Insurance Under DORA

DORA (Regulation (EU) 2022/2554) applies to insurance undertakings and reinsurance undertakings authorised under the Solvency II framework (Directive 2009/138/EC). Insurance intermediaries that meet certain thresholds related to size and the nature of their activities are also in scope. The regulation has been directly applicable across all EU member states since 17 January 2025.

For the insurance sector, the European Insurance and Occupational Pensions Authority (EIOPA) is the relevant European Supervisory Authority. EIOPA contributes to the development of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) under DORA and coordinates supervisory convergence across national insurance regulators. Day-to-day supervision is carried out by national competent authorities (NCAs), but EIOPA's guidance shapes how those authorities interpret and enforce the regulation for insurers.

The scope is broad. Life insurers, non-life insurers, composite undertakings, reinsurers, captive insurance entities, and insurance holding companies with ICT-dependent operations all fall under DORA. The only meaningful exclusions are very small insurance intermediaries that do not meet the size thresholds set out in the regulation. If your firm holds an insurance or reinsurance authorisation in an EU member state, DORA applies to you.

Solvency II and DORA are complementary. Solvency II governs capital adequacy, risk governance, and prudential reporting. DORA adds a dedicated layer of ICT risk management, digital resilience testing, incident reporting, and third-party oversight requirements. Insurers must comply with both, and EIOPA encourages firms to integrate DORA into their existing Solvency II governance structures.

Key DORA Requirements for Insurance

DORA is organised around five pillars. Each applies to insurance undertakings, though the depth of obligation varies depending on the insurer's size, nature, scale, and complexity of operations. Here is what each pillar means for insurers in practice.

1. ICT Risk Management (Art. 5-16)

Insurers must establish and maintain a comprehensive ICT risk management framework. This covers asset identification, risk assessment, protection measures, detection capabilities, and business continuity planning. The management body is directly responsible for approving the framework and ensuring adequate resources. For insurers, this often means extending existing Solvency II ORSA processes to incorporate ICT-specific risk identification and treatment.

2. Incident Management and Reporting (Art. 17-23)

Insurance undertakings must classify, manage, and report major ICT-related incidents. The reporting timeline is strict: initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month. For insurers handling sensitive policyholder data, this also intersects with GDPR breach notification obligations. Incidents affecting claims processing, underwriting platforms, or policyholder portals can all trigger DORA reporting.

3. Digital Operational Resilience Testing (Art. 24-27)

All insurers must conduct proportionate resilience testing, including vulnerability assessments, network security reviews, and scenario-based testing. Only insurers designated as systemically important by their competent authority are required to perform Threat-Led Penetration Testing (TLPT) every three years. Most small and mid-sized insurers will not face TLPT obligations, but must still maintain a robust testing programme proportionate to their risk profile.

4. Third-Party ICT Risk Management (Art. 28-44)

Insurers must maintain a Register of Information documenting all ICT third-party arrangements. Contracts with critical providers must include mandatory clauses covering audit rights, service levels, exit strategies, and data location. Insurance companies that rely heavily on cloud-based policy administration systems, claims platforms, or actuarial tools need to map these dependencies carefully. See our third-party risk management guide for details.

5. Information Sharing (Art. 45)

Insurers may participate in voluntary information-sharing arrangements with other financial entities to exchange cyber threat intelligence. EIOPA encourages insurance firms to engage in sector-specific sharing initiatives, as the insurance industry faces distinctive threats related to policyholder data, large-value claims fraud, and actuarial model integrity.


How Insurance Differs from Banking Under DORA

While DORA applies the same five-pillar structure to both insurance and banking, the practical implications differ in several important ways due to the distinct risk profiles and supervisory arrangements of each sector.

Different risk profiles. Insurance operates on longer time horizons than banking. Claims settlement, policy lifecycles, and reserve calculations unfold over months or years rather than in real time. This means that while ICT disruptions in insurance are serious, they are less likely to trigger immediate systemic contagion than a disruption at a major bank or payment processor. Supervisors are expected to account for this when applying proportionality.

