DORA in insurance: Lean implementation, clear priorities

This white paper was contributed by Dea Dubovci and Mischa Pupashenko from Cominia Aktuarielle Services; a German-language PDF version is available for download.
With the EU's Digital Operational Resilience Act (DORA) in force since 17 January 2025, a new regulatory era has begun for banks, insurers, and financial service providers. The aim is to establish a uniform, EU-wide framework for digital operational resilience – that is, the ability to remain functional despite cyberattacks, system failures, or third-party outages.
For German insurers, DORA means not only a tightening of existing IT requirements but also the de facto phasing out of VAIT (Supervisory Requirements for IT in Insurance Undertakings), which BaFin established in the context of Solvency II. With DORA, directly applicable EU law now takes center stage, affecting not only IT departments but the entire company – especially the risk management and actuarial functions. A holistic risk management approach is crucial for sustainable DORA implementation. It must involve all relevant areas and break down silo thinking.
The shift to European regulation doesn't happen automatically – it requires proactive action. Even companies that are still in the early stages of implementation now have the opportunity to catch up swiftly and gain both regulatory and operational certainty.
From VAIT to DORA: What’s New?
DORA builds on existing standards such as VAIT, MaRisk (Minimum Requirements for Risk Management), and EIOPA's ICT Guidelines but goes significantly further. The requirements for:
- ICT risk management,
- Handling, classifying, and reporting ICT-related incidents,
- Managing ICT third-party risks, and
- Testing digital operational resilience
are not only more specific, but now legally binding and harmonized at EU level.
Crucially, DORA applies not only to traditional IT systems but to all ICT services, including shadow IT and decentralized in-house developments – especially EUC applications (End-User Computing tools), which are commonly used in risk management and actuarial functions.
Gap Analysis as a Pragmatic Starting Point
Many insurers have already documented IT processes under Solvency II and VAIT, including for EUC tools. Nonetheless, it is recommended to start the DORA implementation with a focused gap analysis comparing current practices with the core DORA requirements. This helps identify weaknesses early and derive targeted, prioritized actions. Key aspects to assess include:
- Methodology for identifying critical processes and ICT services
- Establishment of a board-approved ICT risk management framework
- Documentation of outsourcing and third-party relationships, especially the information register
- Business continuity components such as emergency planning and recovery testing
- Reporting processes for major ICT incidents (internal and external)
For risk management, actuarial teams, and IT, this means: identify gaps early, establish governance, assess risks, and create documentation. Now is the time for strategic positioning.
EUC in Use: Expanded Obligations, Tighter Controls
There is particularly strong pressure to act in risk management and actuarial departments. The EUC tools used there – such as Excel tools, Access databases, or self-developed scripts – are often critical for reserve calculations, Solvency II, pricing, and regulatory financial reporting. Although risk management structures generally exist, in practice many EUC tools are still not integrated into a formalized risk management framework. This presents an opportunity to close gaps in documentation, testing, and auditability, thereby strengthening operational resilience.
Under DORA, RTS Risk Management (Art. 16(9)) eliminates the previous VAIT special treatment of EUC and puts in-house EUC tools and purchased standard software on an equal regulatory footing.
As a result, all EUC applications developed outside the IT function, including those in business departments, are now subject to the same strict audit and documentation obligations as central IT systems.
DORA introduces, for the first time, binding, comprehensive requirements for the secure use of EUC tools – far beyond what VAIT required: All EUC solutions must be thoroughly inventoried, documented, and subjected to complete lifecycle management. This includes mandatory source code reviews, regular vulnerability management, consistent tracking of actions, and a general requirement to refrain from using production data in test and development environments. Third-party and open-source components must also be reviewed and documented before use.
In June 2024, BaFin already highlighted in its supervisory statement “Notes on Implementing DORA in ICT Risk and Third-Party Risk Management” that the previous “special treatment of EUC” would be abolished. This means all in-house solutions will now face more extensive and stricter audits. Business applications will be subject to the same standards as central IT systems, significantly increasing the compliance burden for self-developed tools.
DORA puts EUC tools in the spotlight – they must now be assessed, secured, and governed like any other ICT system. Companies failing to establish a consistent EUC governance system risk regulatory sanctions and significant operational risks.
Streamlined Implementation: Focus on Value, Not Formalism
DORA shifts the focus to the actual effectiveness of measures. The key is to allocate resources strategically to address the material risks – not to get lost in excessive documentation. A risk-based, pragmatic approach should include:
Criticality as a steering factor: Rather than applying full documentation requirements to every non-critical application, companies should focus on those essential to business continuity, regulatory reporting, or key customer processes. For instance, an actuarial core system for reserves may require full risk analysis, including source code review and regular audits. By contrast, an internal analysis tool might be managed with a lean standard process.
Gradual standardization: Introducing uniform, lean templates for risk analyses, outsourcing contracts, and EUC documentation enables efficient and consistent processing. A well-structured EUC risk analysis questionnaire that can be directly used in business departments is a practical tool to reduce effort and ensure compliance.
Leveraging synergies: Many DORA requirements can be smoothly integrated into existing management systems such as Risk Management (Solvency II, MaRisk, ISO 31000), Information Security Management (ISO 27001), or Business Continuity Management (ISO 22301). Existing emergency tests can be extended to include DORA-relevant ICT scenarios without building parallel structures. A holistic risk management approach is key, integrating all areas of the organization and eliminating silos.
Practical exception rules: Even under DORA, the use of production data in test environments is possible – but only through a formal, traceable approval process. A digital approval workflow, e.g., via a ticket system, can offer a simple and effective solution here.
From Regulatory Pressure to Opportunity: Using DORA to Gain Competitive Advantage
DORA is no longer just a future issue – it’s the present. It also offers the opportunity to identify operational weaknesses, standardize processes, and raise enterprise-wide risk awareness.
A lean, risk-oriented implementation of DORA focuses on actual risk mitigation and sustainable resilience building. What matters is that the measures have practical impact – not that they devolve into bureaucratic formalism.
Contact the Authors
Dea Dubovci
Senior Consultant
Risk Management Division
dea.dubovci@cominia.de
+49 152 09502056
Dr Mischa Pupashenko
Principal & Head of Risk Management Division
mischa.pupashenko@cominia.de
+49 152 08437644
Sources
- BaFin information page: "DORA".
- BaFin publication (2024): Aufsichtsmitteilung Umsetzungshinweise DORA (supervisory statement with notes on implementing DORA).
- BaFin publication (2025): Änderungen bei den aufsichtlichen Anforderungen an die IT (changes to the supervisory requirements for IT).
- BaFin publication (2025): Vorbereitung auf DORA: "Zacken zugelegt" (preparing for DORA).
- Digital Operational Resilience Act (DORA) | Updates, Compliance, Training.
- EIOPA ICT Guidelines: Guidelines on information and communication technology (ICT) and security risks for insurance undertakings.
- ISO 22301:2019: Security and resilience – Business continuity management systems – Requirements.
- ISO 31000:2018: Risk management – Guidelines.
- ISO/IEC 27001:2022: Information technology – Security techniques – Information security management systems – Requirements.
- MaRisk: Mindestanforderungen an das Risikomanagement (Minimum Requirements for Risk Management), BaFin Circular 10/2021 (BA) of 29 June 2021.
- Directive 2009/138/EC (Solvency II): Directive of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of insurance and reinsurance.
- VAIT: Versicherungsaufsichtliche Anforderungen an die IT (Supervisory Requirements for IT in Insurance Undertakings), BaFin Circular 10/2018 (VAIT).
- Regulation (EU) 2022/2554: Regulation of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA), Official Journal of the EU, L 333/1.