17 January 2025 is the date EU Regulation 2022/2554 on digital operational resilience (DORA) became fully applicable for banks, insurers and financial-market operators in the Union. With the application date behind them, Italian insurers are completing the operational consolidation of the required processes. This article describes what has actually changed in day-to-day ICT-risk management for a mid-sized insurer and what concrete evidence IVASS expects during an inspection.
Context: why DORA, why now
Before DORA, EU regulation on financial-sector ICT resilience was fragmented: EBA outsourcing guidelines (2019), EIOPA cybersecurity guidelines (2020), ESMA cloud guidelines (2021), plus national rules (in Italy: IVASS Reg. 38/2018 on corporate governance, Reg. 24/2018 for surety, IVASS 2019 Communication on cloud). Every authority asked similar things but in different languages and formats.
DORA replaces this stratification with a single harmonised framework that is directly applicable (a regulation, not a directive, so no national transposition is needed). For Italian insurers the change was not replacing existing processes but reorganising them under the five DORA categories, in EU-standardised language and formats.
The five DORA pillars in practice
1. ICT risk management framework (art. 5-15)
Documented ICT-risk management framework with: governance (Board responsibility, CISO/security officer role), ICT asset identification and classification, business impact analysis, protection policies (access, encryption, vulnerabilities), backup and tested disaster recovery. It is the "umbrella" holding everything together. For those coming from IVASS Reg. 38/2018, much is existing material to be re-categorised into DORA chapters.
2. Incident reporting (art. 17-23)
Technical classification of ICT incidents per EU RTS 2024/1772 criteria (duration, geographic spread, data losses, service criticality, reputational impact, etc.) and mandatory notification to IVASS of "major incidents" within precise time-frames. See dedicated section below.
3. Resilience testing (art. 24-27)
Annual resilience-testing programme proportionate to size: penetration tests, vulnerability assessments, scenario-based testing of business continuity, end-to-end testing of disaster-recovery plans. Significant insurers have the additional obligation of TLPT (Threat-Led Penetration Testing), an advanced red-team exercise aligned with the TIBER-EU framework, to be run at least every three years.
4. Third-party risk (art. 28-44)
Register of all ICT providers (not only "outsourcings" in the strict sense), concentration-risk assessment, tested exit strategies, continuous monitoring. "Critical ICT third-party providers" can be designated directly by the ESAs (EBA, EIOPA, ESMA) for EU-level oversight — currently designation concerns very few hyperscalers; it will extend in coming years.
5. Information sharing (art. 45)
Participation (optional but encouraged) in cyber-threat information sharing among financial operators. For Italian insurers the reference is CERTFin (at ABI Lab) and ENISA at EU level.
The third-party register: what's inside, in what format
The register is probably the most recurrent evidence in DORA inspections. The structure is standardised by EU Regulation 2024/2956 (RT ESA — Register Template): every entry contains 14 sections with provider registry data, service description, criticality, substitutability level, country of execution, sub-outsourcing if any, SLA, DORA contractual conditions, audit rights.
For a mid-sized insurer the typical register includes 40-80 entries: PAS (policy administration system) provider (e.g. NewPicass 14.Net), cloud provider (AWS, Azure, Google Cloud), email and collaboration software (Microsoft 365), CRM, actuarial and reinsurance systems, electronic-signature gateway, AgID digital preserver, antifraud provider, credit-rating systems (Cerved, CRIF), SEPA payment gateway, and so on.
The PAS is almost always classified as an "ICT provider supporting critical or important functions" (policy operations, claims, technical accounting). It goes in the register with a detailed description, concentration-risk assessment, documented exit strategy (how long it takes to replace the PAS and how it is done), and contractual audit rights. The DORA minimum contractual conditions (art. 30) are stringent: for services supporting critical or important functions the PAS vendor must grant unrestricted rights of access, inspection and audit to the competent authority (IVASS) and not only to the insurer client or its appointed auditor.
Incident reporting: what, to whom, how fast
Not all incidents have to be reported. "Major" classification is based on 7 criteria from EU RTS 2024/1772, each with quantitative thresholds: clients, counterparts and transactions affected; reputational impact; duration and service downtime; geographic spread; data losses; critical services affected; economic impact. As a first approximation, thresholds must be exceeded on at least 2 of the 7 criteria. The actual rule in art. 8 of the RTS is more articulated: the incident must have affected critical services, and in addition either involve malicious unauthorised access that may result in data losses or exceed the thresholds of at least two of the other criteria.
For incidents classified as major:
- Initial notification within 4 hours of classification as major, and in any case no later than 24 hours from the moment the insurer became aware of the incident, via the dedicated IVASS portal.
- Intermediate report within 72 hours of the initial notification, with additional details (causes under investigation, estimated impact, mitigation actions).
- Final report within 1 month of the intermediate report, with full root-cause analysis, actual impact, lessons learned and framework improvements.
Significant cyber threats (even if not resulting in an actual incident) can be notified on a voluntary basis. Advantage: you enter an information-sharing flow with peers and authorities that often returns useful intel quickly.
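The decision rule and the reporting clock above are easy to get wrong under pressure, so they are worth encoding in the incident-handling tooling. The Python below is an added example, not code from the original article or from any vendor named on this page: it implements the art. 8 structure of RTS 2024/1772 (critical services affected, plus either malicious unauthorised access or at least two other criteria over threshold) and computes the three DORA deadlines, including the case where late classification makes the 24-hour cap bind. The criterion names, the sample incidents and their timestamps are constructed for illustration; the numeric thresholds behind each criterion are assumed to be evaluated upstream and are not reproduced here.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The six classification criteria other than "critical services affected".
# Names are this example's own labels, not identifiers from the RTS.
OTHER_CRITERIA = frozenset({
    "clients_counterparts_transactions",
    "reputational_impact",
    "duration_and_downtime",
    "geographical_spread",
    "data_losses",
    "economic_impact",
})


@dataclass
class IncidentAssessment:
    """Result of the upstream threshold checks for one ICT incident."""
    detected_at: datetime                # moment the insurer became aware
    classified_at: datetime              # moment the 'major' decision was taken
    critical_services_affected: bool
    malicious_unauthorised_access: bool  # access that may result in data losses
    other_criteria_met: frozenset[str] = frozenset()  # thresholds exceeded


def is_major(a: IncidentAssessment) -> bool:
    """Art. 8 rule: major only if critical services were affected AND
    (malicious unauthorised access occurred OR at least two other criteria
    exceeded their thresholds). Without the critical-services condition the
    incident stays in the internal log regardless of the other criteria."""
    unknown = a.other_criteria_met - OTHER_CRITERIA
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    if not a.critical_services_affected:
        return False
    return a.malicious_unauthorised_access or len(a.other_criteria_met) >= 2


def _plus_one_month(ts: datetime) -> datetime:
    """Same day next calendar month, clamping the day (31 Jan -> 28/29 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def reporting_deadlines(a: IncidentAssessment) -> dict[str, datetime]:
    """Worst-case regulatory clock for a major incident.

    initial:      4 h from classification, capped at 24 h from awareness
    intermediate: 72 h from the initial notification
    final:        1 month from the intermediate report
    Each later deadline is computed from the *due* time of the previous
    report; filing earlier only shortens the chain.
    """
    if not is_major(a):
        raise ValueError("no reporting obligation for non-major incidents")
    initial = min(a.classified_at + timedelta(hours=4),
                  a.detected_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    return {"initial": initial,
            "intermediate": intermediate,
            "final": _plus_one_month(intermediate)}


UTC = timezone.utc
# Constructed sample: prompt classification, the 4 h clock binds.
PROMPT = IncidentAssessment(
    detected_at=datetime(2025, 3, 1, 8, 0, tzinfo=UTC),
    classified_at=datetime(2025, 3, 1, 10, 30, tzinfo=UTC),
    critical_services_affected=True,
    malicious_unauthorised_access=False,
    other_criteria_met=frozenset({"duration_and_downtime", "data_losses"}),
)
# Constructed sample: classified 28 h after awareness, so the 24 h cap has
# already expired and the initial notification is overdue on classification.
LATE = IncidentAssessment(
    detected_at=datetime(2025, 3, 1, 8, 0, tzinfo=UTC),
    classified_at=datetime(2025, 3, 2, 12, 0, tzinfo=UTC),
    critical_services_affected=True,
    malicious_unauthorised_access=True,
)
# Constructed sample: three thresholds exceeded but no critical service hit.
NON_CRITICAL = IncidentAssessment(
    detected_at=datetime(2025, 3, 1, 8, 0, tzinfo=UTC),
    classified_at=datetime(2025, 3, 1, 9, 0, tzinfo=UTC),
    critical_services_affected=False,
    malicious_unauthorised_access=False,
    other_criteria_met=frozenset({"clients_counterparts_transactions",
                                  "geographical_spread", "economic_impact"}),
)

if __name__ == "__main__":
    for name, a in (("prompt", PROMPT), ("late", LATE), ("non_critical", NON_CRITICAL)):
        print(name, "major" if is_major(a) else "not major")
        if is_major(a):
            for report, due in reporting_deadlines(a).items():
                print(f"  {report:<12} due {due.isoformat()}")
```

The `LATE` sample is the one to watch in a real SOC: if the classification meeting slips past 24 hours from awareness, the computed initial deadline is already in the past, which is exactly the situation the internal procedure should be designed to prevent.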
What changes if you use a cloud PAS
Those using a cloud PAS (both multi-tenant SaaS like NewPicass 14.Net and private cloud) under DORA have specific additional responsibilities:
- Enhanced due diligence. Assessment of the PAS provider + underlying cloud provider (if different): ISO 27001, SOC 2 audits, AgID attestations, cybersecurity certifications, recent penetration-test evidence.
- Concentration risk. If the underlying cloud provider (e.g. AWS) also hosts other critical insurer services, there is a concentration to monitor. The regulation does not forbid concentration but requires awareness and mitigations (e.g. multi-region deploy, exit plan).
- Continuous monitoring. Declared vs actual SLA, proactive alerts on performance degradation, availability KPI dashboards.
- Tested exit strategy. Knowing in the abstract that you can change PAS is not enough: you need to have executed (or at least simulated) a full data extraction, assessed real migration time, identified alternative market providers.
What to have ready for a DORA inspection
IVASS inspections under DORA are standardising on a set of evidence packs requested at inspection opening:
- ICT risk management framework documented, dated, Board-approved. Includes security policies, governance scheme, role/responsibility mapping.
- Asset inventory and business impact analysis: systems → business processes → criticality (RTO/RPO) mapping.
- Third-party register in RT ESA format up to date (latest ESA transmission), with focus on critical providers.
- Incident log for the last 12 months with applied classification, evidence of notifications made (or reasoning for non-notification).
- Test plan for the current year, evidence of the latest executed test (penetration test, BCP test, DR test), action plan from findings.
Missing one of these five already makes the position difficult; missing two or more exposes you to formal findings and possible sanctions. These materials are structural and cannot be produced overnight, but insurers that completed their setup in 2024 have by now consolidated them as part of normal compliance operations.
Frequently asked questions
Does DORA apply to small insurers or only the large ones?
DORA applies to EU insurance and reinsurance undertakings of every size that fall within Solvency II; undertakings excluded from Solvency II under its art. 4 size thresholds are also outside DORA (DORA art. 2(3)(c)). For everyone in scope a proportionality principle applies: technical obligations scale with ICT-risk complexity, and small and non-complex undertakings may adopt the simplified ICT risk management framework of art. 16. Small insurers therefore see significant simplifications on TLPT, third-party register management and test frequency. Proportionality does not reduce the substantive duties (ICT risk framework, incident reporting, governance) but adapts how they are implemented.
Do I have to report ALL ICT incidents to IVASS?
No, only those classified as 'major' per the EBA/EIOPA/ESMA technical criteria of EU RTS 2024/1772. Classification is based on 7 criteria (clients and transactions affected, duration and downtime, geographic spread, data losses, critical services affected, economic impact, reputational impact) with quantitative thresholds. Minor incidents stay in internal logs; major incidents are notified to IVASS within 4 hours of classification (and no later than 24 hours from awareness), with an intermediate report within 72 hours of the initial notification and a final report within 1 month of the intermediate report.
Is my cloud PAS provider considered a 'critical third-party'?
It depends. Criticality is the insurer's own assessment: the PAS is normally an ICT provider 'supporting essential or important functions'. It goes in the third-party register and — if the insurer deems it critical — applies enhanced requirements (concentration risk assessment, tested exit strategy, continuous SLA monitoring). European authorities maintain an EU register of 'critical ICT third-party service providers' that can be designated at supranational level (currently limited to very few hyperscale providers).
What does it really take to pass a DORA inspection from IVASS?
DORA inspections substantially verify 5 evidence packs: (1) documented ICT risk management framework with clear responsibilities, (2) ICT asset catalogue and mapped business processes, (3) updated third-party register reported in ESA format, (4) incident policy + log with applied classification, (5) resilience testing plans with results of the latest executed test. Without these five, demonstrating compliance is practically impossible.
Does DORA change anything compared to the pre-existing IVASS Reg. 38/2018?
Yes, quite a bit. Reg. 38/2018 and IVASS outsourcing guidelines (transposing EBA Guidelines 2019) covered part of DORA's scope (outsourcing, data security, BCP), but DORA is more systemic and prescriptive: introduces TLPT (advanced red-team-like penetration tests), centralised EU-level incident reporting, third-party register in standardised format (RT ESA), direct ESA oversight on critical providers. Insurers must align existing frameworks, not rebuild from scratch.
When do I have to execute TLPT (Threat-Led Penetration Test)?
Only significant insurers (typically: systemically important undertakings or those with high exposure on critical ICT services) are subject to mandatory TLPT, with minimum triennial cadence. Smaller insurers remain required to run resilience-testing programmes scaled to their complexity — classic penetration tests, vulnerability assessment, scenario-based testing — but not formal TIBER-EU TLPT.