{"id":17245,"date":"2026-04-07T15:49:08","date_gmt":"2026-04-07T13:49:08","guid":{"rendered":"https:\/\/measureworks.nl\/blog\/dora-compliance-shared-burden-or-a-collective-solution\/"},"modified":"2026-04-16T10:20:10","modified_gmt":"2026-04-16T08:20:10","slug":"dora-compliance-shared-burden-or-a-collective-solution","status":"publish","type":"post","link":"https:\/\/measureworks.nl\/en\/blog\/dora-compliance-shared-burden-or-a-collective-solution\/","title":{"rendered":"DORA compliance: Shared burden or a collective solution?"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">One year of DORA. What have we learned?<\/h3>\n\n<p><strong>A year after the Digital Operational Resilience Act (DORA) officially came into force, the question for insurers is no longer if they are compliant, but what compliance looks like in practice.<\/strong><\/p>\n\n<p><strong>On 19 March 2026, CIOs and IT leaders from across the sector gathered for a <a href=\"https:\/\/digitalecosystems.institute\/dora-rondetafel-hoe-verzekeraars-grip-krijgen-op-de-keten\/\">roundtable<\/a> hosted by MeasureWorks and DEI. 
The conversation was refreshingly candid: while a vast amount of energy is being poured into ticking boxes, are organisations actually becoming more resilient?<\/strong><\/p>\n\n<p><strong>In this blog, we explore how insurers are experiencing DORA on the ground and what is required to move beyond mere compliance toward genuine digital resilience.<\/strong><\/p>\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;By gaining visibility into your supply chain and monitoring it continuously, you aren\u2019t just compliant; more importantly, you ensure you aren&#8217;t caught off guard.&#8221; \u2013 Marcel Schipper, Sales Director at MeasureWorks<\/p>\n<\/blockquote>\n\n<figure class=\"wp-block-image aligncenter size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/measureworkstijdensrondetafel-1024x683.jpg\" alt=\"\" class=\"wp-image-17237\" srcset=\"https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/measureworkstijdensrondetafel-1024x683.jpg 1024w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/measureworkstijdensrondetafel-300x200.jpg 300w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/measureworkstijdensrondetafel-768x512.jpg 768w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/measureworkstijdensrondetafel-1536x1024.jpg 1536w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/measureworkstijdensrondetafel-2048x1365.jpg 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n<h2 class=\"wp-block-heading\">What is DORA?<\/h2>\n\n<p>The Digital Operational Resilience Act is an EU regulation designed to strengthen the digital resilience of the financial sector. 
It mandates the reporting of IT incidents, regular ethical hacking tests, and strict requirements for IT contracts with third-party providers.<\/p>\n\n<p>Crucially, the scope extends far beyond the financial organisation itself. Insurers must maintain a firm grip on their critical supply chain partners; after all, a disruption at an IT provider can be just as catastrophic as an internal system failure. DORA has been officially in effect since January 2025.<\/p>\n\n<h2 class=\"wp-block-heading\">The Impact of DORA<\/h2>\n\n<p>DORA requires more than just a list of critical suppliers. Where organisations previously categorised outsourcing partners as \u2018critical\u2019 or \u2018important,\u2019 the regulation now mandates the identification of critical functions.<\/p>\n\n<p>Health insurer ONVZ took a practical approach using their core process model. &#8220;We identified all our functions and labelled a specific subset as critical,&#8221; explains Supplier Manager Jan-Dirk Rundervoort. DORA also introduced new requirements for the selection, contracting, and performance of IT service providers. ONVZ addressed this via an addendum to existing contracts, updated risk analyses, and a refreshed control framework.<\/p>\n\n<p>Furthermore, quarterly reports are now submitted to the Board of Directors, a step that wasn&#8217;t previously standard practice. &#8220;The Board never used to involve itself in procurement. We really had to drag them to the table,&#8221; says Rundervoort. &#8220;But we\u2019ve succeeded in doing that now.&#8221;<\/p>\n\n<p>The results are impressive. With a lean team, close coordination with the risk department, and an external partner providing a fresh perspective, 92 out of 94 controls have been met. 
