DORA for Insurance 2026: EIOPA Supervision & Solvency II Guide

Q: Which insurers must conduct Threat-Led Penetration Testing (TLPT)?

TLPT designation is risk-based per Article 26(8). For the insurance sector, this typically covers Internationally Active Insurance Groups (IAIGs), large life and non-life insurers above ~€20bn gross written premium, and pan-EU insurance groups with significant cross-border activity. Industry estimate: 40-60 insurance groups in scope across the EU, designated by EIOPA in coordination with national supervisors (BaFin, ACPR, IVASS, MFSA, etc.). Cycle: at least every 3 years.

Q: How should the Register of Information capture reinsurance technology providers?

Reinsurance platforms (e.g., centralised reinsurance contract management systems, ceded loss reporting tools, retrocession platforms) qualify as ICT third-party services under DORA Article 28. They must be in the register at the legal entity level, classified by criticality, with full Article 30 contract clauses. Group reinsurance treaties using shared technology platforms create complex sub-outsourcing chains that often surface only during the first register submission.

Q: What are the most common DORA findings for insurers in 2025?

Top supervisory findings observed across EIOPA-coordinated reviews: (1) ORSA does not yet integrate ICT risk under DORA terminology, (2) actuarial systems supporting Solvency Capital Requirement calculations have insufficient resilience controls, (3) reinsurance technology providers missing from Register of Information, (4) claims processing RTOs/RPOs not validated end-to-end, (5) board-level reporting still framed in Solvency II language without DORA-specific KRIs.

Building your DORA team? Insurers hire the DORA Compliance Officer first — a verifiable certification for exactly the profile supervisors and hiring teams look for. Browse all DORA certifications.

Why DORA Matters for Insurance Companies

The insurance sector is structurally different from banking when it comes to operational resilience, but the regulatory exposure is just as significant. Insurance carriers run long-tail data — life policies sold today create obligations 30-50 years out — on technology stacks that frequently combine 1980s mainframes (still alive in many insurers), 2000s policy administration systems, modern actuarial cloud workloads, and customer-facing digital channels built in the past five years. This patchwork creates an unusual operational risk surface: legacy data dependencies, complex integration layers, and digital interfaces all needing simultaneous resilience.

Beyond technology, insurers carry highly sensitive personal data: policyholder identities, beneficiaries, health information for life and health business, accident records, financial details, and behavioural data from telematics or smart-home sensors. A material data breach or processing outage in an insurer hits regulators (DORA + GDPR + national supervisors), customers (loss of trust, claims delays), and the broader market (reputational contagion).

DORA brings this entire risk surface under harmonised supervision. EIOPA, as one of the three European Supervisory Authorities, coordinates with national supervisors (BaFin, ACPR, IVASS, DNB, MFSA, FSC, etc.) to apply DORA across insurance entities. The framework explicitly recognises Solvency II as the prudential foundation but adds binding ICT-specific obligations that go beyond what Solvency II Pillar 2 alone delivers.

Strategic upside

Reduced operational risk capital under Solvency II SCR
Lower cyber insurance premiums for self-insurance
Higher customer trust and retention
Better data quality for actuarial work

Downside of inaction

SCR add-ons for unmitigated ICT operational risk
Public censure and Section 274 enforcement
Distribution restrictions on new products
Fit-and-proper sanctions on accountable execs

DORA Scope Across the Insurance Sector

DORA applies to a broad set of insurance-sector entities, with proportionality calibrating the depth of obligations. The five main scope categories:

Insurance & reinsurance undertakings

~3,200

Authorised under Solvency II (Directive 2009/138/EC). Full DORA scope unless qualifying as microenterprise (rare). Includes life, non-life, composite and pure reinsurers.

Insurance intermediaries

~80,000

Authorised under the IDD. Most professional brokerage firms in scope; microenterprises and small ancillary distributors excluded. Simplified ICT framework available for small/non-interconnected.

