience measures across Europe and improve cybersecurity in the financial sector. A special cut-off date is January 17, 2025, when the regulation will come into force (two years after its entry into force). 

The regulation emphasizes that the company management - i.e. the executive board ("GPs") - is responsible for managing ICT risks. And that's not all: they must also define and approve the strategy for digital operational resilience and plan an appropriate budget for it. The necessary know-how must be kept up to date at all times. In addition, companies in the financial sector must set up an ICT risk control function. It contains elements of the information security officer already prescribed in the IT requirements, but is not congruent with them.

Who is affected by the DORA Regulation?

The DORA regulation affects us as risk partners (insurance brokers) on the one hand and fully regulated KVGs on the other. Registered AIF KVGs are exempt from this. It can also be assumed that the exemption also applies to EuVECA managers, as these are typically treated in the same way as registered AIF KVGs.

Fully regulated KVGs and those in the process of full regulation should ensure that they are DORA-compliant.

Note: For BPs, a breach of the DORA Regulation constitutes a compliance breach, which is also to be regarded as organizational fault. In case law, this quickly leads to (unlimited) personal liability for GPs.

The DORA Regulation is based on the existing regulatory requirements and incorporates many regulations that the companies concerned are already familiar with from the sectoral IT requirements. It harmonizes these requirements, but is more detailed in its structure and significantly reduces the previous scope for discretion. The new regulatory requirements can be divided into five main areas (based on the colleagues from POELLATH):

ICT-Risk management and ICT-governance:

The DORA regulation stipulates that responsibility for risk management lies directly with the management. ICT risks must be integrated into the company-wide risk management system. While this requirement was already included in previous regulatory requirements, it is now legally binding under the DORA Regulation.

In the area of ICT governance, i.e. the organizational and legal framework conditions for IT structures, the regulation requires ICT to be integrated into the corporate strategy. In addition, the DORA regulation prescribes regular updates and control mechanisms for IT systems. 

According to the presentation by Dr. Fechler from 26.09.2024

In addition, data backup and recovery strategies must be developed to minimize the impact of potential system failures.

Obligation to report ICT-related incidents:

In accordance with the DORA Regulation, BaFin will act as the central national reporting hub for ICT incidents in the financial sector. An "ICT-related incident" is defined as an unplanned event that affects the security of networks or information systems and may have a negative impact on the availability, integrity, authenticity or confidentiality of data and the services of a financial undertaking (Art. 3 para. 1 no. 8 DORA).

The DORA regulation requires companies to set up protection mechanisms and early warning systems to detect cyber attacks in good time and prevent ICT incidents. All ICT-related incidents must be logged. In addition, a procedure for classifying these incidents will be introduced, with serious incidents being subject to mandatory reporting.

Testing digital operational resilience:

DORA obliges fully regulated KVGs to regularly check their ICT security. The regulation provides for various suitable tests to check the software code, network security and the compatibility of hardware and software. The aim of these tests is to uncover and eliminate weaknesses in the company's own digital operational resilience.

ICT third party management / outsourcing:

As more and more ICT services are being outsourced to technology service providers, companies must also identify third-party risks as part of their risk management. This task is likely to cause considerable effort in the German PE/VC landscape in particular due to the need for adjustments. BaFin also receives notifications in connection with ICT third-party management and examines them for potential risks to the financial sector. DORA sets out key contractual provisions as well as certain monitoring and termination rights for outsourcing agreements. The term ICT service is defined broadly in the regulation and includes - with the exception of analog telephone services - all digital and data services that are made available to users via systems. 

Monitoring of critical ICT third-party service providers:

DORA establishes a framework for the supervision of critical ICT technology providers that already existed in Germany in outline form. BaFin's powers have been significantly expanded and include, among other things, the requesting of documents, the imposition of fines and on-site inspections. BaFin is responsible for classifying an ICT service provider as critical and for the associated monitoring. The service providers classified as critical must bear the costs of this monitoring themselves. The typical KVG should not be affected by this. 