One outstanding control concerns exit plans: ONVZ has opted for an overarching exit strategy with management approval, rather than individual plans for every single supplier.<\/p>\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/DORADEIrondetafel-1024x683.jpg\" alt=\"\" class=\"wp-image-17239\" srcset=\"https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/DORADEIrondetafel-1024x683.jpg 1024w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/DORADEIrondetafel-300x200.jpg 300w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/DORADEIrondetafel-768x512.jpg 768w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/DORADEIrondetafel-1536x1024.jpg 1536w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/DORADEIrondetafel-2048x1365.jpg 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n<h2 class=\"wp-block-heading\">Compliance is not the same as resilience<\/h2>\n\n<p>The greatest challenge lies not just in implementation, but in the mindset that follows. Sandor Beckmann of BNG Bank put it sharply: &#8220;DORA is, first and foremost, a license to operate. The fear of regulatory oversight and board liability is the dominant driver.&#8221; This creates a side effect: a focus on &#8220;ticking the box&#8221; rather than the underlying intent of the regulation.<\/p>\n\n<p>John de Voogd of Klaverblad recognises this trend: &#8220;We are so focused on providing evidence that all our energy goes there. Far less energy goes into the actual controls, which might even suffer as a result. Is anyone still stopping to ask why we are doing this?&#8221;<\/p>\n\n<p>Internally, this pattern is often reinforced. Michiel van Dijk of VGZ notes that everyone from the first to the third line of defence wants to have a say in newly introduced processes. 
&#8220;They are sometimes even stricter than the external regulators. It doesn&#8217;t exactly make the organisation more agile. Everyone wants to add their own layer of requirements.&#8221;<\/p>\n\n<p>The risk is what participants described as a false sense of security. Rundervoort illustrated this with the ransomware attack on Maastricht University, where all data was held hostage, leaving the organisation paralysed. &#8220;After the hack, the CIO said on TV that everything had been &#8216;reported as green.&#8217; That\u2019s all well and good, but it\u2019s useless in practice. I see the same in audits: they only check if something exists, not why it\u2019s there or if it actually works.&#8221;<\/p>\n\n<h2 class=\"wp-block-heading\">The chain extends beyond your own IT landscape<\/h2>\n\n<p>Digital resilience doesn&#8217;t stop at the office door. Insurers must manage their critical partners, but this responsibility weighs heavily on the rest of the chain, particularly smaller players.<\/p>\n\n<p>Take StichtingVbV, a joint initiative by Dutch non-life insurers that helps recover missing and stolen vehicles. The foundation itself does not fall under DORA, but it is a key partner to insurers that do. Project Leader Roelof Muis voices his concern: &#8220;Our fear is: how will insurers enforce their requirements on suppliers and third parties? If every partner starts imposing their own unique set of demands on us, it becomes unmanageable.&#8221;<\/p>\n\n<p>This is a significant hurdle for a small organisation without a dedicated compliance department. The challenges are already evident with the rollout of ISO 27001. &#8220;We are still in the phase of embedding basic behaviours, like remembering to lock your computer when you go to the toilet. 
For a large corporation, that\u2019s second nature; for us, it\u2019s still a transition.&#8221;<\/p>\n\n<p>Additionally, the organisation currently relies on numerous Excel spreadsheets, where a single change must be updated in eight different places. Muis is calling for standardisation: &#8220;We want to move away from this &#8216;Excel hell.&#8217; We need a single software solution that acts as a &#8216;golden source&#8217; of information.&#8221;<\/p>\n\n<h2 class=\"wp-block-heading\">Everybody wants to collaborate, but trust proves to be difficult<\/h2>\n\n<p>The challenges of DORA are universal. Almost all insurers are wrestling with the same questions: How do you label critical functions? How do you structure supplier management? How do you ensure contractual safeguards?<\/p>\n\n<p>This suggests a collective approach would be logical. While the Dutch Association of Insurers provides a standard DORA addendum, and experiences are shared via CIO platforms, each insurer still has to tailor these documents to their specific organisation. Furthermore, every insurer independently requests information from the same pool of suppliers.<\/p>\n\n<p>Previous attempts at centralisation have struggled. In 2024, Rundervoort initiated a shared register to divide the workload. The initial enthusiasm was high. A second session led to concrete plans: adapting the standard addendum for universal use and creating a joint supplier register with a generic questionnaire. Suppliers would only have to fill it in once for all participating insurers.<\/p>\n\n<p>&#8220;I updated the addendum, created the questionnaire, and sent it to everyone,&#8221; says Rundervoort. &#8220;The result? Stone-cold silence.&#8221; The initiative fizzled out, and everyone went back to reinventing the wheel. This wasn&#8217;t due to a lack of will, but a structural lack of trust, fuelled by personal liability at the board level. As Rundervoort summarises: &#8220;The crux is trust. 