Institutions for Occupational Retirement Provision

~3,000

IORPs authorised under IORP II Directive. In scope of DORA with proportionality based on size, type of risk borne, complexity. Significant IORPs face full obligations.

Pan-European Personal Pension Product providers

growing

PEPP providers authorised under Regulation (EU) 2019/1238 are in DORA scope from inception, given the cross-border digital nature of the product.

Proportionality without exemption: Article 4 allows a simplified ICT risk framework for entities qualifying as microenterprises and as small / non-interconnected. The qualification thresholds are strict: small balance sheet, low premium volumes, no significant ICT third-party dependencies, no material cross-border activity. In practice, fewer than 10% of insurers and intermediaries qualify.

DORA & Solvency II: How They Interact

For insurers, the most important regulatory question after "what does DORA require" is "what changes versus what we already do under Solvency II?" The answer matters because Solvency II is the prudential pillar of EU insurance regulation; DORA is operational resilience built on top of it.

Where DORA goes beyond Solvency II

Specific ICT risk taxonomy: Solvency II treats operational risk including ICT in aggregate (SCR.OP module). DORA forces a granular ICT-specific risk taxonomy with eight asset categories and separate KRIs.
Mandatory incident reporting framework: Solvency II's operational risk reporting is essentially internal (ORSA) plus supervisory dialogue. DORA imposes harmonised mandatory reporting with 4h/72h/1m timelines.
Resilience testing programme: Solvency II requires testing capital adequacy through stress tests; DORA requires testing operational resilience through vulnerability scans, scenario tests, and TLPT.
Register of Information: A regulatory artefact with no Solvency II equivalent — single biggest data lift for most insurers.
Direct contractual rules: Article 30 mandatory clauses go beyond the EIOPA Outsourcing Guidelines, which were guidance.

Where DORA aligns with Solvency II

Three lines of defence (DORA Article 6 ↔ Solvency II Pillar 2 governance)
Board-level accountability (DORA Article 5 ↔ Solvency II Articles 41-44)
Risk management function (DORA ICT risk function ↔ Solvency II risk management function — coordination required)
Internal audit independence (DORA Article 6(6) ↔ Solvency II Article 47)

ORSA and DORA

The Own Risk and Solvency Assessment (ORSA) is the centrepiece of Solvency II Pillar 2. EIOPA expects insurers to integrate DORA-aligned ICT risk into ORSA from the 2025 cycle onwards. Practically this means: ICT risk scenarios in ORSA stress tests, ICT capital quantification methodology, ICT risk appetite alignment with overall risk appetite, and explicit linkage between DORA register of information and ORSA outsourcing risk assessment.

Coordination point: Most insurers find that the Solvency II risk management function and the DORA ICT risk function need a formalised interaction model. Some insurers merge them under a Chief Risk Officer; others keep them separate with a documented coordination charter. Both work, but supervisors expect the choice to be deliberate and documented.

Critical Insurance Systems Under DORA Scrutiny

The systems supervisors target during DORA inspections at insurers reflect the operational reality of insurance: long policy lifecycles, complex calculation engines, cross-jurisdictional data flows.

Policy Administration Systems

Manage policy lifecycle (new business, renewals, endorsements, cancellations, lapse). Frequently legacy COBOL/PL1 platforms with 30+ year history. Replacement programmes are multi-year — supervisors accept this provided risk controls are robust.

Claims Management Platforms

Submission, triage, assessment, settlement and payment. Customer-facing in case of digital first notice of loss. RTOs typically 4-8 hours; RPOs near-zero for in-flight claims.

Underwriting Engines

Risk scoring, pricing, quote generation. Increasingly ML-driven with cloud workloads. Core target for TLPT for designated insurers.

Actuarial Calculation Systems

Reserving, IFRS 17 calculations, Solvency Capital Requirement model. Often a mix of vendor solutions (Prophet, AXIS, Moses) and bespoke spreadsheet/Python layers. Material data integrity risk if controls are weak.

Customer Portals & Mobile Apps

Digital channels for policy management, claims submission, document upload. High availability requirements; identity and authentication a primary DORA control area.

Reinsurance & Retrocession Platforms

Treaty management, ceded claims tracking, recoveries. Often shared infrastructure with reinsurers — creates joint third-party risk profile.

Telematics & IoT Data Pipelines

Connected-car, smart-home and wearable data feeds for behavioural pricing. Massive volume, real-time, often in cloud — high in concentration risk assessments.

Fraud Detection Systems

Claims fraud screening using rule engines and ML. Failures expose insurer to financial loss; data quality and model robustness in scope of DORA testing.

Article-by-Article Requirements for Insurers

Pillar 1 — ICT Risk Management Art. 5–16

Insurers must maintain a board-approved ICT risk management framework integrated with Solvency II governance. The framework must address all critical insurance systems (above), define risk appetite for ICT risk, and provide independent ICT risk function visibility. The RTS on ICT risk framework (Commission Delegated Regulation 2024/1774) specifies minimum content for security policies, encryption, identity management, network segmentation, change management and ICT business continuity.

Pillar 2 — Incident Management & Reporting Art. 17–23

Standardised classification under the RTS on classification, with insurer-specific application: claims processing impact, policy administration outage, fraud detection failure, actuarial system compromise. Same 4h / 72h / 1-month workflow as banking. Reporting via national supervisor portal — most insurers use the EIOPA-coordinated harmonised template.

Pillar 3 — Resilience Testing Art. 24–27

Annual programme covering critical insurance systems. Mid-size insurers typically run 4-6 deep technical assessments per year (vulnerability, penetration, scenario-based) plus continuous monitoring. Designated insurers also conduct TLPT every 3 years (see below).

Pillar 4 — ICT Third-Party Risk Management Art. 28–44

The Register of Information for insurers must capture not just hyperscaler relationships but also: policy administration vendors (Sapiens, Guidewire, Insurity, Duck Creek), actuarial platforms (FIS Prophet, Milliman AXIS, Moody's AXIS), claims technology (CoreLogic, Mitchell, Solera), reinsurance platforms, fraud detection (Shift Technology, FRISS), and underwriting workbenches.

Pillar 5 — Information Sharing Art. 45

Voluntary participation in cyber threat sharing. The European Insurance and Occupational Pensions community has established sector-specific threat-sharing mechanisms; FS-ISAC also has insurance-specific working groups.

TLPT for Designated Insurers

TLPT under Article 26 reaches the insurance sector, but with materially smaller scope than banking. Risk-based designation typically targets:

Internationally Active Insurance Groups (IAIGs) — about 10 EU-headquartered groups
Large life and non-life insurers above ~€20bn gross written premium
Insurance groups with significant cross-border activity (5+ Member States)
Selected reinsurers above significant retrocession volumes
Industry estimate: 40-60 insurance groups in scope across the EU

Insurance-specific TLPT scoping considerations

Unlike banking where critical functions cluster around payments, trading and core banking, insurance TLPT must address a more dispersed surface. Common in-scope objectives include: simulated unauthorised access to policyholder PII at scale, fraudulent claim approval through workflow manipulation, actuarial data tampering affecting reserves, and ransomware-style impact on policy administration. Scoping conversations with NCAs typically focus on which 3-5 critical functions to test in cycle 1.

Full TLPT methodology guide →

Third-Party ICT Providers in Insurance

Insurance has a particularly long tail of specialised ICT providers, each with sector-specific functionality. The Register of Information often surfaces 200-500 distinct providers per mid-size insurer — significantly more than a comparable bank.