EIOPA vs EBA/ECB oversight. Banks fall under EBA and, for significant institutions, direct ECB supervision. Insurers fall under EIOPA coordination and national insurance supervisors. EIOPA's supervisory culture emphasises proportionality and outcomes-based assessment, which can mean a somewhat different supervisory tone compared to banking regulators. However, the core DORA requirements remain the same regardless of which ESA is involved.

TLPT likelihood. The designation of entities required to perform TLPT is based on systemic importance, size, and complexity. In practice, far fewer insurers than banks are likely to be designated for mandatory TLPT. Large pan-European insurance groups and reinsurers with significant market share are the most likely candidates. Most national and regional insurers will be required to perform standard resilience testing but not full TLPT exercises. For a broader comparison with banking requirements, see our DORA compliance guide.

Different proportionality thresholds. Insurance undertakings span a wider range of sizes than the banking sector, from large multinational groups to small mutual insurers and niche specialty firms. DORA's proportionality provisions are particularly relevant for the insurance sector, where many firms are small enough to qualify for the simplified ICT risk management framework under Art. 16.

Existing regulatory integration. Insurers already operate under Solvency II, which includes governance, risk management, and outsourcing requirements. Many DORA obligations can be addressed by extending existing Solvency II frameworks rather than building new structures. Banks face a similar situation with CRD/CRR and EBA guidelines, but the specific integration points differ.


Proportionality for Insurers

DORA applies on a proportional basis, taking into account the size, nature, scale, and complexity of an entity's services, activities, and operations. For the insurance sector, where firm sizes vary enormously, proportionality is one of the most important concepts in the regulation.

Simplified ICT risk management (Art. 16). Insurance undertakings that meet the criteria for simplified requirements can apply a lighter version of the ICT risk management framework. This does not exempt them from DORA, but it reduces the granularity and formality of what is required. Eligible firms still need an ICT risk management framework, incident reporting processes, and third-party oversight arrangements, but with less documentation burden and simpler governance structures.

Microenterprise exemptions. Microenterprises as defined under EU law (fewer than 10 employees, turnover or balance sheet under EUR 2 million) benefit from certain exemptions within DORA. Small insurance intermediaries that qualify as microenterprises may be exempt from some of the more detailed requirements, though they remain subject to the core principles of ICT risk management and incident reporting.

Proportionality in practice for insurers

A large pan-European insurance group writing billions in gross written premiums will need a comprehensive ICT risk management framework, full resilience testing including potential TLPT designation, a detailed Register of Information, and board-level reporting. A small regional mutual insurer may apply the simplified framework under Art. 16, conduct basic vulnerability assessments rather than advanced testing, and maintain a proportionately simpler third-party register. Both are compliant — the level of effort is calibrated to the risk each entity poses and faces.

How to determine your proportionality level. Your national competent authority will assess your proportionality classification based on factors including total assets, gross written premiums, number of policyholders, cross-border activity, ICT dependency, and interconnectedness with other financial entities. The DORA gap analysis tool can help you understand where your firm sits on the proportionality spectrum and what level of obligation applies to each pillar.


EIOPA Supervisory Expectations

EIOPA has been actively shaping how DORA applies to the insurance sector through guidance, consultation papers, and coordination with national supervisors. Understanding EIOPA's expectations helps insurers prioritise their compliance efforts.

Register of Information quality. EIOPA has emphasised that the Register of Information (RoI) is a central supervisory tool for understanding ICT concentration risk across the insurance sector. Insurers should expect scrutiny on the completeness and accuracy of their RoI submissions. This means going beyond a simple vendor list to documenting the criticality of each ICT arrangement, subcontracting chains, data processing locations, and business functions supported by each provider.

Cloud and outsourcing arrangements. The insurance sector has been a rapid adopter of cloud-based platforms for policy administration, claims management, and actuarial modelling. EIOPA expects insurers to demonstrate that cloud outsourcing arrangements comply with DORA's third-party requirements, including contractual protections, exit strategies, and concentration risk assessment. Firms that migrated to cloud platforms before DORA should review whether their existing contracts meet the new mandatory clause requirements.

