The Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) became directly applicable across all EU member states on 17 January 2025. For insurance undertakings and intermediaries, DORA represents the most significant ICT regulatory obligation since GDPR — and unlike GDPR, it comes with mandatory penetration testing, incident timelines measured in hours, and direct supervisory oversight of your critical third-party ICT providers.
This guide explains what DORA requires of insurance firms, which firms are in scope, and what you should have completed — or be completing now — to demonstrate compliance.
Scope: Which Insurance Firms Does DORA Cover?
Article 2 DORA lists the financial entities in scope. For the insurance sector, this includes:
- Insurance and reinsurance undertakings covered by Solvency II (Directive 2009/138/EC, Article 4).
- Insurance intermediaries (brokers and agents) registered under Article 3 IDD — with a significant carve-out: intermediaries that are microenterprises (fewer than 10 employees AND annual turnover below €2 million) are excluded under Article 2(5)(f) DORA.
The commonly cited threshold for intermediaries is the standard SME definition, but DORA's own micro-enterprise exclusion is more precise: you are excluded only if you meet both criteria simultaneously. A broker with 8 employees and €3 million turnover is in scope.
Importantly, the proportionality principle in Article 4 DORA allows competent authorities to apply requirements proportionately to smaller in-scope firms — but this does not mean smaller firms are exempt; it means enforcement may be calibrated. You must still document your ICT risk framework.
The Five-Pillar DORA Framework
Pillar 1: ICT Risk Management (Articles 5–16)
You must maintain a comprehensive ICT risk management framework, approved and overseen by your management body. This includes:
- An ICT risk appetite statement aligned with your business strategy.
- A mapping of all ICT assets (hardware, software, data, network components) and their interdependencies.
- Identification and classification of all ICT risks, including those introduced by third parties.
- Protective controls (access management, encryption, patch management, endpoint protection).
- Detection capabilities (security monitoring, log management, anomaly detection).
- Recovery plans with documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical system.
The ICT risk management framework must be reviewed at least annually and after any major incident or significant change to ICT infrastructure.
Pillar 2: ICT-Related Incident Management (Articles 17–23)
You must establish a process to detect, classify, manage, and report ICT-related incidents. DORA introduces a mandatory classification system:
- Major incidents trigger regulatory reporting obligations.
- Classification criteria (specified in the Commission Delegated Regulation supplementing DORA) include: number of clients affected, geographic spread, duration, data loss, financial impact, and criticality of the affected services.
Reporting timelines for major incidents are three-stage:
- Initial notification: within 4 hours of classifying the incident as major, and in any case no later than 24 hours after the incident first became known, whichever of the two deadlines falls earlier.
- Intermediate report: Within 72 hours of the initial notification — status update and updated impact assessment.
- Final report: Within 1 month of submitting the intermediate report — root cause analysis, lessons learned, and remediation measures.
Notifications are made to your national competent authority. Insurance supervisors (e.g., BaFin in Germany, DNB in the Netherlands, ACPR in France) have each established DORA reporting portals. Keep your portal registration current — the 4-hour clock does not pause while you find the submission URL.
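Because the initial deadline is the earlier of two clocks, it is easy to miscalculate under pressure. The following is an added illustration of the three-stage timeline described above (it is not code from the page or from PrizMova): it assumes UTC timestamps, reads "1 month" as one calendar month, and, where a submission time is not yet known, assumes the worst case of submitting exactly at the deadline.

```python
from datetime import datetime, timedelta, timezone
import calendar


def utc(*parts):
    """Build a timezone-aware UTC datetime from (year, month, day[, hour, minute])."""
    return datetime(*parts, tzinfo=timezone.utc)


def add_months(ts, months):
    """Add calendar months, clamping the day to the last day of the target month
    (assumption: this is how '1 month' is read; e.g. 31 Jan + 1 month = 28 Feb)."""
    idx = ts.month - 1 + months
    year, month = ts.year + idx // 12, idx % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def dora_reporting_deadlines(aware_at, classified_at,
                             initial_sent_at=None, intermediate_sent_at=None):
    """Return the initial, intermediate and final report deadlines.

    aware_at      : when the firm first became aware of the incident
    classified_at : when the incident was classified as major
    *_sent_at     : actual submission times; None means 'assume submitted
                    exactly at the deadline' (worst case for the next stage)
    """
    # Initial notification: 4h from classification, but never later than
    # 24h from first awareness. A late classification can already be overdue.
    initial_due = min(classified_at + timedelta(hours=4),
                      aware_at + timedelta(hours=24))
    initial_sent = initial_sent_at or initial_due
    # Intermediate report: 72h after the initial notification was submitted.
    intermediate_due = initial_sent + timedelta(hours=72)
    intermediate_sent = intermediate_sent_at or intermediate_due
    # Final report: one calendar month after the intermediate report.
    final_due = add_months(intermediate_sent, 1)
    return {
        "initial_due": initial_due,
        "initial_already_overdue": classified_at > initial_due,
        "intermediate_due": intermediate_due,
        "final_due": final_due,
    }
```

Run it with your own timestamps before an incident, not during one; the `initial_already_overdue` flag is the case to rehearse, since it means the 24-hour cap expired before classification finished.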
Pillar 3: Digital Operational Resilience Testing (Articles 24–27)
All in-scope firms must conduct basic resilience testing (vulnerability assessments, penetration tests) at least annually. Firms identified as significant by competent authorities must conduct Threat-Led Penetration Testing (TLPT) — also known as TIBER-EU — at least every three years.
TLPT is not a standard penetration test. It is a full-scope, adversarial simulation conducted by qualified external testers using real threat intelligence specific to your firm. The process involves a formal scoping phase with your competent authority, a red team exercise, and a structured remediation and attestation phase. Lead times for qualified TLPT providers are currently 6–12 months across most EU markets.
Pillar 4: Third-Party ICT Risk Management (Articles 28–44)
This pillar is where many insurance firms face their greatest compliance gap. You must:
- Maintain a register of all ICT third-party service providers, classified by criticality.
- Ensure contracts with critical providers include mandatory clauses: audit rights, service level agreements, sub-contracting controls, business continuity provisions, and data portability on termination.
- Conduct pre-contractual due diligence on all new ICT third parties and periodic review of existing providers.
- Monitor concentration risk — where multiple critical functions depend on a single provider or a small number of providers.
Cloud providers designated as Critical ICT Third-Party Service Providers (CTPPs) under Article 31 DORA are subject to direct EU-level supervision by the Joint Oversight Committee (ESAs). This designation has regulatory implications for your contracts — ensure your cloud agreements include the DORA-required contractual provisions.
Pillar 5: Information Sharing (Article 45)
DORA establishes a voluntary framework for financial entities to share cyber threat intelligence among themselves. While currently voluntary, participation is encouraged by EIOPA and national competent authorities. Information sharing arrangements must have governance structures and data protection safeguards — sharing incident information inevitably involves personal data, engaging GDPR obligations as described in our GDPR compliance guide.
RTO and RPO Requirements
Article 12 DORA requires that your ICT business continuity policy include Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical function. DORA does not prescribe specific RTO/RPO values — your management body must set them based on the criticality of the function and the impact of disruption on clients and financial stability.
Typical benchmarks adopted by insurance firms in 2025 compliance reviews:
- Policy administration systems: RTO 4 hours, RPO 1 hour.
- Claims management systems: RTO 8 hours, RPO 2 hours.
- Client-facing portals: RTO 2 hours, RPO 15 minutes.
- Regulatory reporting systems: RTO 24 hours, RPO 4 hours.
These RTOs and RPOs must be tested — not just documented. Annual disaster recovery exercises with documented results are required.
Intersection with AI and Cloud Strategy
DORA's third-party risk requirements interact closely with your cloud and AI strategy. If you are using AI tools for underwriting, claims triage, or client communication, the AI vendor is an ICT third-party subject to DORA's contractual requirements. For insurance firms using AI systems classified as high-risk under the EU AI Act, additional governance requirements apply — see our guide to the EU AI Act for insurance firms. For data residency and cloud provider selection considerations, see our analysis of GDPR data residency for EU insurance firms.
DORA Readiness Checklist for Insurance Firms (2025)
- Confirm whether your firm meets the micro-enterprise exclusion threshold — if uncertain, seek legal advice and document your reasoning.
- Adopt a formal ICT risk management framework document, approved by your management body or board.
- Complete an ICT asset inventory covering all hardware, software, data repositories, and network components.
- Classify all ICT third-party providers by criticality and complete a gap analysis of existing contracts against DORA's mandatory contractual requirements.
- Establish an ICT incident classification matrix and test it against realistic incident scenarios.
- Register with your national competent authority's DORA reporting portal and conduct a dry run of the 4-hour initial notification process.
- Set documented RTO and RPO values for all critical ICT functions, approved by management.
- Conduct a vulnerability assessment and basic penetration test if not done within the last 12 months.
- Determine whether your firm is likely to be designated for TLPT — if so, begin procurement for a qualified TLPT provider.
- Review concentration risk in your ICT provider portfolio — document any single-provider dependencies and your contingency plans.
PrizMova Europa is built on EU-resident infrastructure (Hetzner Nuremberg data centres), with DORA-aligned incident management workflows, ICT third-party register templates, and RTO/RPO tracking built into the platform. For firms combining DORA readiness with Solvency II QRT reporting obligations, our integrated compliance dashboard reduces duplicate effort across both frameworks — see our Solvency II QRT reporting guide for details.