

What is DORA?
DORA is a European IT law that financial institutions must comply with as of January 2025. The purpose of this law is to make organizations more resilient to cyber threats. 'Long before the law came into force, we examined our role in relation to DORA and its impact on ANVA,' Jilles says. 'That's why I consult monthly with a lawyer who keeps me informed of all developments.'
Why this law?
'DORA was created to address the misalignment between the increasing IT threat and the development of resilience,' Jilles says. 'The financial sector is becoming increasingly dependent on software and IT infrastructure for its services, which increases its vulnerability to problems such as cyber-attacks.' Jilles adds, 'DORA therefore focuses on improving risk management, incident management, testing and visibility into critical IT service providers. Ultimately, it's about protecting the customer's personal data. That's a big responsibility and that's where we help our customers.'
What does DORA mean for ANVA?
'As a software provider, we are not directly subject to the supervision of DORA, because we are not a financial institution,' Jilles explains. 'But we are involved as a third-party provider of ICT services. DORA's regulators at the European level want to know where the concentration risks are, and with us it's clear: 70% of Dutch insurance proxies rely on ANVA's products and services for their daily operations. If something happens to ANVA, 70% can no longer operate. So securing continuity on ANVA is a serious responsibility for our customers and ourselves.'
'ANVA is already very DORA-proof: that's why we are now focusing mainly on contractual agreements'
What will change for customers?
'Actually little, because ANVA is already DORA-proof,' says Jilles. 'That is why we are now focusing mainly on contractual agreements, such as drawing up good exit arrangements. Our clients themselves have to make sure they make risk analyses and business continuity plans in the context of DORA, if they don't already have them. At the same time, we are going to report more things. For example, we are going to make sure that the Service Level Agreements state when we inform our customers in the event of a possible incident and how we handle the delivery of our cloud solutions.'
DORA is very comprehensive. Can you explain that?
'It is a comprehensive law,' Jilles explains. 'DORA includes many guidelines and requirements that financial institutions have to comply with. We have to go through each standard and analyze what it means for us. For example, what happens to the chain if one of our suppliers goes down? Do we have a contingency plan for that? Although DORA does not directly affect our business structure, it does have an indirect impact. It obliges us to think even more critically about risk management and to share our vision and precautions about it with our customers.'
What can customers expect with regard to DORA?
'From September 2024 we want to make our new agreements available to our customers,' says Jilles. 'These will then meet the current DORA requirements and we are also already sorting for ANVA's latest software, ANVA 6. Customers will then be free to replace their existing agreement with this new DORA-proof agreement. Commercial agreements remain unchanged in it.' Jilles adds, 'It is up to the customer to comply with the new rules on January 17, 2025. We support as best we can.'
