
DORA compliance: Shared burden or a collective solution?

MeasureWorks DORA roundtable

One year of DORA. What have we learned?

A year after the Digital Operational Resilience Act (DORA) officially came into force, the question for insurers is no longer whether they are compliant, but what compliance looks like in practice.

On 19 March 2026, CIOs and IT leaders from across the sector gathered for a roundtable hosted by MeasureWorks and DEI. The conversation was refreshingly candid: while a vast amount of energy is being poured into ticking boxes, are organisations actually becoming more resilient?

In this blog, we explore how insurers are experiencing DORA on the ground and what is required to move beyond mere compliance toward genuine digital resilience.

“By gaining visibility into your supply chain and monitoring it continuously, you aren’t just compliant; more importantly, you ensure you aren’t caught off guard.” – Marcel Schipper, Sales Director at MeasureWorks

What is DORA?

The Digital Operational Resilience Act is an EU regulation designed to strengthen the digital resilience of the financial sector. It mandates the reporting of ICT incidents, regular ethical-hacking (penetration) tests, and strict requirements for contracts with third-party IT providers.

Crucially, the scope extends far beyond the financial organisation itself. Insurers must maintain a firm grip on their critical supply chain partners; after all, a disruption at an IT provider can be just as catastrophic as an internal system failure. DORA has been officially in effect since January 2025.

The Impact of DORA

DORA requires more than just a list of critical suppliers. Where organisations previously categorised outsourcing partners as ‘critical’ or ‘important,’ the regulation now mandates the identification of critical functions.

Health insurer ONVZ took a practical approach using their core process model. “We identified all our functions and labelled a specific subset as critical,” explains Supplier Manager Jan-Dirk Rundervoort. DORA also introduced new requirements for the selection, contracting, and performance of IT service providers. ONVZ addressed this via an addendum to existing contracts, updated risk analyses, and a refreshed control framework. Furthermore, quarterly reports are now submitted to the Board of Directors, a step that wasn’t previously standard practice. “The Board never used to involve itself in procurement. We really had to drag them to the table,” says Rundervoort. “But we’ve succeeded in doing that now.”

The results are impressive. With a lean team, close coordination with the risk department, and an external partner providing a fresh perspective, 92 out of 94 controls have been met. One outstanding control concerns exit plans: ONVZ has opted for an overarching exit strategy with management approval, rather than individual plans for every single supplier.

Compliance is not the same as resilience

The greatest challenge lies not just in implementation, but in the mindset that follows. Sandor Beckmann of BNG Bank put it sharply: “DORA is, first and foremost, a license to operate. The fear of regulatory oversight and board liability is the dominant driver.” This creates a side effect: a focus on “ticking the box” rather than the underlying intent of the regulation.

John de Voogd of Klaverblad recognises this trend: “We are so focused on providing evidence that all our energy goes there. Far less energy goes into the actual controls, which might even suffer as a result. Is anyone still stopping to ask why we are doing this?”

Internally, this pattern is often reinforced. Michiel van Dijk of VGZ notes that everyone from the first to the third line of defence wants to have a say in newly introduced processes. “They are sometimes even stricter than the external regulators. It doesn’t exactly make the organisation more agile. Everyone wants to add their own layer of requirements.”

The risk is what participants described as a false sense of security. Rundervoort illustrated this with the ransomware attack on Maastricht University, where all data was held hostage, leaving the organisation paralysed. “After the hack, the CIO said on TV that everything had been ‘reported as green.’ That’s all well and good, but it’s useless in practice. I see the same in audits: they only check if something exists, not why it’s there or if it actually works.”

The chain extends beyond your own IT landscape

Digital resilience doesn’t stop at the office door. Insurers must manage their critical partners, but this responsibility weighs heavily on the rest of the chain, particularly smaller players.

