
DORA in insurance: A guide and action plan for 2025

The Digital Operational Resilience Act (DORA) is a regulation introduced by the EU to ensure that financial institutions (FSIs) in Europe operate within a robust digital framework. This regulation takes a proactive approach to preventing disruptions or failures originating from Information and Communication Technology (ICT) vendors.

As many processes within FSIs have become digital, the cost of system disruptions or IT outages has become too high to ignore. Therefore, agility in responding to disruptions is a core focus of DORA — it’s not just about preventing downtime, but also about how quickly an FSI can recover and maintain operations. 

“DORA ensures that ICT providers delivering services to FSIs are held adequately accountable for maintaining strong internal governance," said Olaf Jonkers, Chief Internal Security Officer at itsme digital identity platform. "This is very important because FSIs’ growing reliance on ICT providers means that a system crash or breach can suddenly reduce operations to a small fraction.”  

Below, we answer FAQs about DORA with a focus on the insurance industry: 

What challenges face insurance companies on the way to compliance with DORA?

As of 2025, all financial services industries are expected to comply with DORA. However, among all FSIs, the insurance sector may be the least prepared for this regulation.

One of the main challenges is the insurance industry's heavy reliance on brokers and intermediaries, who often have diverse approaches to internal operations. Many of these entities still follow traditional, less digitally-native methods of working, which can complicate efforts to achieve DORA compliance.

"While regulations are nothing new for insurance companies, insurance intermediaries and brokers are typically subject to less regulation, which rarely comes directly from the regulator," said Jorgen Fleussu, Legal Officer at itsme.

“Implementing the full ICT risk framework and the cybersecurity aspects linked to DORA will be a significant challenge, particularly for smaller players, as they may lack experience with auditing ICT suppliers, developing risk assessment frameworks and documenting the outcomes in catalogues.” 

Another challenge facing insurers and other FSIs is the uncertainty around the scope of DORA's obligations (e.g., is accounting software also required to be DORA-compliant?). Additionally, insurers need to renegotiate and adapt agreements with all relevant ICT providers to meet DORA’s digital resilience requirements for all associated risks, which is a time-consuming process.

What is the deadline for insurance companies to achieve DORA compliance?

FSIs had over two years to prepare for DORA, and the deadline for compliance was January 2025. However, almost every financial institution is still facing challenges that prevent it from achieving compliance. 

"It will still be some time before all insurance companies and intermediaries are compliant, but regulators will consider the efforts made to comply when evaluating FSIs," explained Jorgen. "For instance, FSIs with a realistic gap analysis coupled with an actionable plan to achieve compliance will be in a better position compared to FSIs that claim full compliance when it is not actually the case."

Later in the blog, we share a remedy plan for insurers and brokers still working on becoming DORA compliant. 

What are the key benefits DORA brings to the insurance industry?

DORA will help the insurance industry become more resilient and reliable, acting fundamentally as a catalyst to propel the digital transformation of insurers and other FSIs.  

By enforcing a comprehensive ICT risk framework, insurers can better manage digital threats, reduce vulnerabilities, and strengthen data protection and cybersecurity. Achieving this is especially important for insurers, as only 1 in 4 people surveyed in 2024 said that they trusted sharing their personal data with insurance companies. 

Additionally, DORA contributes to streamlining governance and enhancing supply chain management for insurers, significantly improving operational efficiency and mitigating risks. This creates a competitive advantage for insurers, increasing client confidence in their reliability and stability as trusted partners in society.

What are the first steps insurance companies need to take to become DORA compliant?

The first step for insurance companies to become compliant with DORA is to conduct a thorough risk assessment and gap analysis of their existing internal compliance processes and policies, such as those related to vulnerability scanning, HR policies, and security baselining. They might find it necessary to adapt these policies and build upon their current frameworks to improve processes and ensure full compliance across the organization. 

Secondly, insurers must map their ICT providers across the entire supply chain (e.g., cloud services, digital services for risk calculation, etc.). It’s crucial for insurers to understand the status of each of their suppliers, including whether they support important or critical functions. Insurers need to justify and formalize what they consider to be critical, distinguishing between critical and supporting ICT suppliers based on an individual risk assessment and classification.

"Assessing whether an ICT provider supports essential functions for the business requires creating a standardized catalogue that includes contract details and a description of each entity," explained Olaf. "The format for doing this is very specific and detailed, to allow fully standardized and automated reporting from individual insurance companies - from the national supervisory authorities up to the European level."

Insurers need to fill in their register of information (“ROI”) to report it to the competent authority by April, or they will risk facing penalties.

Thirdly, insurers need to adapt their suppliers' contracts to ensure that they contain the necessary provisions to manage all risks linked to ICT service providers. Insurers need to guarantee that their suppliers are knowledgeable not only about DORA but also about industry-specific regulations (e.g., AML, KYC, and insurance-specific frameworks) to ensure full compliance and risk management.

“A way to approach this is to develop a model to evaluate the impact and probability of business disruptions and related risks, such as unavailability, distributed denial-of-service (DDoS), and data breaches,” explained Olaf. “This means auditing suppliers, asking them for evidence of effective implementation, and validating them, up to technically testing their safeguards. The culmination of all of this would be the Threat-Led Penetration Testing (TLPT) that should be done at least every 3 years.”

By validating the implementation of proper governance around information security and operational resilience, these steps are the beginning of the continued validation of suppliers’ adherence to what was contractually agreed.

How can itsme support insurance companies in DORA compliance? 

itsme is an identity-as-a-service provider that covers all applications related to client verification and authentication across 16 European countries, offering the highest levels of security and assurance. We also provide secure digital signing and data sharing solutions. 

“From day one, insurance companies can rely on itsme for a high-quality service integrated into the European identity framework, enabling them to offer secure online services to their customers,” added Olaf.  

itsme is fully DORA-compliant, with all security measures necessary for financial institutions that are supervised by national and European authorities. Our app meets all due diligence obligations specific to financial institutions through a highly resilient and reliable service, including continuous security monitoring and no breaches of availability.