Governance and board oversight. EIOPA expects the management body of insurance undertakings to be actively involved in ICT risk oversight, not merely to rubber-stamp frameworks prepared by IT departments. This aligns with DORA Art. 5, which requires the management body to define, approve, oversee, and be ultimately responsible for the ICT risk management framework. Board members should receive regular training on ICT risk topics and have sufficient expertise to challenge management reporting.

Cross-border coordination. For insurance groups operating across multiple EU member states, EIOPA coordinates supervisory expectations to ensure consistency. Group supervisors are expected to assess ICT risk management at the consolidated level and ensure that the group's DORA compliance programme covers all entities within the group structure. This is particularly relevant for groups where ICT services are provided centrally through shared service centres or a single cloud platform.

For detailed information on penalties and enforcement, see our DORA penalties guide.


Getting Started with DORA Compliance for Insurance

If your insurance firm has not yet begun its DORA compliance programme, or if you are looking to validate and strengthen your existing efforts, the following steps provide a practical starting point.

1. Assess your current state. Start with a structured gap analysis that measures your readiness across all five DORA pillars. The free DORA assessment takes approximately three minutes and gives you a score across ICT risk management, incident reporting, resilience testing, third-party oversight, and information sharing. This gives you a clear baseline and helps prioritise where to focus first.

2. Determine your proportionality level. Understand whether your firm qualifies for the simplified ICT risk management framework under Art. 16, and whether you are likely to be designated for TLPT. This affects the scope and complexity of your entire compliance programme and should be established early.

3. Build your Register of Information. The RoI is one of EIOPA's priority areas and is often the most time-consuming deliverable. Begin by inventorying all ICT third-party arrangements, classifying their criticality, and documenting contractual terms, subcontracting chains, and data locations. DORA GRC's third-party management module automates much of this process.

4. Integrate with Solvency II governance. Rather than creating parallel structures, extend your existing Solvency II governance framework to incorporate DORA requirements. Your ORSA process, risk committee structure, and board reporting cycle can all be adapted to include ICT risk topics. This is more efficient and produces better outcomes than treating DORA as a standalone project.

5. Review ICT provider contracts. Audit your existing contracts with critical ICT providers against DORA's mandatory clause requirements. Identify gaps in audit rights, termination provisions, exit strategies, and service level commitments. Begin renegotiation early, as contract amendments with large providers can take several months. For detailed guidance, see our third-party risk management guide.

6. Establish incident reporting processes. Ensure you have a clear process for detecting, classifying, and reporting major ICT-related incidents within DORA's timelines. Test this process with a tabletop exercise before you need it in a real incident. Coordinate with your NCA to understand their preferred reporting channels and templates.


Frequently Asked Questions

DORA applies to insurance undertakings and reinsurance undertakings authorised under Solvency II. It also covers insurance intermediaries that meet certain size or systemic-importance criteria. Very small insurance intermediaries that fall below the relevant thresholds may be excluded from some obligations, but the regulation applies broadly across the insurance sector. If your firm holds an insurance or reinsurance licence in an EU member state, DORA almost certainly applies to you.

Day-to-day DORA supervision is carried out by national competent authorities, typically the national insurance supervisor. EIOPA coordinates supervisory convergence across the EU, issues guidelines and technical standards, and participates in the oversight of critical ICT third-party providers that serve the insurance sector. EIOPA does not directly supervise individual insurance firms, but its guidance shapes how national authorities apply DORA requirements to insurers.

Only insurance undertakings designated by their competent authority as systemically important or meeting certain size and complexity thresholds are required to conduct Threat-Led Penetration Testing under Art. 26 of DORA. Most small and mid-sized insurers will not be required to perform TLPT, though all insurers must carry out proportionate digital operational resilience testing under Art. 24-25. Large pan-European insurance groups and major reinsurers are the most likely candidates for TLPT designation.

DORA and Solvency II are complementary. Solvency II governs capital adequacy, risk governance, and prudential reporting, while DORA adds specific requirements around ICT risk management, digital resilience testing, incident reporting, and third-party provider oversight. Insurers must comply with both. EIOPA has encouraged firms to integrate DORA into their existing Solvency II frameworks — extending ORSA processes, risk committees, and board reporting to cover ICT risk — rather than building parallel compliance structures.