What is DORA (The Digital Operational Resilience Act)?

The Digital Operational Resilience Act (DORA) is an EU regulation
The Digital Operational Resilience Act (DORA) is an EU regulation
Read on for a comprehensive definition of DORA and its impact on insurance and insurance technology sectors

The Digital Operational Resilience Act (DORA) will significantly impact both traditional insurance companies and insurtech firms by introducing stringent requirements for digital operational resilience. Here are the main ways DORA will affect these sectors:

Impact on Insurance Companies

Enhanced ICT Risk Management: Insurance companies will need to implement comprehensive ICT risk management frameworks to identify, protect, and mitigate risks. This involves continuous risk assessments, documenting dependencies between systems, and developing robust cybersecurity policies​​.

Incident Reporting: Insurers must establish systems to classify and report ICT-related incidents to regulatory authorities. They are required to provide initial notifications, progress updates, and final reports for significant incidents, ensuring thorough documentation and analysis of root causes​.

Operational Resilience Testing: Regular testing of ICT systems is mandatory, including annual vulnerability assessments and threat-led penetration testing (TLPT) every three years for larger firms. These tests help evaluate and improve the effectiveness of cybersecurity defenses and response plans​​.

Third-Party Risk Management: Insurers must manage risks associated with third-party ICT service providers, conducting thorough assessments and maintaining a register of all contracts. This ensures that critical third-party providers comply with DORA’s resilience standards​​.

Impact on Insurtech Firms

Compliance with High Standards: Insurtech firms must demonstrate that they meet DORA’s stringent requirements, which can provide a competitive edge. This involves adopting advanced ICT risk management practices and ensuring robust incident response capabilities​.

Opportunities for Innovation: DORA creates opportunities for insurtechs to offer solutions that help traditional insurers meet regulatory requirements. This includes developing technologies for risk management, incident reporting, and resilience testing​.

Information Sharing: While not mandatory, DORA encourages information sharing about cyber threats among financial entities. This can benefit insurtechs by fostering collaboration and enhancing collective cybersecurity defenses​​.

Regulatory Oversight: Insurtechs providing critical ICT services will be subject to direct oversight by designated regulators. This includes potential penalties for non-compliance, which underscores the importance of maintaining high security standards​.

Practical Steps for Preparation

Insurance and insurtech firms should begin preparing for DORA by conducting gap analyses of their current ICT systems and processes. Developing comprehensive risk management frameworks, establishing incident reporting mechanisms, and engaging in regular resilience testing are crucial steps. Additionally, firms should ensure that they have robust third-party risk management practices in place to comply with DORA’s requirements by the January 2025 deadline​​.

By adhering to these requirements, both traditional insurers and insurtech firms can enhance their digital operational resilience, ensuring they can withstand and recover from ICT-related disruptions effectively.


Andy Schneider, Field CISO EMEA at Lacework, says: “DORA focuses on the financial sector and will come into effect on January 17, 2025. It applies to financial entities (including brokerages, insurance, credit institutions, investment managers, crowdfunding providers, crypto entities, and more) doing business in or with the EU. It also applies to information and communication technology (ICT) third-party service providers deemed critical by European regulators. 

"DORA aims to improve the digital safety of the financial sector by setting up a system for managing risks and reporting incidents, and establishing testing requirements. Like NIS2, it holds management more responsible for cybersecurity, focuses on securing the supply chain, and encourages the use of modern detection technologies to surface unusual behaviour. It also emphasises the importance of governance and the role of senior management in overseeing cybersecurity efforts.

"It introduces corporate fines for non-compliance of up to 2% of annual turnover and personal fines for employees of up to €1 million, with critical third parties also subject to fines of up to €500,000.

"The foundation of NIS2 and DORA is strong risk management. Organisations must implement comprehensive cyber risk management processes, including risk analysis, risk detection, risk response, vulnerability management, and employee training. Business continuity and digital resilience are key themes, requiring organisations to have plans in place to maintain operations during disruptions.

Within DORA, there’s a shift happening to focus more on detection rather than just compliance-oriented security. Detection is crucial to identify if an intrusion or breach is happening, and if those happen, there are strict reporting requirements. Without detection, there’s no way to report anything.” 


Make sure you check out the latest industry news and insights at InsurTech Digital and also sign up to our global conference series - FinTech LIVE 2024


InsurTech Digital is a BizClik brand 



Featured Articles

IMG and Teladoc Expand Telehealth Services for Travellers

IMG and Teladoc Health expand partnership to enhance telehealth services for travellers, offering round-the-clock access to medical professionals worldwide

UHG CEO Witty Admits Hack hit Third of US Citizens' Data

US congressional hearing learns from UnitedHealth Group CEO Andrew Witty that Change Healthcare cyberattack compromised data of third of the US population

Allianz Announces Partnership With Clearspeed

Emerging scams like moped fraud and shallow fakes pose new challenges to insurers, so more sophisticated detection systems are crucial

Milliman Arius: Reserve Analysis with an End-to-End Solution


Allstate: BCG Partner Harnesses Gen AI to Transform CX

Technology & AI

Comarch Diagnostic Point: Next Gen European Health Insurance