Skip to main content
DORA Auditor

DORA for Insurance & Reinsurance Undertakings

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

Insurance and reinsurance undertakings, and certain insurance intermediaries, are within DORA's scope under Article 2. They must implement the ICT risk-management framework, classify and report major ICT incidents, test operational resilience, and manage ICT third-party risk, supervised by EIOPA and national authorities. DORA has applied since 17 January 2025.

Who exactly is covered

DORA covers insurance and reinsurance undertakings under Solvency II, and insurance, reinsurance and ancillary insurance intermediaries, with an exemption for intermediaries that are microenterprises or small/medium enterprises meeting the regulation's criteria.

What bites hardest

Proportionality for intermediaries

Smaller intermediaries benefit from exemptions and a simplified ICT risk-management framework. Larger insurers should expect full application. Use the readiness score to gauge your gaps.

Frequently asked questions

Are insurance intermediaries in scope of DORA?
Which authority supervises DORA for insurers?
Does DORA replace Solvency II ICT expectations?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. ESMA, Digital Operational Resilience Act (DORA)