IT infrastructure

Regulatory framework

  1. Solvency II Law: Article 42, § 1, 7° (security) and 9° (continuity)
  2. Delegated Regulation 2015/35: Article 258(1)(i) (records of business), (j) (IT security) and (3) (continuity)
  3. Underlying thematic NBB Circulars:
  4. EIOPA Guidelines: /

The Solvency II Law and Delegated Regulation 2015/35 leave the existing regulatory framework for IT infrastructure unchanged. As a result, the regulatory requirements in the area of IT security, business continuity and cloud computing are explained below in broad terms. The Circulars below can be referred to for more information.

10.1. IT security (including cybersecurity)

Insurance companies must have an IT system that functions properly (which can keep records of business) and appropriate control and security measures in the area of IT. Alongside areas such as outsourcing and business continuity, which are explained elsewhere in this Circular, this also applies to insurance services offered via the internet. See Circular NBB_2009_17 on IT security and Circular NBB_2015_32 on continuity (the Bank recommends that all significant companies and groups comply with the latter Circular, which was originally aimed at systemically important companies).

Furthermore, the Bank stresses the importance of cybersecurity. It therefore expects insurance companies to adopt the necessary measures to manage cyber risks in the context of their aforementioned IT security system. These measures should be reviewed and updated regularly in order to incorporate the latest techniques and best practices.

10.2. Cloud computing

The insurance company determines whether an arrangement entered into with a cloud service provider falls under the definition of outsourcing according to the Solvency II Law. If so, in addition to the general outsourcing requirements included in Chapter 7 of this Circular, the company should also comply with the specific recommendations for cloud outsourcing specified in Communication NBB_2012_11 and, from 1 January 2021, those set out in Circular NBB_2020_018.