DORA in Action: Insurance and Finance Enhancing Digital Resilience
November 2025
Konstantinos Issaias, Partner, Zaphirenia Theodoraki, Senior Associate, Vasilianna Karakatsani, Associate
Kyriakides Georgopoulos Law Firm
Introduction
With the increasing dominance of digitalization in the operation of insurance and other financial institutions, Information and Communication Technology (ICT) risk has become integral to their risk profile. It is therefore unsurprising that it has drawn the attention of international, European and national regulatory authorities with a view to strengthening operational resilience. Nonetheless, divergent legislative frameworks as well as inconsistent supervisory practices across EU member states present obstacles to the effective functioning of the EU internal financial market.
To reduce regulatory complexity, the EU adopted the Digital Operational Resilience Act (DORA) [Regulation (EU) 2022/2554], harmonizing regulatory requirements to enhance digital operational resilience in the financial sector. DORA aims to ensure that, while dependency on technology is increasing, financial entities can withstand, respond to, and recover from ICT-related disruptions and cyber threats, and achieve a higher level of protection for both investors and consumers across the Union.
DORA comes to complement other regulatory initiatives addressing cybersecurity and digital resilience, this time exclusively concerning the sector of Finance.
NIS2 [Directive (EU) 2022/2555], in particular, applies to 18 critical sectors essential to the functioning of society and the economy, including energy, transport, healthcare, water supply, digital infrastructures and finance (for more details on NIS2 please see here).
DORA constitutes lex specialis for the financial sector in comparison with the NIS2, which has a broader scope. In the event of a conflict between regulatory frameworks therefore, DORA’s requirements should prevail. On the other hand, financial entities should not ignore the more general requirements of NIS2.
Compliance with the provisions and requirements of DORA is to be achieved by January 17, 2025.
The Regulation
Scope
DORA applies to a wide range of regulated institutions and entities across the EU financial sector (“financial entities”). Among them, insurance and reinsurance companies and insurance intermediaries, credit institutions, investment firms, payment and e-money institutions, capital management companies, rating agencies, as well as providers of crypto-asset services and crowdfunding service providers.
In addition, DORA applies to entities providing ICT services throughout the EU financial sector (“ICT third-party service providers”) including providers of cloud services, software and data centres, even if they are situated outside the EU.
Exclusions
The applicability of DORA is subject to the principle of proportionality, considering the size, activity and the overall risk profile of each financial entity. Microenterprises, in particular, will benefit from a proportionate application of DORA’s requirements, reflecting their reduced scale and risk. For the purposes of DORA, “microenterprises” are financial entities, excluding trading venues, central counterparties, trade repositories or central securities depositories, that employ fewer than 10 persons with an annual turnover and/or annual balance sheet total not exceeding EUR 2 million.
For the implementation of DORA, a number of secondary delegated regulations and technical standards have already been issued by the Commission and the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), while others are in the process of being released.
Pillars
In order to achieve a high common level of digital operational resilience, the Regulation lays down uniform requirements concerning the security of network and information systems used by financial entities.
The Regulation is structured around five (5) pillars. These are the following:
1. ICT risk management
Financial entities are required to establish, under the responsibility of their management bodies, a comprehensive and well documented ICT risk management framework, including a digital operational resilience strategy, detailing the implementation approach.
In this context, the financial entities shall:
- use and maintain updated ICT systems, protocols and tools;
- identify, classify and adequately document all ICT-supported functions and assets;
- continuously monitor and control the security and operation of ICT systems and tools to establish protection and prevention measures;
- establish mechanisms to promptly detect anomalous activities;
- implement a comprehensive ICT business continuity policy and associated ICT recovery plans;
- develop backup policies and procedures, as well as restoration and recovery procedures and methods;
- establish mechanisms to learn and evolve from ICT-related incidents; and
- develop crisis communication plans to disclose major ICT-related incidents or vulnerabilities to clients, counterparts and the public.
