AdInsure Embeds DORA Compliance for Improved Resilience and Competitive Benefits

It has been a tough couple of years for resilience. Since 2020, the European Union has seen the COVID-19 pandemic, supply shortages, military conflicts, and a surge in the number of cyber threats and high-profile cyber incidents. All have sent a clear message that climate, defense, energy, and cyber resilience need to be improved.

The need for digital resilience is undeniable as the global economy, and financial services in particular, become increasingly digital. In a recent financial sector stability report, the IMF noted the increased risk of extreme loss from major ICT-related incidents that could “cause funding problems and even jeopardize solvency”. According to its data, extreme losses have quadrupled since 2017 to USD 2.5 billion, and this does not even count indirect losses such as damage to reputation.

The IMF warns that while incidents have not been systemic thus far, major attacks on financial institutions could spill over into other industries and undermine confidence. Current trends are not encouraging either: there are signs that even though larger companies are improving their resilience, it is declining among SMEs.

All of this was considered by the competent authorities as they looked to reduce systemic risk.

DORA: A strategic approach to building European resilience

The Digital Operational Resilience Act or DORA emerged as a continent-wide response to these threats to financial and economic stability and seeks to balance consumer protection with technological development.

DORA is a comprehensive risk management framework designed to strengthen the operational resilience of the entire European financial sector while harmonizing the patchwork of national regulations that are difficult for companies to navigate and comply with.

The overarching goal is to safeguard financial institutions and minimize systemic risk. As such, it is the next step in EU’s efforts to protect sensitive customer data and ensure the continuity of essential financial services. 

Who is required to comply with DORA?

In addition to the financial service industry, DORA’s scope covers ICT third-party service providers that supply solutions, cloud services and other resources, if they are deemed critical. 

The list is long and thorough, essentially including all financial entities, such as banks, insurance companies, credit institutions, investment firms and crypto-asset service providers. DORA outlines several criteria for identifying critical ICT third-party service providers. Some of the most common factors include dependency on the service, the impact of disruptions, regulatory requirements, the sensitivity of the data handled and the importance of the service for business continuity.

At Adacta, we have witnessed the impact of DORA firsthand. Modern core platforms, such as AdInsure, have emerged as primary targets of DORA-related requirements on the one hand and as a key tool for ensuring regulatory compliance in insurance on the other. After all, essential functions of core systems are critical to keeping operations going in the event of a cyber-attack or failure. This is why it is crucial to have compliance embedded directly into software solutions.

What is the scope of DORA?

The scope of DORA requirements is comprehensive, and we can divide them into four major categories:

  • ICT risk management and governance: Financial entities must identify, manage and mitigate ICT risks, which requires comprehensive risk assessments, implementation of cybersecurity measures, and backup and disaster recovery plans.
  • Incident reporting: Financial entities need to monitor, manage and report ICT-related incidents and notify stakeholders and financial regulators.
  • Digital operational resilience testing: ICT systems must pass rigorous tests that include regular vulnerability assessments and threat-led penetration testing.
  • ICT third-party risk management: DORA compliance requires careful management of risks associated with third parties. This means contractual arrangements covering resilience and security, and mapping of dependencies.

While most financial services organizations are already subject to some form of cyber risk and resilience requirements, DORA expands the scope and harmonizes rules among EU countries with the goal of improving the security and stability of the financial system.

Embedding DORA compliance into software

Compliance with regulations for the insurance industry is key for building customer trust and minimizing operational risks. Adacta responded by embedding compliance across all dimensions of its AdInsure core system and operations.

Compliance begins even before the first line of code is written. Adacta fosters a compliance culture and has implemented standards such as ISO 9001:2015 and ISO/IEC 27001:2022 to support secure development practices that prioritize resilience.

The goal is to have compliance considerations embedded into every aspect of software development – from the earliest stages of designing the architecture, through testing and incident reporting, to making sure that any third-party libraries or components are not vulnerable and do not pose security risks.

To ensure the highest level of AdInsure security, Adacta relies on the OWASP ASVS (Application Security Verification Standard) framework, an open and community-led standard that defines requirements for truly secure and resilient software solutions.

Let’s look at what is required to ensure compliance.

Secure and compliant software architecture. Compliance begins with software design, and the AdInsure architecture prioritizes security, resilience and compliance. It provides strong encryption and secure access control based on industry-standard identity technology that supports multiple authentication methods. To meet the incident reporting requirements of DORA, AdInsure includes comprehensive logging, continuous monitoring, metrics and event tracing to enrich incident data and streamline the entire reporting process.

Integrating compliance into software development. To make sure AdInsure remains fully compliant, compliance is deeply integrated into the software development lifecycle (SDLC). Agile engineering practices ensure compliance updates are implemented quickly and all versions and updates are tested thoroughly to identify and address any compliance concerns.

Cultivating a culture of compliance and resilience. Compliance is not just a technology issue. Instead, it is an issue of company culture. Adacta embeds compliance across all levels of the organization by implementing ISO/IEC 27001 standard recommendations, a comprehensive internal governance framework, and training for all employees.

Ensuring third-party compliance. DORA recognizes that third parties increasingly play a significant role in operational resilience and requires them to adhere to the same standards. Adacta regularly analyzes third-party libraries for vulnerabilities and performs due diligence reviews to assess their DORA compliance.

By applying standards-based best practices, