DORA for Insurance & Reinsurance Undertakings
Insurance and reinsurance undertakings, and certain insurance intermediaries, are within DORA's scope under Article 2. They must implement the ICT risk-management framework, classify and report major ICT incidents, test operational resilience, and manage ICT third-party risk, supervised by EIOPA and national authorities. DORA has applied since 17 January 2025.
Who exactly is covered
DORA covers insurance and reinsurance undertakings under Solvency II, and insurance, reinsurance and ancillary insurance intermediaries, with an exemption for intermediaries that are microenterprises or small/medium enterprises meeting the regulation's criteria.
What bites hardest
- Consolidating ICT and outsourcing governance under one framework.
- Building the register of information across a typically long tail of ICT vendors.
- Harmonised incident reporting, replacing sector-specific practices.
Proportionality for intermediaries
Smaller intermediaries benefit from exemptions and a simplified ICT risk-management framework. Larger insurers should expect full application. Use the readiness score to gauge your gaps.
Frequently asked questions
Are insurance intermediaries in scope of DORA?
Many are, but microenterprises and qualifying small/medium intermediaries are exempt under Article 2(3).
Which authority supervises DORA for insurers?
National competent authorities, with EIOPA as the relevant European Supervisory Authority for the insurance sector.
Does DORA replace Solvency II ICT expectations?
DORA sets the directly applicable ICT resilience rules; it operates alongside Solvency II governance and risk-management requirements.