How to Implement DORA in an Insurance Company?

    The Digital Operational Resilience Act (DORA) is a new EU regulation focused on strengthening the digital operational resilience of financial institutions. It aims to ensure operational stability against cyber threats through effective ICT risk management, mandatory incident reporting, and regular system testing. So how should an insurance company implement DORA?

    DORA will apply from January 17, 2025, following a two-year transition period that began in January 2023. Insurance companies – like banks, investment firms, and other financial institutions – must adapt quickly. Only then can they remain compliant and ensure business continuity.

    What is DORA and who is affected?

    The Digital Operational Resilience Act (DORA) is an initiative of the European Union to improve cybersecurity and digital resilience in the financial sector.

    It introduces common rules requiring institutions to manage ICT incidents. They should be able to prevent, respond to, and quickly recover from disruptions.

    DORA applies to 20 categories of entities, including insurance companies, insurance brokers, banks, fintechs, VC funds, and payment service providers. Importantly, it also covers ICT service providers, such as cloud or IT outsourcing companies. If classified as critical providers, they may be subject to direct supervision.

    Why was DORA introduced?

    DORA addresses the rising number of cyberattacks and the increasing dependency of financial services – especially insurance – on technology.

    A cyberattack happens every 39 seconds globally. The financial damage caused by cybercrime reaches €5 trillion annually. Disruptions like ransomware, data center outages, or human error can paralyze core services and affect entire markets.

    DORA aims to prevent this. Insurance companies must have contingency plans, strong safeguards, and incident response procedures. As a result, both financial stability and customer trust are strengthened.

    Key DORA requirements for insurance companies

    DORA imposes a set of obligations aimed at improving digital resilience. Here are the most important areas:

    Insurance companies must implement a comprehensive ICT risk management system, integrated into the overall enterprise risk framework. This includes security policies and procedures, clearly defined roles and responsibilities (involving top management), regular risk assessments, and mitigation plans. Senior executives must be directly engaged and regularly approve the strategy, allocate resources, and build a culture of cybersecurity awareness.

    Insurance companies are required to classify, manage, and report ICT incidents. Major events – such as data breaches, ransomware attacks, or system failures – must be reported to the national authority (in Poland, this is the KNF). A preliminary report is due within 24 hours, followed by updates and a final report. Internal tools must ensure rapid alerts to both leadership and the regulator. For example: if ransomware encrypts data and disrupts services, the company must notify the KNF within one day and take corrective actions.


    DORA requires cyclical security and resilience testing. Insurers must conduct penetration tests, vulnerability scans, simulation exercises, and business continuity tests. Larger organizations must also undergo TLPT (Threat-Led Penetration Testing) by independent experts every three years. Test results should be documented and used to improve security procedures.

    If an insurer uses external ICT providers (e.g. cloud services, data center outsourcing), it must manage these risks proactively. DORA requires contract registers, due diligence, and regular risk assessments of each critical provider. Contracts must include clauses on security, incident reporting, continuity, testing, and audit rights. Companies must also have exit strategies in place for critical services. Large providers may be classified as Critical Third-Party Providers (CTPP) and subject to EU-level supervision – in such cases, insurers must provide additional documentation to regulators.

    DORA mandates Business Continuity Plans (BCP) and Disaster Recovery (DR) plans. These plans should address possible scenarios such as long-term system failures or large-scale data breaches. Companies must test and update these plans regularly to ensure fast service recovery.

    While not mandatory, DORA encourages institutions to share information on cyber threats. Participating in networks like ISACs can help insurers react faster and learn from others. If they do, they must inform regulators and ensure confidentiality in data exchange.


    Non-compliance with DORA: what are the risks?

    Failing to comply with DORA can lead to serious legal and financial consequences. Regulators have strong tools to enforce compliance:

    • Fines: Up to €10 million or 2% of global turnover for standard violations. For the most severe breaches: up to €20 million or 4% of turnover.
    • Executive liability: Fines up to €1 million can be imposed on board members or senior managers. In extreme cases, they can be banned from holding leadership roles in the sector.
    • Supervisory actions: Authorities may issue binding orders or suspend operations until compliance is restored. They can also block cooperation with high-risk ICT providers.
    • Public disclosure: Names of non-compliant companies are made public, leading to reputational damage, customer loss, and media scrutiny.

    Strengthen your digital resilience today

    For insurers, DORA is both a challenge and an opportunity. Yes, it requires investment in security, policies, and training. But it also delivers stronger operational resilience – an invaluable asset in a world of growing cyber threats.

    Management should see DORA not just as a legal obligation, but as a chance to modernize IT governance and improve risk oversight. Proactive insurers will gain a competitive edge.

    If you need guidance on how to implement DORA in your insurance company, contact the Wizards team. Our experts will support you in gap analysis, action planning, and implementation. With Wizards, you’ll meet regulatory requirements faster and gain measurable security benefits.

    Let’s work together to build your digital resilience.