From risk to resilience: How GDPR and DORA can make your insurance company cyber secure
Those who invest now in resilience and secure processes will gain more than just compliance – they’ll secure real added value and long-term competitiveness. Why? Find out here.

A single wrong click in your inbox. An unsecured file transfer. And suddenly, your entire business operations come to a standstill. What sounds like a worst-case scenario has already become reality for many companies – cyberattacks on insurance providers are on the rise. According to the BSI’s 2024 report on the state of IT security in Germany, the number of reported IT security incidents in the financial and insurance sectors doubled compared to the previous year. The industry is now among the most frequently targeted.
It’s hardly surprising: insurers handle particularly sensitive data every day – from health and payment information to claims records. At the same time, regulatory pressure is mounting. With the EU’s Digital Operational Resilience Act (DORA) and the already applicable General Data Protection Regulation (GDPR), insurance companies must both protect their IT infrastructure and demonstrate compliance. The goal: move away from crisis mode and towards genuine resilience.
In this article, we explain what DORA entails, where insurers often struggle in practice – and how regulatory obligations can become a true competitive advantage.
DORA & GDPR: What insurers are expected to deliver
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) obliges financial entities across the EU, insurers included, to manage the risks of their information and communication technology (ICT) and to keep their digital operations resilient against disruption, including cyberattacks.
DORA entered into force in January 2023 and has applied since 17 January 2025. Its requirements fall into five pillars:
ICT risk management and governance: a documented framework covering identification, protection, detection, response and recovery. The management body bears ultimate responsibility for it, must approve and regularly review it, and must assign clear roles for cybersecurity and crisis response.
Incident management and reporting: major ICT-related incidents must be classified and reported to the competent authority in stages: an initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month.
Third-party risk management: ICT providers must be bound by contracts containing the clauses DORA prescribes (service levels, audit and access rights, exit strategies), recorded in a register of information, and actively monitored; critical ICT third-party providers fall under an EU oversight framework.
Resilience testing: a testing programme with at least annual tests of ICT systems supporting critical or important functions, plus threat-led penetration testing (TLPT) at least every three years for entities designated by their competent authority.
Information sharing: voluntary arrangements for exchanging cyber threat intelligence with other financial entities.

The scope is broad: DORA applies not only to banks and investment firms but explicitly to insurance and reinsurance undertakings and to insurance intermediaries (micro and small intermediaries are exempt), and its oversight framework reaches the ICT service providers they depend on. Interfaces, cloud platforms and the digital exchange of data in insurance operations are therefore especially in focus.
In parallel, the GDPR requires appropriate technical and organisational measures for personal data (Art. 32), which for insurers in practice means data minimisation, encryption of data in transit and at rest, and documented retention and deletion periods. GDPR is particularly relevant for insurers because they process health data, a special category of personal data under Art. 9, alongside financial and claims-related information every day.
DORA and insurers: Where implementation often falls short
In theory, the requirements are clear, but practical implementation often isn't. Since DORA became applicable in January 2025, it has become evident that many insurers underestimated the requirements or reacted too late.
Common stumbling blocks include:
Unclear or missing reporting procedures: a major incident must be classified, notified within 24 hours of becoming aware of it (and within four hours of classification), and followed up with intermediate and final reports. That cadence is hard to meet without automated detection, an agreed classification workflow and a prepared reporting template with named owners.
Underestimated third-party IT risks: Many insurers still rely on their service providers’ own diligence – without conducting regular audits or defining security standards in contracts. However, legal responsibility remains with the insurer.
Untested emergency plans: resilience tests are mandatory, but they are often limited to paper exercises. If runbooks, contact lists and emergency credentials exist only on the systems that have failed, or if backups have never actually been restored, communication and recovery break down in a real crisis.
Complexity due to duplicate structures: in many companies DORA has not yet been mapped onto existing frameworks such as ISO 27001, BaFin's VAIT or NIS2 (for financial entities DORA takes precedence over NIS2 as the more specific regulation), leading to unnecessary redundancies in controls and documentation.
Outdated transfer methods: unencrypted email attachments, plain FTP, publicly shared cloud folders or manual transfers on removable media are still widespread, yet they offer neither confidentiality nor an audit trail and no longer meet modern security standards.
Additionally, there is often a lack of employee awareness: even the best systems are ineffective without proper training and clearly defined responsibilities. Compliance starts with day-to-day data handling.

Compliance in insurance: From burden to business advantage
Many insurers still view regulations such as DORA and GDPR as a necessary evil – a source of extra bureaucracy, effort, and cost. Smaller providers in particular often wonder: how can we meet all the requirements without paralysing day-to-day operations?
But these regulations offer much more if approached correctly: they provide an opportunity to minimise IT risks, streamline processes – and improve market positioning in the long term.
Customers, business partners and regulators expect security, transparency and reliability. Those who can demonstrate a GDPR- and DORA-compliant infrastructure build trust in their brand.
Compliance also boosts efficiency: automated incident reporting, structured data exchange and audit-proof documentation save time and reduce errors. In times of limited resources, that’s a real advantage.
When implemented correctly, compliance with DORA and GDPR delivers:
More stable operations – through structured workflows, clearly defined reporting channels and systematic security reviews.
Greater data security – through targeted risk assessments, access controls, and automated deletion processes.
Less workload – through automation and platform-based solutions that ease pressure on internal teams.
Improved customer satisfaction – those who protect sensitive data and act transparently earn trust and strengthen customer loyalty.
Stronger market position – in tenders and partnerships, compliance is increasingly seen as a key asset.
In short: compliance is evolving from a cost centre into a hallmark of quality. Insurers already implementing frameworks like VAIT or ISO 27001 can build synergies instead of duplicating structures.
The key: Secure, automated data exchange
One particularly critical area is data exchange, whether with clients, partners or authorities. If you're still relying on unencrypted email, plain FTP servers or cloud services that do not meet GDPR requirements, you're walking a thin line.
Insurers must ensure that sensitive information – such as claims files, health data or payment details – is transferred in an end-to-end encrypted, auditable, and compliant manner.
That’s why secure data exchange is central to resilience and compliance in insurance. Modern platform solutions like FTAPI deliver just that – with end-to-end encryption, protected data rooms and audit-proof documentation. Developed and hosted in Germany, certified to ISO 27001 and BSI C5 standards. Plus, it can be easily integrated into existing workflows – no major IT projects required.
Secure data exchange starts here.
Test FTAPI and protect sensitive insurance data with encrypted emails and secure virtual data rooms.
Conclusion: Take action now – reap long-term rewards
In summary: cyber resilience is no longer optional – it’s mandatory. Insurers must protect their IT infrastructure and actively safeguard their processes against threats and regulatory risks. DORA and GDPR provide the framework – but it’s up to companies to act.
Those who invest now in resilience and secure processes will gain more than just compliance – they’ll secure real added value and long-term competitiveness.