DORA and insurance: what the regulation actually changes

2/24/2026

What is the DORA regulation?

DORA stands for the Digital Operational Resilience Act. It refers to European Regulation (EU) 2022/2554, published in December 2022 and entering into force on 17 January 2025. In broad terms, DORA aims to ensure that financial sector participants, including insurers and insurance intermediaries, are able to withstand, respond to and recover from any type of ICT-related incident.

Prior to DORA, digital operational resilience was governed by a patchwork of sector-specific rules that were often vague on concrete obligations. Across areas such as cybersecurity, incident management and continuity oversight, each national regulator applied its own interpretation. DORA puts an end to this fragmentation by establishing a single, unified framework of rules, directly applicable across all EU Member States.

DORA does not replace Solvency II, the IDD or GDPR. It sits alongside them, adding a new layer of specific requirements covering ICT risk, cybersecurity, reliance on technology service providers, and incident reporting. It is a complementary regulation, not a replacement.

The regulation uses the term ICT (Information and Communication Technology) to refer to all systems, tools and digital infrastructure that an organisation uses to process, store and transmit information. In practice, this covers core business software, cloud infrastructure, networks, databases, APIs and interconnections with external partners. The scope is deliberately broad: any digital tool that plays a role in the operational functioning of an insurer or broker falls within DORA's ICT perimeter.

Who does it apply to in the insurance market?

DORA has a wide scope. Within the insurance and financial services sector, the following are in scope:

  • Insurers and reinsurers subject to Solvency II
  • Insurance intermediaries whose size or premium volumes place them within the regulation's scope
  • MGAs and delegated underwriters that rely on information systems for policy administration, claims handling or client data management
  • Any management company whose operations depend on ICT systems critical to its day-to-day activities

Microenterprises (fewer than 10 employees and annual turnover below €2m) benefit from a simplified regime, but are not fully exempt. For mid-sized players, such as most MGAs and delegated underwriters, the regulation applies in its standard form. It is these firms that face the greatest operational pressure: they do not always have the resources of a major insurer, yet they are subject to the same substantive obligations.

The 5 DORA pillars you need to understand

1. ICT risk management

DORA requires the implementation of a documented ICT risk management framework, subject to regular testing and review. This framework must cover the identification of critical assets, protection, incident detection, response and recovery. Senior management is directly accountable: DORA requires governing bodies to approve the framework and monitor its implementation — this is no longer purely a technical matter, it is a governance one.

For a broker or insurer, this means in practice:

  • Mapping all critical systems (CRM, underwriting tools, policy administration platforms, client portals)
  • Defining clear procedures in the event of a system outage or cyberattack
  • Updating the framework at least annually

A portfolio management platform centralises all policy data, flows between brokers and insurers, and policy lifecycle events. This centralisation is an essential starting point for the critical asset mapping required by DORA. Brokers and insurers operating on a structured platform already have a documented, traceable and auditable foundation — a significant trust advantage with both partners and the regulator.

2. ICT-related incident management and reporting

DORA introduces a mandatory obligation to report major ICT-related incidents to the competent supervisory authority — in the UK, this would be the FCA or PRA. Timelines are strict: initial notification within 4 hours, an intermediate report within 72 hours, and a final report within one month. The definition of a "major" incident is based on specific criteria: criticality of the affected system, duration of the disruption, number of impacted clients, and volume of data compromised.

These incident scenarios are precisely the moments when internal organisation comes under the greatest strain. Incident management demands a rapid and well-documented response: which policies, which clients and which data flows are affected? A well-structured insurance platform makes it possible to answer these questions in minutes rather than hours — a decisive advantage for meeting the deadlines set by supervisory authorities. Access logs and audit trails also provide a valuable evidential record for post-incident reporting.

3. Digital operational resilience testing

DORA distinguishes between two levels of requirement:

  • Basic testing (vulnerability assessments, source code reviews, business continuity tests): mandatory for all in-scope entities
  • Threat-Led Penetration Testing (TLPT): reserved for entities designated as most critical by supervisory authorities

For the majority of MGAs and delegated underwriters, it is basic testing that applies. These tests must be documented, results analysed and remediation plans implemented. Working with a software provider that documents its continuity procedures, publishes its SLAs and submits to regular audits already addresses a significant proportion of DORA's requirements under this pillar.

