IT infrastructure
Regulatory framework
- Solvency II Law: Article 42, § 1, 7° (security) and 9° (continuity)
- Delegated Regulation 2015/35: Article 258(1)(i) (records of business), (j) (IT security) and (3) (continuity)
- Underlying thematic NBB Circulars:
  - Circular NBB_2020_18 of 5 May 2020 on the recommendations of the Bank on outsourcing to cloud service providers,
  - Circular NBB_2009_17 of 7 April 2009 on IT security,
  - Communication NBB_2012_11 of 9 October 2012 on cloud computing and
  - Circular NBB_2015_32 on IT continuity
- Circular NBB_2020_XXX on the recommendations of the Bank in relation to cloud outsourcing
- EIOPA Guidelines: /
The Solvency II Law and Delegated Regulation 2015/35 leave the existing regulatory framework for IT infrastructure unchanged. As a result, the regulatory requirements in the area of IT security, business continuity and cloud computing are explained below in broad terms. The Circulars below can be referred to for more information.
10.1. IT security (Including Cybersecurity)
Insurance companies must have an IT system that functions properly (which can keep records of business) and appropriate control and security measures in the area of IT. Alongside areas such as outsourcing and business continuity, which are explained elsewhere in this Circular, this also applies to insurance services offered via the internet. See Circular NBB_2009_17 on IT security and Circular NBB_2015_32 on continuity (the Bank recommends that all significant companies and groups comply with the latter Circular, which was originally aimed at systemically important companies).
Furthermore, the Bank stresses the importance of cybersecurity. It therefore expects insurance companies to adopt the necessary measures to manage cyber risks in the context of their aforementioned IT security system. These measures should be reviewed and updated regularly in order to incorporate the latest techniques and best practices.
10.2. Cloud computing
The insurance company determines whether an arrangement entered into with a cloud service provider falls under the definition of outsourcing according to the Solvency II Law. If so, in addition to the general outsourcing requirements included in Chapter 7 of this Circular, the company should also comply with the specific recommendations for cloud outsourcing specified in Communication NBB_2012_11 and, from 1 January 2021, those set out in Circular NBB_2020_018.