DORA ICT Risk Management Framework: What Cyber Insurance Underwriters Must Know in 2026

Complete practitioner guide to the DORA ICT risk management framework for cyber insurance underwriting. Covers the 5 pillars, how they affect coverage decisions, underwriting questions for financial sector clients, and compliance deadlines.

If you underwrite cyber insurance for European financial institutions, the DORA ICT risk management framework is no longer a future consideration — it is an active compliance reality reshaping how your clients operate, report incidents, and manage third-party technology risk. Since the Digital Operational Resilience Act (DORA) became applicable on 17 January 2025, every in-scope entity has been required to demonstrate compliance with its five pillars of operational resilience.

For underwriters, DORA compliance in the financial sector represents both a risk clarification tool and a coverage challenge. Entities that have implemented DORA’s requirements rigorously present a quantifiable, testable ICT risk posture. Those that have not — or that have gaps in their third-party oversight — carry concentrated exposures that directly affect loss probability.

This guide breaks down the DORA ICT risk management framework pillar by pillar, translates each requirement into actionable underwriting intelligence, and provides the specific questions you should be asking financial sector clients in 2026.

What Is DORA? The EU Digital Operational Resilience Act Explained

The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is a landmark piece of European financial regulation that establishes a comprehensive and harmonised framework for ICT risk management across the financial sector. Adopted on 14 December 2022 and published in the Official Journal of the European Union on 27 December 2022, DORA entered into force on 16 January 2023 and became directly applicable across all EU Member States on 17 January 2025.

Unlike directives that require national transposition, DORA is a regulation. This means it applies uniformly across the EU, eliminating the regulatory fragmentation that previously allowed financial entities to face different ICT risk requirements depending on their Member State of establishment.

Why DORA Matters for Cyber Insurance Underwriting

DORA fundamentally changes the risk landscape for financial institutions in several ways that directly affect underwriting:

  • Mandated resilience testing: Entities must run a digital operational resilience testing programme, and those identified by their competent authority under Article 26 must additionally perform threat-led penetration testing (TLPT) at least every three years.
  • Third-party concentration risk: DORA requires financial entities to map, monitor, and manage ICT concentration risk from critical third-party service providers — a major loss driver in recent cyber events.
  • Standardised incident reporting: A unified classification and escalation framework reduces reporting ambiguity and creates a more consistent data trail for underwriters.
  • Board-level accountability: Senior management and management bodies bear direct responsibility for ICT risk governance, increasing organisational focus on cyber hygiene.

For underwriters, these requirements generate a richer, more structured risk signal — one that can be systematically evaluated during the underwriting process.

The 5 Pillars of the DORA ICT Risk Management Framework

DORA is structured around five core pillars, each corresponding to a chapter of the regulation. Together, they form an integrated framework designed to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions. Understanding these pillars is essential for any underwriter assessing cyber risk in the European financial sector.

Pillar 1: ICT Risk Management Governance and Framework (Chapter II)

The first pillar establishes the foundational ICT risk management framework that every in-scope financial entity must implement. Under Articles 5–16 of DORA, entities are required to:

  • Define, implement, and maintain an ICT risk management framework proportionate to their size, complexity, and risk profile.
  • Identify, classify, and document all ICT-supported business functions, processes, and assets.
  • Implement protection and prevention measures including identity management, access controls, cryptography, and network segmentation.
  • Maintain business continuity and disaster recovery plans that explicitly address ICT disruption scenarios.
  • Assign responsibility for managing and overseeing ICT risk to a control function with an appropriate level of independence from ICT operations, with segregation between ICT management, control and internal audit functions (the three-lines-of-defence model, Art. 6(4)); the management body retains ultimate responsibility for the framework (Art. 5).

The European Supervisory Authorities (EBA, EIOPA and ESMA) published their final draft Regulatory Technical Standards (RTS) on the ICT risk management framework in January 2024, in the first batch of DORA technical standards; the Commission subsequently adopted them as Delegated Regulation (EU) 2024/1774. The RTS provide granular guidance on how the framework should be structured, and the Level 1 text itself (Articles 5 and 6) requires a digital operational resilience strategy, set out as part of the framework, that is approved and overseen by the management body.

Underwriting Questions for Pillar 1

When evaluating a financial sector client’s ICT risk management governance, underwriters should ask:

  1. Has the entity documented a complete ICT risk management framework approved by its management body? Request a summary of the framework structure and the date of the most recent board-level review.
  2. Is the ICT risk management function operationally independent from IT operations? Independence is a core DORA requirement — conflating risk oversight with delivery creates blind spots.
  3. Can the entity produce a current ICT asset inventory covering all business-critical systems and data flows? An incomplete asset register is a red flag for both DORA compliance and cyber exposure.
  4. What is the frequency of ICT risk assessment reviews, and when was the most recent assessment completed?
  5. How does the entity classify ICT risk — and does the classification align with the proportionality principle under DORA?
  6. Are business continuity and disaster recovery plans tested at least annually, with results documented and remediation tracked?
  7. What identity and access management controls are in place for privileged accounts and critical systems?

Pillar 2: ICT-Related Incident Management, Classification and Reporting (Chapter III)

The second pillar governs how financial entities detect, manage, classify and report ICT-related incidents. Under Articles 17–23, DORA introduces:

  • A standardised incident classification system based on severity criteria (number of affected clients, downtime duration, geographic spread, economic impact).
  • A tiered reporting obligation to the relevant competent authority for incidents classified as major (Art. 19): an initial notification within 4 hours of classification and no later than 24 hours after the entity became aware of the incident, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report (time limits set by the RTS adopted as Commission Delegated Regulation (EU) 2025/301). Significant cyber threats may be notified voluntarily.
  • Requirements for incident detection, triage, and escalation procedures.
  • Obligations to communicate relevant incident information to affected clients and counterparties where the incident may cause harm.
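The following Python is an added illustration, not code from the original page: it computes the latest permissible submission time for each of the three DORA major-incident reports and flags reports that were sent late, using the 4-hour, 24-hour, 72-hour and one-month windows described above. The window constants, the reading of "one month" as a calendar month, and the incident timestamps are assumptions constructed for the example.

```python
from __future__ import annotations

from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows for a major ICT-related incident (DORA Art. 19) as set
# out in the RTS on reporting content and timelines (Commission Delegated
# Regulation (EU) 2025/301). Hard-coded here for illustration: confirm the
# values against the current text before using this as a control.
INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_FROM_AWARENESS = timedelta(hours=24)
INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)


def utc(*args: int) -> datetime:
    """Timezone-aware UTC timestamp from (year, month, day[, hour, minute])."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass(frozen=True)
class IncidentTimeline:
    aware_at: datetime                      # entity became aware of the incident
    classified_at: datetime                 # entity classified it as major (Art. 18)
    initial_sent: Optional[datetime] = None
    intermediate_sent: Optional[datetime] = None
    final_sent: Optional[datetime] = None


def add_one_month(dt: datetime) -> datetime:
    """Same day of the next month, clamped to that month's last day.
    Assumption: the RTS's 'one month' is a calendar month, not 30 days."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month,
                      day=min(dt.day, monthrange(year, month)[1]))


def deadlines(t: IncidentTimeline) -> dict[str, datetime]:
    """Latest permissible submission time for each report.

    A report that has already been sent anchors the next window on its actual
    submission time; otherwise the previous deadline is used (worst case)."""
    if t.classified_at < t.aware_at:
        raise ValueError("classification cannot precede awareness")
    # 4 hours from classification, but never more than 24 hours from
    # awareness: a slow classification decision does not extend the window.
    initial = min(t.classified_at + INITIAL_FROM_CLASSIFICATION,
                  t.aware_at + INITIAL_CAP_FROM_AWARENESS)
    intermediate = (t.initial_sent or initial) + INTERMEDIATE_FROM_INITIAL
    final = add_one_month(t.intermediate_sent or intermediate)
    return {"initial": initial, "intermediate": intermediate, "final": final}


def late_reports(t: IncidentTimeline) -> list[str]:
    """Names of the reports that were submitted after their deadline."""
    due = deadlines(t)
    sent = {"initial": t.initial_sent,
            "intermediate": t.intermediate_sent,
            "final": t.final_sent}
    return [name for name, when in sent.items()
            if when is not None and when > due[name]]


if __name__ == "__main__":
    # Constructed example: an outage detected at 02:00 on 10 March but only
    # classified as major 23 hours later, so the 24-hour cap bites.
    t = IncidentTimeline(aware_at=utc(2025, 3, 10, 2, 0),
                         classified_at=utc(2025, 3, 11, 1, 0),
                         initial_sent=utc(2025, 3, 11, 4, 30),
                         intermediate_sent=utc(2025, 3, 13, 9, 0))
    for name, when in deadlines(t).items():
        print(f"{name:12s} due {when:%Y-%m-%d %H:%M}Z")
    print("late:", late_reports(t))
```

The constructed case is the one underwriters should probe for in Pillar 2 question 5: an entity that takes most of a day to decide an incident is major has already used up the 24-hour backstop, so the nominal "4 hours from classification" is not the binding deadline.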

For underwriters, this pillar is particularly significant because it creates a structured, regulator-facing incident record. Entities with mature DORA incident management will have detailed incident logs, root cause analyses, and remediation evidence — all of which are invaluable for claims analysis and pricing.

Underwriting Questions for Pillar 2

  1. Can the entity describe its ICT incident classification methodology and how it determines “major incident” status?
  2. What is the entity’s track record of DORA-reportable incidents since January 2025? Request de-identified incident summaries if confidentiality is a concern.
  3. Does the entity have an automated incident detection capability, or does it rely primarily on manual processes?
  4. What is the average mean time to detect (MTTD) and mean time to respond (MTTR) for ICT incidents?
  5. How does the entity ensure the initial notification deadline is met (4 hours from classification, and at most 24 hours from awareness)? Ask who is authorised to classify an incident as major, how the escalation chain works, and how after-hours coverage is staffed.
  6. Are post-incident reviews conducted for all significant events, with lessons-learned documented and fed back into the risk management framework?
  7. Has the entity experienced any incidents related to the same root cause in a 12-month period? Recurring root causes indicate systemic governance gaps.

Pillar 3: Digital Operational Resilience Testing (Chapter IV)

The third pillar requires financial entities to regularly test their digital operational resilience through a structured programme that includes both theoretical assessments and hands-on exercises. Articles 24–27 mandate:

  • A resilience testing programme encompassing vulnerability assessments, open-source analyses, network security assessments, physical security reviews, and end-to-end testing of critical business services.
  • Threat-Led Penetration Testing (TLPT) for financial entities identified by their competent authority under the Article 26(8) criteria. TLPT must be conducted at least every three years on live production systems, following a framework aligned with TIBER-EU, using realistic threat scenarios informed by threat intelligence. Testers must meet the Article 27 requirements; internal testers may be used only with the competent authority's approval, the threat intelligence provider must always be external, and significant credit institutions must use external testers only.
  • After each TLPT the entity must provide the competent authority with a summary of the relevant findings, its remediation plans and documentation showing the test met DORA's requirements, after which the authority issues an attestation (Art. 26(6)-(7)). Remediation plans should then be tracked to completion.

TLPT is a critical innovation for underwriters because it provides a structured, scenario-based assessment of how well an entity can withstand sophisticated cyber attacks — directly analogous to the types of events that trigger cyber insurance claims.

Underwriting Questions for Pillar 3

  1. Does the entity maintain a digital operational resilience testing programme that covers all ICT-supported critical business functions?
  2. Is the entity subject to TLPT requirements? If yes, request the date of the most recent TLPT and a high-level summary of findings (redacted as necessary).
  3. Who conducts the entity’s penetration testing — internal teams, external firms, or both? What certifications do the testers hold (CREST, OSCP, or equivalent)?
  4. What is the entity’s vulnerability management lifecycle — how quickly are critical and high-severity vulnerabilities remediated?
  5. Are red team / blue team exercises conducted, and do they include scenarios relevant to the entity’s specific threat landscape (e.g., ransomware, supply chain compromise, insider threat)?
  6. Has the entity experienced any material findings in resilience testing that were not remediated within the agreed timeline?
  7. Does testing extend to cloud environments, APIs, and third-party integrations — or is it limited to on-premises infrastructure?

Pillar 4: Third-Party ICT Risk Management (Chapter V)

The fourth pillar addresses what many consider the most challenging aspect of DORA compliance: managing ICT risk from third-party service providers. Articles 28–44 establish:

  • Requirements for financial entities to identify, assess, and monitor ICT concentration risk from third-party providers.
  • Mandatory contractual provisions that must be included in agreements with ICT third-party service providers, including audit rights, incident notification obligations, and data processing terms.
  • A register of information documenting all contractual arrangements with ICT third-party service providers, maintained in a format prescribed by the ESAs.
  • Oversight mechanisms including the right to inspect, audit, and access data held by third-party providers.

For underwriters, third-party ICT risk is one of the most significant — and often underpriced — elements of cyber exposure. The CrowdStrike incident of July 2024, the SolarWinds supply chain compromise, and numerous cloud outages demonstrate that concentration in critical ICT providers can generate correlated losses across the financial sector.

Underwriting Questions for Pillar 4

  1. Can the entity produce its register of ICT third-party service provider arrangements as required under DORA?
  2. How many critical ICT third-party providers does the entity rely on, and what is the concentration profile? Identify the top 5 providers by criticality.
  3. Do all contracts with critical ICT third-party providers include the mandatory provisions specified in DORA (audit rights, incident notification within defined timeframes, data localisation, exit strategies)?
  4. Has the entity conducted a concentration risk assessment — and does it have a plan to mitigate excessive dependency on single providers?
  5. What is the entity’s process for onboarding and periodically reassessing ICT third-party providers?
  6. Does the entity have the contractual right to conduct or commission penetration testing of its critical third-party providers’ environments?
  7. How does the entity monitor service level compliance from third-party providers — and what happens when SLAs are breached?

Pillar 5: Information Sharing Arrangements (Chapter VI)

The fifth and final pillar covers information sharing among financial entities to enhance collective digital operational resilience. Article 45, the sole article of Chapter VI, provides for:

  • A voluntary framework under which financial entities may exchange cyber threat information and intelligence amongst themselves (indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools) through information-sharing arrangements, with the aim of enhancing digital operational resilience and raising awareness of cyber threats.
  • A requirement that such arrangements protect the potentially sensitive nature of the information shared and are governed by rules of conduct that respect business confidentiality, personal data protection and competition law.
  • A requirement that participating entities notify their competent authority when their membership of an arrangement is validated, and again when their participation ends.

While voluntary, participation in information-sharing arrangements is a positive signal for underwriters. Entities that actively share and consume threat intelligence tend to have faster detection capabilities and more informed risk management.

Underwriting Questions for Pillar 5

  1. Does the entity participate in any DORA-recognised information-sharing arrangements (e.g., ISACs, threat intelligence consortia)?
  2. How is shared threat intelligence ingested and operationalised within the entity’s ICT risk management processes?
  3. Does the entity contribute its own threat intelligence to sharing arrangements, or does it only consume? Active contribution indicates deeper analytical capability.
  4. What mechanisms are in place to ensure shared information is appropriately anonymised and that confidentiality obligations are met?

DORA ICT Risk Management Framework: Summary Table

The following table summarises the five pillars, their regulatory basis, and the key compliance deliverables that underwriters should look for.

Pillar | DORA Chapter | Key Articles | Core Requirement | Key Compliance Deliverables
ICT Risk Management | Chapter II | Art. 5–16 | Comprehensive ICT risk management framework | ICT risk strategy, asset inventory, BCP/DR plans, independent risk control function
ICT Incident Management | Chapter III | Art. 17–23 | Incident classification, response, and reporting | Incident classification methodology, reporting procedures, incident logs
Resilience Testing | Chapter IV | Art. 24–27 | Regular testing, including TLPT for entities identified under Art. 26 | Testing programme, TLPT summary and attestation, vulnerability remediation records
Third-Party ICT Risk | Chapter V | Art. 28–44 | Third-party risk management and concentration oversight | Register of information, contracts with mandatory provisions, concentration risk assessment
Information Sharing | Chapter VI | Art. 45 | Voluntary sharing of cyber threat intelligence | Evidence of ISAC/consortia participation (notified to the competent authority), intelligence integration processes

How DORA Affects Cyber Insurance Underwriting and Coverage Decisions

DORA compliance in the financial sector is not merely a regulatory checkbox — it has material implications for how underwriters should assess, price, and structure cyber insurance for in-scope entities. Here are the key areas where DORA intersects with underwriting practice.

Improved Risk Signal Quality

DORA requires financial entities to maintain structured, documented, and regularly tested ICT risk management processes. For underwriters, this means:

  • Better data availability: Entities should be able to produce detailed documentation covering their ICT assets, incident history, testing results, and third-party dependencies — all of which inform exposure analysis.
  • Standardised incident classification: The DORA incident taxonomy creates a common language for discussing loss events, improving the comparability of risk profiles across the financial sector.
  • Tested resilience posture: TLPT and resilience testing results provide empirical evidence of how well an entity can withstand attack scenarios, moving the underwriting conversation beyond theoretical controls to demonstrated capability.

Concentration Risk Exposure

DORA’s third-party pillar explicitly requires entities to manage ICT concentration risk — but underwriters should recognise that the financial sector as a whole remains heavily concentrated on a small number of cloud providers, security platforms, and core banking system vendors. A single provider outage or compromise can generate losses across a large portfolio of financial sector insureds.

When underwriting for financial sector clients, consider:

  • Whether aggregate exposure limits adequately account for ICT concentration risk across the portfolio.
  • Whether the entity has multi-cloud or multi-vendor strategies that reduce single-point-of-failure risk.
  • Whether the entity’s DORA-mandated concentration risk assessment identifies dependencies that could create correlated exposure.
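The portfolio-level check described above can be scripted. The following Python is an added example, not the page's own tooling: it takes rows distilled from several insureds' DORA registers of information, aggregates the policy limit exposed to each ICT provider across the whole book, flags providers whose exposure exceeds an appetite threshold, and reports each insured's largest single-provider dependency. The insureds, providers, limits and the 25% threshold are all constructed for illustration; the register-of-information format is assumed to have been normalised to one provider name per vendor before this step.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    """One row distilled from an insured's DORA register of information."""
    insured: str      # financial entity in the portfolio
    provider: str     # ICT third-party provider, name normalised across insureds
    function: str     # business function the service supports
    critical: bool    # supports a critical or important function


@dataclass(frozen=True)
class Policy:
    insured: str
    limit_eur: int    # aggregate limit written on that insured


def provider_exposure(register, policies, critical_only=True):
    """Aggregate policy limit exposed to each provider across the portfolio.

    Returns rows (provider, number_of_insureds, exposed_limit_eur), largest
    first. An insured's limit counts once per provider however many functions
    it maps to that provider: one provider outage hits all of them at once."""
    limit_of = {p.insured: p.limit_eur for p in policies}
    insureds_by_provider: dict[str, set[str]] = defaultdict(set)
    for e in register:
        if critical_only and not e.critical:
            continue
        insureds_by_provider[e.provider].add(e.insured)
    rows = [(prov, len(ins), sum(limit_of.get(i, 0) for i in ins))
            for prov, ins in insureds_by_provider.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def accumulation_flags(register, policies, max_share=0.25):
    """Providers whose exposed limit exceeds max_share of total written limit.

    max_share is a hypothetical appetite threshold, not a DORA figure."""
    total = sum(p.limit_eur for p in policies)
    return [(prov, round(exposed / total, 3))
            for prov, _n, exposed in provider_exposure(register, policies)
            if total and exposed / total > max_share]


def largest_dependency(register, insured):
    """For one insured: the provider carrying most of its critical functions
    and that provider's share of them (1.0 means a single point of failure)."""
    counts = Counter(e.provider for e in register
                     if e.insured == insured and e.critical)
    if not counts:
        return None, 0.0
    provider, n = counts.most_common(1)[0]
    return provider, round(n / sum(counts.values()), 3)


# Constructed sample data: hypothetical insureds, providers and limits.
POLICIES = [Policy("BankOne", 20_000_000), Policy("PayCo", 5_000_000),
            Policy("AssetCo", 10_000_000), Policy("InsurerX", 15_000_000)]

REGISTER = [
    RegisterEntry("BankOne", "CloudA", "core banking hosting", True),
    RegisterEntry("BankOne", "CloudA", "data warehouse", True),
    RegisterEntry("BankOne", "EDR-Vendor", "endpoint protection", True),
    RegisterEntry("PayCo", "CloudA", "payment switch", True),
    RegisterEntry("PayCo", "EDR-Vendor", "endpoint protection", True),
    RegisterEntry("AssetCo", "CloudB", "portfolio management", True),
    RegisterEntry("AssetCo", "MarketData-Inc", "market data feed", True),
    RegisterEntry("InsurerX", "CloudA", "policy administration", True),
    RegisterEntry("InsurerX", "EDR-Vendor", "endpoint protection", True),
    RegisterEntry("InsurerX", "HR-SaaS", "payroll", False),
]

if __name__ == "__main__":
    for prov, n, exposed in provider_exposure(REGISTER, POLICIES):
        print(f"{prov:15s} insureds={n} exposed=EUR {exposed:,}")
    print("over appetite:", accumulation_flags(REGISTER, POLICIES))
    print("BankOne largest dependency:", largest_dependency(REGISTER, "BankOne"))
```

In the sample book, the cloud host and the endpoint security vendor each sit under 80% of the written limit even though no single insured looks concentrated on paper; that is the correlated exposure a per-insured DORA concentration assessment will never surface on its own.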

Regulatory Fines and Penalties

DORA does not set harmonised fine amounts for financial entities: Article 50 requires Member States to lay down administrative penalties and remedial measures for breaches, and national competent authorities apply them alongside their sanctioning powers under existing sectoral legislation. The one directly Union-level sanction is the periodic penalty payment that a Lead Overseer may impose on a critical ICT third-party provider (Article 35). Underwriters should clarify:

  • Whether the cyber policy covers regulatory investigation costs arising from DORA compliance failures.
  • Whether fines and penalties are covered to the extent permitted by applicable law.
  • Whether the policy responds to third-party claims resulting from operational disruptions caused by DORA non-compliance.

Business Interruption Exposure

DORA’s emphasis on operational continuity and resilience testing should — in theory — reduce the probability and severity of ICT-related business interruption events. However, underwriters should be aware that:

  • Testing that reveals material deficiencies does not eliminate the risk — it identifies it. Ask whether remediation has been completed.
  • The proportionality principle means smaller entities may have less rigorous testing programmes, potentially creating undetected exposure.
  • Third-party outages remain a significant BI risk even when the entity’s own resilience posture is strong.

DORA vs NIS2: What Underwriters Need to Know About Overlap and Differences

DORA is not the only EU cyber regulation reshaping the risk landscape. The NIS2 Directive (Directive (EU) 2022/2555) also imposes cybersecurity requirements on a range of sectors. For underwriters working across the European market, understanding the overlap and differences between DORA and NIS2 is critical.

Key Differences Between DORA and NIS2

Dimension | DORA | NIS2
Legal form | EU Regulation (directly applicable) | EU Directive (requires national transposition)
Scope | Financial entities listed in Art. 2 | Essential and important entities across multiple sectors (energy, transport, health, digital infrastructure, etc.)
Primary objective | Digital operational resilience of the financial sector | Common level of cybersecurity across critical sectors
Incident reporting | Initial notification within 4 hours of classifying an incident as major (no later than 24 hours after awareness), intermediate report within 72 hours, final report within one month | 24-hour early warning, 72-hour incident notification, 1-month final report
Testing requirements | TLPT at least every three years for entities identified under Art. 26 | Regular testing required; TLPT not specifically mandated
Third-party oversight | Comprehensive contractual and oversight requirements with a register of information; Union-level oversight of critical ICT third-party providers | Supply chain security required; less prescriptive on contractual terms
Supervision | National financial supervisors designated under sectoral law (banking, insurance, securities), with the ESAs (EBA, EIOPA, ESMA) coordinating and acting as Lead Overseers for critical ICT third-party providers | National CSIRTs and designated competent authorities
Financial entities under NIS2 | DORA is a sector-specific Union legal act for the purposes of Art. 4 NIS2 (DORA Art. 1(2)), so its requirements apply in place of the corresponding NIS2 provisions | N/A: DORA takes precedence for in-scope financial entities

Overlap and Implications for Underwriting

The critical point for underwriters is that financial entities subject to DORA are generally exempt from NIS2 obligations — DORA is considered the lex specialis (more specific law) for the financial sector. However, there are nuances:

  • Mixed-activity groups: A financial conglomerate may have subsidiaries that fall under NIS2 (e.g., a data centre subsidiary classified as a digital infrastructure provider) while the parent falls under DORA.
  • Third-country branches: EU branches of non-EU financial institutions may face different regulatory obligations depending on their structure and Member State.
  • Competing timelines: NIS2 transposition deadlines vary by Member State (October 2024 deadline, with many Member States delayed into 2025-2026), while DORA has been applicable since January 2025.

For underwriters, the practical approach is to confirm which regulatory framework applies to each insured entity and evaluate compliance against the applicable standard. Use our NIS2 Checker Tool to help clients determine their NIS2 obligations and how they interact with DORA.

DORA Compliance Timeline and Enforcement Milestones

Understanding the compliance timeline is essential for underwriters assessing whether clients have had sufficient time to implement DORA requirements — or whether they remain in a transitional risk state.

Key Dates

Date | Milestone
14 December 2022 | DORA adopted by the European Parliament and the Council
27 December 2022 | DORA published in the Official Journal of the European Union
16 January 2023 | DORA enters into force
17 January 2024 | ESAs publish the first batch of final draft technical standards (ICT risk management framework, incident classification criteria, register of information, third-party policy)
July 2024 | ESAs publish the second batch (major incident reporting content and timelines, TLPT, subcontracting)
17 January 2025 | DORA becomes applicable: full compliance required
January 2025 onward | National competent authorities begin supervisory assessment of DORA compliance
2025–2026 | First cycle of TLPT for identified entities; ongoing supervisory reviews and enforcement actions
2026 and beyond | Maturity of enforcement; potential for supervisory sanctions for persistent non-compliance

What Underwriters Should Assess in 2026

As of mid-2026, DORA has been applicable for over a year. Underwriters should expect:

  • Full implementation of ICT risk management frameworks, incident management procedures, and third-party registers.
  • At least one cycle of resilience testing completed, with results available for review.
  • Active compliance monitoring by competent authorities, with potential enforcement actions publicly disclosed.
  • Mature documentation that can be shared with insurers during the underwriting process.

Entities that cannot demonstrate substantive compliance by mid-2026 present elevated risk — both from a regulatory perspective and from the underlying ICT risk that DORA is designed to mitigate.

Sector-Specific Implications of the DORA ICT Risk Management Framework

DORA applies to a broad range of financial sector entities, but the specific compliance challenges — and underwriting considerations — vary by sub-sector.

Banking and Credit Institutions

Banks represent the largest category of DORA-in-scope entities and typically have the most mature ICT risk management practices. However, underwriters should note:

  • Systemically important banks are subject to TLPT, which provides rich underwriting intelligence.
  • Complex legacy technology stacks can create resilience testing challenges and undetected vulnerabilities.
  • High reliance on third-party core banking platforms creates concentration risk that DORA’s third-party pillar seeks to address.

Insurance and Reinsurance Undertakings

Insurers face unique DORA challenges because their core business — risk underwriting — increasingly depends on data analytics, AI-powered pricing models, and digital distribution. Key considerations:

  • Proportionality: Smaller insurers may apply simplified ICT risk management measures, but this should not translate to underwriting shortcuts. Assess the actual risk, not the regulatory minimum.
  • Interconnection with Solvency II: DORA compliance interacts with operational risk requirements under Solvency II — ask whether the entity has integrated the two frameworks.
  • Third-party reliance on insurtech platforms: Many insurers depend heavily on third-party policy administration and claims management systems.

Investment Firms and Asset Managers

Investment firms regulated under MiFID II are within DORA’s scope. Underwriting considerations include:

  • Algorithmic trading systems create unique ICT risk profiles — resilience testing should cover trading platform continuity.
  • Market data feeds are critical third-party dependencies that may not be obviously classified as ICT services.
  • Regulatory reporting obligations (e.g., EMIR, MiFIR transaction reporting) create additional ICT resilience requirements.

Payment Institutions and Electronic Money Institutions

Payment service providers and e-money institutions are explicitly within DORA’s scope. These entities typically:

  • Have high transaction volumes with low margins, creating significant business interruption exposure from even brief outages.
  • Depend heavily on cloud infrastructure and third-party payment processing — concentration risk is acute.
  • Face card scheme compliance obligations (PCI DSS) that intersect with DORA requirements.

Crypto-Asset Service Providers (CASPs)

Following the Markets in Crypto-Assets Regulation (MiCA), crypto-asset service providers authorised under EU law are also within DORA’s scope. Underwriting considerations:

  • The crypto sector has a distinct threat landscape — smart contract exploits, bridge attacks, and wallet compromises are unique to this sub-sector.
  • Many CASPs are early-stage companies with limited cybersecurity maturity relative to traditional financial institutions.
  • Third-party dependencies on blockchain infrastructure providers create novel concentration risks.

Practical Underwriting Framework for DORA-Compliant Financial Sector Clients

To operationalise the intelligence from DORA’s five pillars, underwriters should integrate the following framework into their assessment process.

Step 1: Confirm DORA Applicability and Scope

  • Verify that the entity is within DORA’s scope (refer to Article 2 for the full list of in-scope entities).
  • Determine whether the entity has been identified by its competent authority as required to perform TLPT under Article 26 (the criteria include impact-related factors, financial stability considerations and the entity's ICT risk profile).
  • Confirm which competent authority oversees the entity’s DORA compliance.

Step 2: Evaluate Pillar-by-Pillar Compliance Maturity

Use the underwriting questions provided in each pillar section above to build a compliance maturity profile. Score each pillar on a simple scale:

  • Mature: Full documentation, regular testing, evidence of continuous improvement, no material gaps.
  • Developing: Core elements in place, some gaps in documentation or testing, remediation underway.
  • Immature: Significant gaps, missing documentation, limited testing, or no evidence of board-level engagement.

Step 3: Assess Concentration and Systemic Risk

  • Map the entity’s critical third-party dependencies and evaluate single-point-of-failure exposure.
  • Consider the entity’s concentration risk in the context of your broader portfolio — are multiple insureds dependent on the same ICT providers?
  • Evaluate whether the entity’s TLPT scenarios adequately test supply chain and third-party compromise.

Step 4: Calibrate Coverage and Pricing

  • Use compliance maturity scoring to differentiate between entities — mature DORA compliance should support more competitive terms; immature compliance may warrant sublimits, exclusions, or premium loading.
  • Consider whether policy wording adequately addresses DORA-specific scenarios, including regulatory investigation costs, third-party cascade failures, and business interruption from ICT resilience testing failures.
  • Evaluate whether the entity’s DORA compliance reduces the need for certain coverage sublimits (e.g., if robust incident management is in place, first-party incident response costs may be lower).

Step 5: Monitor and Review

  • DORA compliance is ongoing, not one-time. Build policy renewals around updated compliance evidence, new testing results, and changes in the entity’s third-party risk profile.
  • Track enforcement actions and supervisory findings relevant to the entity’s sub-sector, as these may indicate emerging risk trends.

How Resiliently.ai Supports DORA and NIS2 Risk Assessment

At resiliently.ai, we provide tools and resources that help cyber insurance professionals navigate the complex intersection of DORA compliance, NIS2 obligations, and ICT risk management for the financial sector.

Free Tools for Underwriters and Brokers

  • NIS2 Checker: Determine whether a client falls under NIS2, DORA, or both — and what that means for their cybersecurity obligations. Essential for scoping the regulatory framework that applies to each prospect.

  • Cyber Risk Calculator: Quantify the potential financial impact of ICT disruption for financial sector entities, incorporating DORA-specific factors like third-party concentration risk and TLPT findings.

  • Free NIS2 Compliance Checklist: A practical checklist that covers both NIS2 and DORA-aligned requirements. Use it as an underwriting due diligence tool or share it with clients to assess their readiness.

Why Underwriters Trust Resiliently.ai

We focus exclusively on regulatory cyber risk — the intersection of compliance obligations, operational technology, and insurable exposure. Our tools are designed by practitioners who understand that cyber insurance underwriting requires more than compliance checklists; it requires structured, evidence-based risk assessment.

Conclusion: DORA as an Underwriting Intelligence Framework

The DORA ICT risk management framework represents a fundamental shift in how the European financial sector manages, tests, and reports on digital operational resilience. For cyber insurance underwriters, it provides a structured, five-pillar lens through which to evaluate the ICT risk posture of financial sector clients.

In 2026 and beyond, underwriters who can fluently assess DORA compliance — who know which questions to ask, which documents to request, and which red flags to watch for — will be better positioned to write profitable business in the financial sector. Those who treat DORA as just another regulatory burden will miss the risk intelligence embedded in its requirements.

The five pillars of DORA — ICT risk management governance, incident management and reporting, resilience testing, third-party ICT risk management, and information sharing — collectively define what good looks like for financial sector cyber resilience. Use them as your underwriting framework, and you will have a clearer view of the risk than the market average.
