Regulatory Compliance

EU insurance sector faces intensified cyber oversight under DORA guidelines from IVASS

Friday, 12 December 2025 3:16AM UTC

The European Insurance sector must now enhance cyber incident detection, reporting, and third-party risk management following recent guidance from Italy’s IVASS and the broader implementation of the Digital Operational Resilience Act (DORA).

Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), which entered into force on 17 January 2025, has brought the EU insurance sector squarely within a harmonised framework designed to prevent, detect, respond to and recover from ICT-related incidents. According to the original report, the Italian insurance supervisory authority IVASS has moved quickly to translate DORA’s obligations into operational instructions for insurance and reinsurance undertakings and larger intermediaries, signalling a new regulatory emphasis on cyber resilience across the sector. ^[1]^[2]

IVASS’s initial guidance includes two Letters to the Market that set out obligations for prompt reporting of “major” cyber incidents and, on a voluntary basis, the reporting of cyber threats. The company said in a statement-like communication that insurers must follow specific timelines and content requirements when notifying authorities, and IVASS has provided reporting templates intended to standardise notifications and accelerate supervisory response. Industry advisories note that these measures mark a step-change in supervisory oversight of ICT incidents in insurance. ^[1]^[2]^[7]

Beyond incident reporting, IVASS’s instructions require firms to maintain a register of ICT contracts and to strengthen internal ICT risk-management frameworks. The DORA regulatory technical and implementing standards define criteria for incident classification, minimum content for reports and expectations for ICT risk-management governance, which supervisors will use to assess compliance. Industry data shows these technical standards are detailed and prescriptive, covering governance, testing, continuity and recovery arrangements. ^[1]^[4]

National supervisors across the EU are aligning their own instruments with DORA. For example, Luxembourg’s CSSF has issued Circular CSSF 25/882 to clarify requirements for the use of third-party ICT services and the submission of related information, reinforcing DORA’s focus on risks arising from external providers. At the EU level, the European Banking Authority’s oversight role is being used as the model for supervising critical ICT third-party providers, with powers to investigate, recommend measures and, where necessary, impose sanctions. These layers of oversight mean insurers must now manage both firm-level resilience and the resilience of key suppliers. ^[5]^[6]

Legal advisories and law firms summarising IVASS’s Letters emphasise practical implications: firms should review incident-detection and escalation procedures, ensure reporting templates and timelines are embedded in internal processes, map ICT contracts to support the required register, and test recovery plans against DORA’s expectations. The company claims that compliance will demand closer coordination between legal, IT, outsourced-provider managers and senior management. Supervisors will expect documented evidence of governance, testing and contractual controls. ^[3]^[7]

The direction of travel is clear: DORA establishes far-reaching, harmonised obligations that will increase supervisory scrutiny of cyber incidents and third-party risk across the European insurance sector. Firms that treat the IVASS letters as merely administrative will risk falling short of the technical standards and oversight regime described in the DORA texts; conversely, those that use the guidance to harden detection, reporting and third-party oversight will be better placed to meet supervisory expectations and reduce operational disruption. Practical steps now include updating incident-response playbooks to DORA templates, populating and maintaining an ICT-contracts register, and documenting end-to-end testing and recovery outcomes for scrutiny by supervisors. ^[1]^[4]^[5]^[3]

##Reference Map:

^[1] (JD Supra) - Paragraph 1, Paragraph 2, Paragraph 5, Paragraph 6
^[2] (IVASS media avviso) - Paragraph 1, Paragraph 2
^[3] (DLA Piper / Derisk Newsletter) - Paragraph 5, Paragraph 6
^[4] (DORA RTS/ITS overview) - Paragraph 3, Paragraph 6
^[5] (CSSF circular) - Paragraph 4, Paragraph 6
^[6] (EBA overview) - Paragraph 4
^[7] (CMS Law analysis of IVASS Letter) - Paragraph 2, Paragraph 5

