DORA Compliance for Insurance: Operational Resilience Requirements for Insurers

Insurance undertakings must meet DORA's ICT risk and operational resilience requirements alongside their existing Solvency II governance obligations. The task is integration, not duplication — mapping DORA into the Solvency II framework that insurers already operate.

How DORA Applies to Insurance

DORA Article 2 brings several categories of insurance-sector entities into scope:

  • Insurance undertakings authorised under Solvency II — life, non-life, and composite insurers
  • Reinsurance undertakings — including pure reinsurance operations
  • Insurance and reinsurance intermediaries meeting specified size thresholds — larger brokers fall in scope; the smallest may be exempt
  • IORPs — Institutions for Occupational Retirement Provision above defined thresholds

Proportionality applies throughout. Large life insurers with complex ICT estates face the full framework; smaller intermediaries operate under a lighter regime. The regulatory assessment of scope and depth is made by reference to size, complexity, and risk profile against criteria in DORA itself.

Insurance-Specific DORA Requirements

The DORA framework applies to insurers with specific emphasis on the ICT systems and third-party arrangements that support core insurance operations:

ICT Risk Management for Insurance Operations

Policy administration systems, claims processing platforms, and actuarial modelling environments are typically designated as supporting critical or important functions. ICT risk management must cover governance, protection, detection, and recovery for these systems — integrated with existing Solvency II Pillar 2 governance.

Incident Reporting for Insurance-Specific Systems

Major ICT-related incidents must be reported to national competent authorities within DORA's defined timeframes. For insurers, this includes incidents affecting policyholder services, claims processing, and core administration platforms. EIOPA coordinates supervisory consistency across member states.

Resilience Testing for Insurance Platforms

All insurers must conduct basic resilience testing. Significant insurers must additionally undertake threat-led penetration testing (TLPT) every three years for systems supporting critical or important functions. Testing must cover scenarios specific to insurance operations, not just generic cyber scenarios.

Third-Party Risk for Outsourced Functions

Insurance is heavily outsourced: actuarial modelling, claims administration, policy administration platforms, cloud infrastructure. DORA requires comprehensive due diligence, specific contractual provisions, and ongoing monitoring. Insurers must maintain the register of information covering all ICT third-party arrangements.

DORA and Solvency II

The most significant integration challenge for insurers is mapping DORA into Solvency II's existing governance framework. Solvency II Pillar 2 already covers governance, risk management, internal control, and the Own Risk and Solvency Assessment (ORSA). DORA adds more specific ICT requirements on top.

Rather than running DORA as a separate compliance track, insurers should integrate it into the Solvency II governance structures that already exist:

  • Governance — DORA's ICT risk framework should feed into the overall Solvency II governance system approved by the administrative, management, or supervisory body
  • ORSA — ICT risk should be addressed in the Own Risk and Solvency Assessment; DORA's incident data and testing results become inputs to ORSA analysis
  • Operational risk — DORA incident data feeds into operational risk calculations under Solvency II Pillar 1, where applicable to the standard formula or internal model
  • Outsourcing — DORA's ICT third-party framework aligns with and extends Solvency II outsourcing requirements; the register of information complements existing outsourcing registers
  • Supervisory reporting — DORA major incident reports integrate with existing Solvency II reporting and EIOPA supervisory engagement

EIOPA's role in coordinating DORA supervision across member states reinforces this integrated view. Insurers that build a separate DORA compliance programme end up duplicating work already done under Solvency II. The better approach is to extend existing governance and documentation to cover DORA's specific ICT requirements.

DORA Document Requirements for Insurers

Insurers must maintain a documentation set that satisfies both DORA and the integration points with Solvency II:

  • ICT governance policies integrated with the Solvency II system of governance
  • Operational resilience plans and business continuity documentation
  • Outsourcing register extended to become the DORA register of information covering all ICT third-party arrangements
  • Incident response documentation including classification thresholds and notification procedures
  • Testing programme documentation including TLPT results for significant insurers
  • Contract templates with DORA-mandated provisions for all ICT service arrangements

How ComplyLoft Auditor Helps Insurers

The ComplyLoft Auditor can be configured with DORA requirements and run across an insurer's existing ICT governance and Solvency II documentation. It cross-references the two frameworks to identify genuine gaps rather than forcing parallel compliance streams.

  • Automated document auditing against DORA requirements with Solvency II cross-referencing
  • Gap analysis highlighting where existing Solvency II documentation needs DORA-specific extensions
  • ICT third-party contract review against DORA-mandated provisions
  • Register of information completeness checks across insurance ICT arrangements
  • Ongoing monitoring support for evolving DORA and Solvency II requirements

ComplyLoft Auditor identifies potential compliance gaps and provides a structured starting point for review. All outputs require human review and sign-off. ComplyLoft does not guarantee compliance.

Frequently Asked Questions

Does DORA apply to insurance companies?
Yes. DORA Article 2 brings insurance and reinsurance undertakings within its scope, as well as insurance intermediaries that meet specified size thresholds. Institutions for Occupational Retirement Provision (IORPs) above defined thresholds are also in scope. Smaller intermediaries and micro-enterprise IORPs may be exempt or subject to a lighter regime under the proportionality principle.

How does DORA interact with Solvency II?
DORA and Solvency II address adjacent but distinct areas. Solvency II governs prudential supervision, governance (Pillar 2), and reporting for insurers, including broad governance and risk management expectations. DORA addresses ICT risk specifically and in detail — risk management, incident reporting, testing, third-party oversight. Where the two overlap (for example, outsourcing and operational risk), DORA sets more specific requirements. Insurers will need to integrate DORA into their Solvency II governance structures rather than running them in parallel.

What DORA documentation must insurers maintain?
Insurers must maintain an ICT risk management framework approved by the administrative, management, or supervisory body; business continuity and incident response documentation; operational resilience testing plans and results; a register of information covering all ICT third-party service arrangements; contracts with DORA-mandated provisions; and board-level governance records. Documentation must integrate with existing Solvency II ORSA (Own Risk and Solvency Assessment) and governance documentation.

Are insurance intermediaries in scope for DORA?
Insurance intermediaries are in scope if they meet the size thresholds defined in DORA. Small and micro-enterprise intermediaries may be exempt. Where DORA does apply, intermediaries face the full framework but with proportionality applied to the depth of obligations. Reinsurance intermediaries are generally in scope regardless of size. The classification should be assessed against DORA's specific criteria and national competent authority guidance.

What are the DORA compliance deadlines for insurers?
DORA applied from 17 January 2025 for all entities in scope, including insurance undertakings. The register of information first submission deadline was 30 April 2025. National competent authorities, with EIOPA coordinating supervision across member states, now actively supervise compliance. Insurers that have not yet integrated DORA into their governance frameworks are operating with material regulatory risk.

Integrate DORA into Your Solvency II Framework

Request a demo to see how ComplyLoft Auditor helps insurers meet DORA requirements without duplicating Solvency II governance.