Common third-party categories

Policy administration platforms: Often the single most critical relationship — vendor lock-in is real, exit strategies require 24-36 month horizons.
Actuarial calculation vendors: Material because results feed into Solvency II SCR. Independent validation is a DORA testing requirement.
Claims handling outsourcers (TPAs): Third-Party Administrators handling claims on behalf of insurers — both ICT relationship and operational outsourcing under EIOPA Outsourcing Guidelines.
Cloud hyperscalers: AWS, Azure, GCP — primarily for data lakes, ML workloads, customer-facing apps. Concentration risk increasingly visible.
Distribution platforms: Comparison websites, broker portals, embedded insurance APIs — increasingly material as digital distribution grows.
Fraud detection providers: Increasingly ML-based, often shared between insurers (consortium models) — interesting Article 30 challenge for shared models.
Reinsurance technology: ACORD-aligned platforms, treaty management — joint risk profile with reinsurer.

Sub-outsourcing visibility challenge: A typical insurance vendor stack has 3-5 layers of sub-outsourcing (e.g., policy admin vendor → cloud platform → infra provider → managed services support). The RTS on subcontracting requires visibility down to all material sub-contractors. Most insurers find their first register submission has gaps below Tier 2.

Incident Reporting for Insurers

The classification criteria (RTS on classification) apply identically across financial entities, but the manifestations are sector-specific. Incidents most commonly triggering "major" status at insurers:

Customer portal or mobile app outage longer than 24 hours during a peak renewal period
Claims processing system unavailability affecting more than 10% of in-flight claims
Unauthorised access to actuarial models or pricing engines
Data integrity incident in policy administration affecting policyholder records
Ransomware impact on document management systems holding policy documents
Identity provider compromise affecting agent/broker portals
Reinsurance platform outage during a major claims event (e.g., catastrophe loss reporting)

Reporting workflow

Same harmonised template as banking. Submitted through the national supervisor portal — for most insurers this is the supervisor that authorises them under Solvency II. Cross-border groups submit at solo level to each home authority.

Full incident reporting workflow →

12-Month Insurance Implementation Roadmap

Months 1-2 — Scope & Gap

Map all in-scope entities (carrier, brokerage, IORP), apply proportionality test, run gap analysis against DORA + RTS pack. Output: prioritised remediation backlog.

Months 1-3 — Governance & Solvency II Alignment

Update ICT risk appetite, define DORA function vs Solvency II risk function model, refresh board ICT competence. Update ORSA template to integrate ICT risk.

Months 2-5 — Policy Refresh

ICT risk policy, BCP/DRP, third-party policy, incident management policy, testing policy — all aligned with RTS pack and EIOPA expectations.

Months 3-9 — Register of Information

Inventory all ICT contracts including specialised insurance vendors. Capture sub-outsourcing chains down to Tier 3+. Validate LEIs. Build data quality controls. Target 30 April submission.

Months 4-10 — Contract Renegotiation

Article 30 mandatory clauses. Priority: policy admin vendor, actuarial platform, hyperscaler, claims TPA. Specialised insurance vendors often slower to provide DORA addendums.

Months 6-9 — Incident Drill

Tabletop exercises focused on insurance-specific scenarios: catastrophe-event claims surge with system outage, ransomware on policy admin, identity compromise on agent portals.

Months 9-12 — Testing & ORSA Integration

Annual testing programme launched. ORSA cycle integrates ICT risk under DORA terminology. TLPT procurement initiated for designated insurers.

Month 12+ — Sustain

Continuous register update, quarterly board reporting, integration with annual ORSA cycle, supervisory dialogue with home NCA.

5 Insurance-Specific Implementation Pitfalls

Underestimating the policy administration vendor liftMost insurers run on 1-3 dominant policy administration vendors. Getting Article 30 mandatory clauses into long-standing master agreements is hard, slow, and frequently requires escalation. Plan 9-12 months for top vendors.
Treating ORSA and DORA as separate exercisesEIOPA expects ICT risk to be integrated into ORSA from 2025 onwards. Insurers running parallel DORA and ORSA workstreams without coordination produce duplicative artefacts that supervisors find inconsistent.
Missing the actuarial-system control gapActuarial calculation systems often run in spreadsheet/Python layers outside the formal IT estate. They feed Solvency II SCR — material data integrity risk. Most first-cycle DORA inspections find weak controls here.
Ignoring TPA and broker IT dependenciesThird-Party Administrators and brokers handle insurer data on insurer's behalf. Their ICT failures are insurer's regulatory exposure under DORA. Many insurers have not yet captured TPA technology in their registers.
Cyber underwriting profile vs DORA gapInsurers writing cyber insurance products often find their internal DORA maturity lags their underwriting profile assumptions — a credibility risk if their own incident becomes public.