With regard to possible risk transfer options, there is unfortunately no specific DORA insurance. However, the good news is that our clients' existing holistic insurance concepts - usually a triad of E&O insurance, cyber insurance and crime insurance - effectively cover the risks for KVGs.

GPs, on the other hand, can rely on their existing criminal law protection and D&O insurance. In addition to the need to keep the respective conditions up to date in a "DORA era", PE/VC AIFMs should critically review their sums insured. This is because both the probability of occurrence and the potential amount of claims are likely to increase in the future.

We will be happy to keep you up to date on trends in the insurance market in our blog. Arrange a non-binding exchange with us: Book your preferred date!

Also read our other blog posts

Life Sciences

Finance Day 2024

Growth capital for biotechnology and life sciences - Finance Day 2024 A few days ago, Jutta and Florian from our team attended Finance Day 2024 at the analytica trade fair in Munich. The event once again offered exciting expert panels on current financing and capital market issues for life sciences companies. As the panels focused on three of our key consulting areas, namely life sciences, venture capital and IPOs, attending was of course a must for us as a specialist insurance broker. Our team was also very pleased to meet many of our partners and clients again.

Read more "
April 19, 2024
Risk Partners

13th Hamburg Financial Lines Forum

Risk Partners at the Financial Lines Forum 13th Hamburg Financial Lines Forum. On October 12 and 13, 2023, the 13th Hamburg Financial Lines Forum took place with the participation of Risk Partners, a traditional event that once again served as a platform for the exchange of current trends. The program began with an overview of current developments and the handling of claims in financial lines, presented by Gabriele Schreiber-Sahin and Michael Hendricks. Dr. Oliver Sieg then shed light on directors' and officers' liability and the

Read more "
October 28, 2023
Life Sciences

St. Gallen study: USD 6 billion per drug

HSG St. Gallen: Drug costs USD 6.16 billion on average. Are the days of new drugs costing less than USD 1 billion over? There were figures in the industry that spoke of USD 700-1,000 million as the cost of developing a new drug. A study by the University of St. Gallen covering the period 2001-2020 found that the cost of developing new drugs has risen dramatically. It was estimated that the cost of developing a new drug now stands at

Read more "
September 26, 2023
Being Public

Global Integrity and Compliance Forum 2024 

๐—š๐—น๐—ผ๐—ฏ๐—ฎ๐—น ๐—œ๐—ป๐˜๐—ฒ๐—ด๐—ฟ๐—ถ๐˜๐˜† ๐—ฎ๐—ป๐—ฑ ๐—–๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—™๐—ผ๐—ฟ๐˜‚๐—บ ๐Ÿฎ๐Ÿฌ๐Ÿฎ๐Ÿฎ๐Ÿฐ "D&O and Co. - Plan B to cover personal liability!" Last Friday, Florian had the honor of taking part in the Global Integrity and Compliance Forum at the Ludwig-Maximilians-Universitรคt in Munich. Under the motto "The RULE of LAW in the Era of Integrity & Compliance", international legal experts, company managers, in-house councils and compliance officers from all over the world gathered to discuss the future of good corporate governance in 2024. Key discussions and insights One of the

Read more "
June 14, 2024
Being Public

Revolution in D&O insurance in Nevada (US insurance market) postponed

The revolution in D&O insurance in Nevada has been called off after all. In the US market, the state of Nevada passed an interesting law (Bill No. 398) in the summer with potentially significant implications for the D&O insurance market. The Governor of Nevada approved the bill on June 3, 2023, so the law came into force on October 1, 2023. We had classified this legislation (in the USA, insurance supervision is organized at state level) as too watchful for our clients, but this law

Read more "
December 9, 2023
Being Public

"I believe in a strong IPO comeback in 2024" - Interview Platform Life Sciences

Risk Partners in the trade press. Florian was approached by the journalists from Plattform Life Sciences for an interview on our view of 2024 and the development of Risk Partners over the past year. In addition to challenging claims, product innovations (e.g. all about POSI insurance) from Risk Partners, Florian also discusses our motives for the "team up" with the fantastic colleagues from Atrialis GmbH - experts in clinical trials. Click here for Florian's interview. Read the interview

Read more "
January 11, 2024