2. ICT-related incident management, classification & reporting
Financial entities are required to adopt processes in order to:
- record all ICT-related incidents and significant cyber threats;
- classify ICT-related incidents and cyber threats, assessing their impact based on specific criteria established in DORA; and
- report ICT-related incidents classified as major to the relevant competent authority.
Three different types of report shall be submitted to the competent authority and more specifically:
- an initial notification;
- an intermediate report once significant updates are available or upon specific request of the competent authority; and
- a final report upon completion of the root cause analysis.
3. Digital operational resilience testing
Financial entities are required to establish a comprehensive digital operational resilience testing programme to properly monitor the effectiveness of the resilience strategy. In this context, a set of appropriate tests, including a range of assessments, analyses, tests and examinations, shall be undertaken by an independent party, whether internal or external. In addition, significant financial entities will be required to carry out advanced testing in the form of threat-led penetration testing (TLPT).
4. Management of ICT third-party risk
As a fundamental aspect of their ICT risk management framework, financial entities are required to establish a strategy on ICT third-party risk. In this regard, financial entities will only be permitted to enter into contractual arrangements with ICT third-party service providers who comply with the relevant information security standards outlined in DORA, whilst keeping a register of data pertaining to all associated contractual arrangements. Additionally, DORA defines specific components that shall be included in a contractual arrangement between a financial entity and an ICT third-party service provider.
5. Information-sharing arrangements
On a voluntary basis, DORA encourages financial entities to exchange cyber threat information and intelligence among themselves, provided that the sensitivity of shared information is respected in accordance with applicable confidentiality rules and personal data protection principles.
Assessment – final remarks
DORA marks a significant step forward in enhancing digital resilience within the financial sector. As the compliance deadline approaches, financial entities need to make strengthening their IT security a top priority. Its application has also been assigned by the Regulation at the top level (senior management and boards of directors are made directly responsible for digital resilience strategies). Financial entities have undertaken due diligence and gap analyses to thoroughly gauge their digital structures.
Impact on the Insurance sector, in particular
Traditional financial entities, such as banks, investment firms, and asset managers, are already subject to rigorous regulatory standards and the application of DORA may be considered as only raising the bar further for them by requiring an integrated approach to digital resilience.
The insurance industry (including insurers, reinsurers, and intermediaries), on the other hand, has not adopted digital technology at the same pace as banking, while it faces unique challenges due to its reliance on sensitive customer data and long-term policy commitments. It is expected that, as the requirements of the Regulation are specific and demanding, they will force the insurance industry to streamline its relevant functions, thus bringing them to a level analogous to that of banking, which has traditionally been more mature in this area.
Discussion
As with every legislative effort, discussions have started in respect of the proper application of DORA. These include the actual purview of the Regulation based on the principle of proportionality (see above).
EIOPA Opinion – smaller insurance companies
EIOPA has published on 15 November 2024 its Opinion on the scope of DORA in light of the review of the Solvency II Directive. The amended Solvency II Directive is expected to increase the size thresholds for insurance and reinsurance undertakings, potentially leading, subject to national transpositions, to a greater number of companies being excluded from the Solvency II framework or subjected to a different level of requirements. In this regard, EIOPA is calling on the European Commission to take the necessary actions to avoid requiring disproportionate compliance efforts from smaller and non-complicated insurance undertakings in the transition period prior to the application of the revised Solvency II Directive (implementation expected in 2026).
Insurance intermediaries
Similarly, national initiatives have taken place in certain EU member states for the exclusion of smaller insurance intermediaries (e.g. those with fewer than a certain number of employees) in order to reduce administrative burdens.
Third-party service providers
The exact ambit of third-party service providers has also generated discussions, in particular regarding the necessity for a clear distinction of ICT services from regulated financial services. Technical acts of the ESAs have been issued concerning the designation of critical ICT third-party service providers by the financial entities.
While it remains to be seen how the requirements will be implemented, compliance with DORA will unquestionably enable the financial entities to improve their standing in a constantly augmenting digital environment, thereby enhancing confidence in the financial system.