Source: Noah Wire Services

More on this

https://www.jdsupra.com/legalnews/derisk-newsletter-november-2025-2889611/ - Please view link - unable to able to access data
https://www.ivass.it/media/avviso/lm-ivass-reporting-dora - IVASS, the Italian Insurance Supervisory Authority, has issued operational procedures for insurance companies and larger intermediaries to promptly report serious cyber incidents and, on a voluntary basis, cyber threats under the EU Digital Operational Resilience Act (DORA). Effective from 17 January 2025, DORA aims to enhance the resilience of the European financial system by establishing measures for the prevention, response, and recovery from cyber incidents. IVASS's guidelines provide detailed instructions on reporting protocols to ensure compliance with DORA's requirements.
https://www.dlapiper.com/en-es/insights/publications/derisk-newsletter/2025/insurance-sector-and-cybersecurity-ivass-publishes-initial-instructions-for-implementing-dora - DLA Piper discusses the implementation of the Digital Operational Resilience Act (DORA) in the insurance sector, focusing on the initial instructions published by IVASS. DORA, effective from 17 January 2025, introduces a new regulatory framework for digital operational resilience in the European cyber-financial sector. Insurance and reinsurance companies, along with relevant intermediaries, are now subject to these obligations. IVASS has issued two Letters to the Market outlining requirements for reporting serious cyber incidents and maintaining a register of ICT contracts, marking a new era of cyber surveillance for the insurance industry.
https://www.regulation-dora.eu/pdf/dora-rts-its-complete-overview.html - This comprehensive overview provides detailed information on the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) associated with the Digital Operational Resilience Act (DORA). Effective from 17 January 2025, DORA establishes a comprehensive framework for digital operational resilience for EU financial entities. The document includes a summary table of all RTS and ITS, specifying topics such as ICT risk management frameworks, criteria for classification of ICT-related incidents, and standards for reporting major incidents, among others. It serves as a valuable resource for understanding the technical standards underpinning DORA.
https://www.cssf.lu/wp-content/uploads/cssf25_882eng.pdf - The Commission de Surveillance du Secteur Financier (CSSF) in Luxembourg has issued Circular CSSF 25/882, outlining requirements for the use of ICT third-party services by financial entities subject to the Digital Operational Resilience Act (DORA). Effective from 17 January 2025, DORA aims to harmonise and strengthen the digital operational resilience of the EU financial sector. The circular provides practical instructions on the submission of information and reporting related to the use of ICT third-party providers, complementing DORA by recalling general requirements regarding the use of ICT services provided by third parties.
https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act - The European Banking Authority (EBA) provides an overview of the Digital Operational Resilience Act (DORA), Regulation 2023/2554, which establishes a comprehensive framework for digital operational resilience for EU financial entities. DORA applies to all financial sector entities and introduces an EU oversight framework for critical ICT third-party providers. The EBA outlines its role in overseeing critical third-party providers, including conducting investigations, imposing penalties, and issuing recommendations, to ensure adequate monitoring of risks posed to the EU financial sector.
https://cms.law/en/ita/publication/ivass-letter-to-the-market-no.-31644-2025-reports-of-major-cyber-incidents-and-cyber-threats-pursuant-to-eu-regulation-2022-2554-dora - CMS Law provides insights into IVASS's Letter to the Market no. 31644/2025, which details the operational procedures for insurers and intermediaries to report major cyber incidents and cyber threats under the EU Digital Operational Resilience Act (DORA). Effective from 17 January 2025, DORA requires financial entities to report significant ICT-related incidents and, on a voluntary basis, relevant cyber threats. The letter specifies reporting timelines, content requirements, and provides templates for notifications, ensuring compliance with DORA's provisions.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 8

Notes: The narrative references the Digital Operational Resilience Act (DORA), which came into force on 17 January 2025. The JD Supra article was published on 11 December 2025, indicating timely reporting. The IVASS Letter to the Market, dated 14 February 2025, is cited, suggesting the content is based on recent developments. No evidence of recycled or outdated information was found. The narrative appears to be original and up-to-date. ([ivass.it](https://www.ivass.it/media/avviso/lm-ivass-reporting-dora?utm_source=openai))

Quotes check

Score: 9

Notes: The narrative includes direct quotes from the IVASS Letter to the Market, dated 14 February 2025. These quotes are consistent with the original document, confirming accurate reporting. No discrepancies or variations in wording were found. ([ivass.it](https://www.ivass.it/media/avviso/lm-ivass-reporting-dora?utm_source=openai))

Source reliability

Score: 9

Notes: The narrative originates from JD Supra, a reputable platform for legal and regulatory updates. The content is authored by professionals from DLA Piper, a well-established international law firm. The IVASS Letter to the Market, dated 14 February 2025, is an official document from the Italian Insurance Supervisory Authority, further enhancing the reliability of the information. ([ivass.it](https://www.ivass.it/media/avviso/lm-ivass-reporting-dora?utm_source=openai))

Plausibility check

Score: 9

Notes: The narrative discusses the implementation of DORA in the insurance sector, referencing official communications from IVASS. The information aligns with known regulatory developments and industry practices. No inconsistencies or implausible claims were identified. ([ivass.it](https://www.ivass.it/media/avviso/lm-ivass-reporting-dora?utm_source=openai))

Overall assessment

Verdict (FAIL, OPEN, PASS): PASS

Confidence (LOW, MEDIUM, HIGH): HIGH

Summary: The narrative provides accurate, timely, and original information regarding the implementation of DORA in the insurance sector, supported by reliable sources and consistent with known regulatory developments.

EU regulation
Cybersecurity
Insurance sector
Digital operational resilience