DORA Opened the Door to Insurance Transformation  | Sapiens


When the Digital Operational Resilience Act (DORA) began to apply on 17 January 2025, it didn’t just impose another layer of compliance – DORA opened the door to transformation.

DORA represents an opportunity for insurers to turn regulatory pressure into progress: to modernise technology governance, strengthen cyber resilience, and build greater trust with customers and regulators.  

Almost a year on, the industry is beginning to see how embedding digital resilience can create strategic advantages far beyond the compliance checkbox. 

This blog post explores:  

  • Where implementation is still falling short 
  • How leading insurers are moving from mere compliance to true digital resilience 
  • Why management must get involved 
  • How Sapiens can help 

What DORA Really Means for Insurers – Brief Overview  

Our previous blog post on DORA offers a solid overview.  

DORA, formally Regulation (EU) 2022/2554, was designed to bring consistency and accountability to how financial entities, including insurers and reinsurers, manage ICT risk. Its purpose is to ensure that firms can withstand, respond to, and recover from operational disruptions caused by technology failures, cyberattacks, or third-party dependencies. For insurers, this has redefined what it means to be “resilient” in the digital age.

Rather than focusing solely on data protection or cybersecurity, DORA demands a holistic approach – connecting technology governance with business continuity, vendor management, and strategic decision-making. It puts operational resilience at the same level of importance as financial solvency, signalling that technological risk is now business risk. 

The regulation also extends beyond the insurer’s walls. DORA holds insurers accountable for their third-party ICT service providers, including cloud platforms and fintech partners, and makes clear that outsourcing an ICT service never outsources the responsibility for it. This shift has driven many insurers to rethink outsourcing models, tighten contractual controls, and strengthen collaboration between compliance, IT, and procurement teams.

Where Insurers Still Struggle – 3 Challenges  

Despite notable progress, many insurers are still grappling with the scale and complexity of DORA compliance. A recurring challenge lies in integrating ICT risk management across the entire organisation. Too often, resilience remains confined to IT or cybersecurity teams, when DORA expects it to be part of enterprise risk management and strategic planning. 

Data and documentation gaps are another persistent issue. Insurers may have implemented controls, but without comprehensive documentation, testing evidence, or audit trails, it is difficult to demonstrate compliance to supervisors. Boards, too, often lack access to actionable metrics on digital resilience, which limits their ability to exercise oversight effectively. 

Third-party risk oversight continues to test even mature insurers. Many are discovering hidden dependencies within their technology ecosystems, or realising that existing supplier contracts fall short of DORA standards. As supervisory scrutiny increases, insurers will need to ensure that oversight mechanisms are as strong as the controls they apply internally. 

Beyond Compliance: The Opportunity Ahead 

As the end of the first year of DORA approaches, the conversation is shifting from compliance to opportunity. Insurers that approached DORA as a catalyst for innovation are already seeing tangible benefits. Strengthened resilience frameworks are driving operational efficiency, reducing downtime, and enhancing customer trust.

Greater visibility into third-party relationships is improving risk transparency and supplier performance. 

Some insurers are also using DORA to modernise legacy systems and governance models. By aligning resilience testing with transformation programs, they are achieving both regulatory assurance and digital agility. Others are leveraging DORA’s emphasis on threat intelligence to enhance cross-industry collaboration and build more proactive cybersecurity cultures. 

Ultimately, DORA offers insurers an opportunity to lead by example. Those who embed digital operational resilience into their organisational DNA will not only meet regulatory expectations, but also position themselves as trusted, adaptable, and future-ready players in an increasingly digital market. 

What DORA Means for Management 

For leadership teams, DORA has become a catalyst for better governance. The regulation places ultimate responsibility for ICT risk management on the management body, so boards and executives are now expected to take direct ownership of ICT risk and resilience, ensuring that these are embedded in corporate strategy rather than treated as operational afterthoughts.

The regulation has elevated digital resilience to a board-level agenda item – one that demands visibility, accountability, and investment. 

Senior management must now oversee a comprehensive ICT risk management framework that aligns technology controls with business objectives. This includes mapping critical and important functions, identifying key dependencies, and assessing the potential impact of disruptions on customers and the wider market.  

Many insurers are using this as a chance to clarify their resilience priorities, streamline oversight, and strengthen cross-functional collaboration. 

Third-party management remains one of the most complex aspects of DORA. Insurers must maintain a detailed register of information on all contractual arrangements with ICT service providers, evaluate those providers’ resilience posture, and ensure contracts include robust provisions for audit and access rights, incident reporting, service levels, and exit strategies. Arrangements that support critical or important functions attract the most demanding requirements. This has prompted many firms to improve supplier governance and invest in integrated risk monitoring tools.

Incident management and reporting requirements have also reshaped internal processes. Insurers are developing faster, clearer escalation paths and establishing reporting channels that meet DORA’s strict regulatory timelines: for a major ICT-related incident, an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month. Meeting those deadlines depends on having incident classification criteria agreed in advance, not worked out during the incident. Likewise, regular resilience testing, from disaster recovery exercises to threat-led penetration testing (required at least every three years for the entities in scope for it), has become a core element of operational strategy.

Sapiens Can Help! 

Nearly a year after DORA came into effect, insurers are discovering that compliance is not the end goal; it’s the starting point for lasting resilience. The regulation has redefined what good looks like in digital operations, governance, and customer protection. But its greatest value lies in its potential to drive cultural change, encouraging insurers to view operational resilience as a competitive advantage rather than a compliance burden.

By moving from reactive compliance to proactive confidence, insurers can transform DORA into a foundation for long-term success. 

Leading software providers like Sapiens empower insurers with a proven, cloud-based platform that’s robust, secure, and scalable. A platform with documented controls, testing evidence, and clear incident-reporting commitments supports an insurer’s DORA obligations, and it is also critical for achieving operational efficiency of the highest calibre, reducing costs and risks, and securing a competitive advantage.

DORA is driving insurers to consolidate IT outsourcing with trusted partners like Sapiens that can demonstrate how data and services will be handled with the utmost care and diligence. One caveat every insurer should keep in view: DORA does not certify providers, and the insurer remains fully responsible for its obligations regardless of whom it outsources to, so a partner’s evidence of resilience complements, rather than replaces, the insurer’s own oversight. Seen this way, DORA compliance isn’t just a set of rules, but a demonstration of commitment to the highest standards of operational resilience.

Sapiens is available to answer any questions its customers may have regarding DORA, or more generally about empowering your organisation to prepare for a new era of digital operational resilience. Contact us!