Need Expert Guidance for Insurance DORA Compliance?

Our specialised team understands insurance operations and helps insurers implement DORA efficiently.

Start Assessment Contact Expert

Insurance FAQ

Which insurance entities are in scope of DORA?

DORA applies to insurance and reinsurance undertakings authorised under Solvency II, insurance intermediaries authorised under the IDD (excluding microenterprises and certain ancillary distributors), institutions for occupational retirement provision (IORPs), and PEPP providers. Captives below thresholds and small mutual insurers may benefit from proportionality but are not exempt.

How does DORA interact with Solvency II for insurers?

DORA is lex specialis for ICT risk and operational resilience, replacing or superseding parts of Solvency II Pillar 2 governance requirements. The Solvency II ORSA must explicitly address ICT risk under DORA terms; the actuarial function and risk management function must coordinate with the ICT risk function defined under DORA Article 6.

Do EIOPA Guidelines on outsourcing to cloud service providers still apply?

EIOPA published a public consultation in 2024 to align or repeal its 2020 Guidelines on outsourcing to cloud service providers. In practice, DORA Articles 28-30 plus the RTS on subcontracting now provide the binding rules.

Which insurers must conduct Threat-Led Penetration Testing (TLPT)?

TLPT designation is risk-based per Article 26(8). For insurance, this typically covers IAIGs, large life/non-life insurers above ~€20bn gross written premium, and pan-EU groups with significant cross-border activity. Industry estimate: 40-60 insurance groups in scope, designated by EIOPA in coordination with NCAs.

How are incidents classified for insurers under DORA?

The same RTS classification criteria apply across financial entities, with insurer-specific thresholds. Major incidents typically include: claims processing disruption affecting more than 10% of pending claims, policy administration outage longer than 24 hours, unauthorised access to actuarial models, customer-portal failures during a renewal peak.

Are insurance brokers and intermediaries in scope of DORA?

Yes — insurance intermediaries authorised under the IDD are in scope, with two exclusions: microenterprises and small enterprises that are also natural persons offering distribution as ancillary activity. Most professional brokerage firms above small-enterprise thresholds must comply.

How should the Register of Information capture reinsurance technology providers?

Reinsurance platforms qualify as ICT third-party services under DORA Article 28. They must be in the register at the legal entity level, classified by criticality, with full Article 30 contract clauses. Group reinsurance treaties using shared technology platforms create complex sub-outsourcing chains.

Does DORA require encryption of all policyholder data?

Article 9 plus the RTS on ICT risk framework require strong cryptographic controls calibrated to information criticality. Policyholder data — including health data — typically falls in the highest criticality tier, requiring AES-256 (or equivalent) encryption with validated cryptographic agility.

How does DORA affect cyber insurance products that insurers themselves offer?

DORA does not regulate cyber insurance products as such, but insurers writing cyber policies will see DORA-compliant insureds present better risk profiles, enabling differential pricing. Insurers writing cyber policies are themselves subject to DORA — their claims processing, fraud detection and policy administration must meet DORA standards.

What are the most common DORA findings for insurers in 2025?

Top findings: (1) ORSA does not yet integrate ICT risk under DORA terminology, (2) actuarial systems supporting SCR have insufficient resilience controls, (3) reinsurance technology providers missing from Register of Information, (4) claims processing RTOs/RPOs not validated end-to-end, (5) board-level reporting still framed in Solvency II language without DORA-specific KRIs.