If another insurer builds something for us collectively, but I am the one held accountable for it, I\u2019m still going to want to check it myself.&#8221;<\/p>\n\n<h2 class=\"wp-block-heading\">What does work: starting small with a concrete goal<\/h2>\n\n<p>The consensus at the table was that it is better to start small. Two parties tackling a specific project achieve results faster than a broad coalition trying to reach a consensus on high-level principles. In large groups, you often only agree on the basics, after which the details get bogged down in internal stakeholder management.<\/p>\n\n<p>According to Rundervoort, two ingredients are essential: a concrete use case and one party taking the lead. &#8220;In large groups, thirty people want to include their own &#8216;pet projects.&#8217; It becomes much more bloated than it needs to be.&#8221; ONVZ\u2019s approach proves that a focused, small-scale method works. Furthermore, a &#8220;quick win&#8221; is easier to report internally and builds an appetite for more.<\/p>\n\n<p>This lesson points to a broader truth: digital resilience is an ongoing process. It requires operational grip, knowing what is happening in the chain, who is responsible for what, and what the impact is if a link breaks.<\/p>\n\n<p>Marcel Schipper of MeasureWorks highlights this: &#8220;DORA demands operational control: knowing what\u2019s happening and knowing what to do when things go wrong. That doesn&#8217;t end with your own IT landscape; it includes the dependencies outside of it.&#8221;<\/p>\n\n<p>MeasureWorks addresses this through <a href=\"https:\/\/measureworks.nl\/en\/performance-solutions\/observability\/\">observability<\/a>: monitoring every link in the IT chain, technically, organisationally, and operationally. Who responds to an alert? What is the downtime impact? Does everyone know their role during an incident? 
&#8220;Only with this insight can you react quickly and limit disruption.&#8221; This level of insight will only become more critical with the upcoming AI Act, which places transparency and system controllability at its core.<\/p>\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/dorarondetafelmw-1024x683.jpg\" alt=\"\" class=\"wp-image-17242\" srcset=\"https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/dorarondetafelmw-1024x683.jpg 1024w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/dorarondetafelmw-300x200.jpg 300w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/dorarondetafelmw-768x512.jpg 768w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/dorarondetafelmw-1536x1024.jpg 1536w, https:\/\/measureworks.nl\/wp-content\/uploads\/2026\/04\/dorarondetafelmw-2048x1365.jpg 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n<h2 class=\"wp-block-heading\">Looking ahead post-DORA: operational control as destination<\/h2>\n\n<p>The roundtable made it clear that compliance is merely the starting point. The real value lies in turning regulations into actionable capability. Organisations that invest now in truly understanding their digital supply chain, not just documenting it, are building a foundation that will withstand future regulations.<\/p>\n\n<p>As Schipper puts it: &#8220;By gaining visibility into your supply chain and monitoring it continuously, you aren\u2019t just compliant; you prevent yourself from being caught off guard.&#8221;<\/p>\n\n<h2 class=\"wp-block-heading\">Want to discuss DORA?<\/h2>\n\n<p>Do you want DORA to contribute to your organisation\u2019s continuity? Or do you have questions about achieving full digital resilience? 
<a href=\"https:\/\/measureworks.nl\/en\/contact\/\">Feel free to contact our team for a chat.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One year of DORA. What have we learned? A year after the Digital Operational Resilience Act (DORA) officially came into force, the question for insurers is no longer if they are compliant, but what compliance looks like in practice. On 19 March 2026, CIOs and IT leaders from across the sector gathered for a roundtable [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":17236,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-17245","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-insights"],"acf":[],"_links":{"self":[{"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/posts\/17245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/comments?post=17245"}],"version-history":[{"count":1,"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/posts\/17245\/revisions"}],"predecessor-version":[{"id":17246,"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/posts\/17245\/revisions\/17246"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/media\/17236"}],"wp:attachment":[{"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/media?parent=17245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/measureworks.nl\/en\/wp-json\/wp\/v2\/categories?post=17245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/measureworks.nl\/en\
/wp-json\/wp\/v2\/tags?post=17245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}