4. ICT third-party risk management

This is arguably the most structurally significant pillar. DORA imposes rigorous oversight of all third-party ICT service providers: cloud providers, SaaS vendors, data centre operators. Concrete obligations include:

  • Maintaining a comprehensive and up-to-date register of all ICT third-party providers
  • Assessing their performance and ability to guarantee service continuity
  • Incorporating specific contractual clauses (audit rights, exit plans, appropriate SLAs)
  • Identifying critical or concentrated dependencies and establishing realistic exit strategies

Your policy administration solution almost certainly qualifies as a critical ICT third-party service provider. As such, the software vendor you choose must supply the documentation you need to support your DORA compliance: architecture documentation, security policy, business continuity plan and audit conditions. This is one of the criteria against which carrier partners will assess their delegated partners in the months ahead — and it should inform your technology decisions now.

5. Information and intelligence sharing

DORA encourages the sharing of cyber threat intelligence across the financial sector. The rationale is straightforward: the more the sector shares what it observes, the better placed it is to strengthen collective resilience against digital risk. A shared insurance platform used by multiple participants — insurers, MGAs, delegated underwriters — naturally creates a trusted environment conducive to this kind of intelligence sharing, without exposing confidential data.

What DORA actually changes for MGAs and delegated underwriters

MGAs and delegated underwriters face a dual compliance challenge under DORA. On one side, carrier partners will require them to demonstrate compliance — particularly around the security of shared systems, data protection and incident notification capabilities. On the other, those that have built their own technology must ensure it meets the regulation's requirements.

Consider a practical example: a delegated underwriter managing group life and protection policies for several carrier partners simultaneously uses a SaaS underwriting tool, a cloud hosting provider and a reporting platform. Each of these service providers must now be registered, assessed and governed contractually in line with DORA's requirements. This is not a formality — it is a substantive programme of work that requires rigorous organisation and clearly defined relationships with each provider.

This transformation of working practices will not happen overnight, but it is inevitable. The priority areas to address are:

  • Precise mapping of data flows between the broker, carrier partners and distribution partners
  • Systematic review of contracts with ICT service providers and hosting partners
  • Implementation of an internal process for qualifying and reporting incidents
  • Training for all teams — including non-technical staff — on the procedures to follow in incident scenarios
  • Regular documentation of compliance measures to satisfy the requirements of the supervisory authority and carrier partners

AI and DORA: an opportunity to accelerate

AI is often perceived as an additional layer of complexity in an already demanding DORA environment. In practice, the opposite is true: when properly embedded within a management platform, it becomes a genuine lever for compliance.

It enables faster detection and qualification of incidents, automates monitoring of the ICT third-party provider register, and reduces the documentation burden on compliance teams. For leaner organisations, this is often the only realistic way to meet the deadlines set by the supervisory authority without committing dedicated resource.

The key is to avoid proliferating tools: each additional solution becomes another service provider to manage under DORA. An integrated insurance platform with native AI modules addresses this challenge directly: fewer dependencies, centralised audit trails, and a simpler compliance case to make.

Where to start on the path to compliance?

DORA compliance is not insurmountable when approached methodically. Handled well, this internal transformation can become a competitive differentiator. The key steps are:

  1. Carry out a gap assessment: critical systems, ICT third-party providers, existing processes
  2. Map the gaps against the regulation's requirements, pillar by pillar
  3. Prioritise workstreams by risk level and realistic timelines
  4. Update contracts with third-party service providers to incorporate DORA-specific clauses
  5. Train teams on incident identification and escalation procedures
  6. Document each step to demonstrate compliance to the supervisory authority and carrier partners
  7. Schedule resilience testing and track remediation plans

Relying on a policy administration platform that has DORA built into its design significantly reduces the compliance burden across the most structurally demanding pillars. Visit our website to find out more.

Getting ahead of DORA

For firms that embrace it, DORA also represents an opportunity to strengthen their market position. The confidence that insurers place in their delegated partners is increasingly grounded in objective criteria of operational resilience, and DORA provides the framework for demonstrating exactly that.

DORA compliance is progressively becoming a selection criterion in RFP processes, delegated authority renewals and carrier negotiations. The first wave of enhanced supervisory scrutiny will rapidly bring the regulation's implications into sharp focus, and those who are behind will find themselves in a difficult position both with the regulator and with their partners.

This is no longer a question of "if" but "when". At Korint, we support MGAs, delegated underwriters and insurers in structuring their processes and making the most of technology tools suited to their regulatory constraints. Our platform is designed to meet DORA's requirements while remaining straightforward to use day-to-day, because we believe that compliance, properly supported by the right tools, becomes a driver of operational efficiency, not an obstacle to it.