Take Stichting VbV, a joint initiative by Dutch non-life insurers that helps recover missing and stolen vehicles. The foundation itself does not fall under DORA, but it is a key partner to insurers that do. Project Leader Roelof Muis voices his concern: “Our fear is: how will insurers enforce their requirements on suppliers and third parties? If every partner starts imposing their own unique set of demands on us, it becomes unmanageable.”

This is a significant hurdle for a small organisation without a dedicated compliance department. The challenges are already evident with the rollout of ISO 27001. “We are still in the phase of embedding basic behaviours, like remembering to lock your computer when you go to the toilet. For a large corporation, that’s second nature; for us, it’s still a transition.”

Additionally, the organisation currently relies on numerous Excel spreadsheets, where a single change must be updated in eight different places. Muis is calling for standardisation: “We want to move away from this ‘Excel hell.’ We need a single software solution that acts as a ‘golden source’ of information.”

Everybody wants to collaborate, but trust proves to be difficult

The challenges of DORA are universal. Almost all insurers are wrestling with the same questions: How do you label critical functions? How do you structure supplier management? How do you ensure contractual safeguards? This suggests a collective approach would be logical. While the Dutch Association of Insurers provides a standard DORA addendum, and experiences are shared via CIO platforms, each insurer still has to tailor these documents to their specific organisation. Furthermore, every insurer independently requests information from the same pool of suppliers.

Previous attempts at centralisation have struggled. In 2024, Rundervoort initiated a shared register to divide the workload. The initial enthusiasm was high. A second session led to concrete plans: adapting the standard addendum for universal use and creating a joint supplier register with a generic questionnaire. Suppliers would only have to fill it in once for all participating insurers.

“I updated the addendum, created the questionnaire, and sent it to everyone,” says Rundervoort. “The result? Stone-cold silence.” The initiative fizzled out, and everyone went back to reinventing the wheel. This wasn’t due to a lack of will, but a structural lack of trust, fuelled by personal liability at the board level. As Rundervoort summarises: “The crux is trust. If another insurer builds something for us collectively, but I am the one held accountable for it, I’m still going to want to check it myself.”

What does work: starting small with a concrete goal

The consensus at the table was that it is better to start small. Two parties tackling a specific project achieve results faster than a broad coalition trying to reach a consensus on high-level principles. In large groups, you often only agree on the basics, after which the details get bogged down in internal stakeholder management. According to Rundervoort, two ingredients are essential: a concrete use case and one party taking the lead. “In large groups, thirty people want to include their own ‘pet projects.’ It becomes much more bloated than it needs to be.” ONVZ’s approach proves that a focused, small-scale method works. Furthermore, a “quick win” is easier to report internally and builds an appetite for more.

This lesson points to a broader truth: digital resilience is an ongoing process. It requires operational grip, knowing what is happening in the chain, who is responsible for what, and what the impact is if a link breaks. Marcel Schipper of MeasureWorks highlights this: “DORA demands operational control: knowing what’s happening and knowing what to do when things go wrong. That doesn’t end with your own IT landscape; it includes the dependencies outside of it.”

MeasureWorks addresses this through observability: monitoring every link in the IT chain, technically, organisationally, and operationally. Who responds to an alert? What is the downtime impact? Does everyone know their role during an incident? “Only with this insight can you react quickly and limit disruption.” This level of insight will only become more critical with the upcoming AI Act, which places transparency and system controllability at its core.

Looking ahead post-DORA: operational control as the destination

The roundtable made it clear that compliance is merely the starting point. The real value lies in turning regulations into actionable capability. Organisations that invest now in truly understanding their digital supply chain, not just documenting it, are building a foundation that will withstand future regulations. As Schipper puts it: “By gaining visibility into your supply chain and monitoring it continuously, you aren’t just compliant; you prevent yourself from being caught off guard.”

Want to discuss DORA?

Do you want DORA to contribute to your organisation’s continuity? Or do you have questions about achieving full digital resilience? Feel free to contact our team for a chat.
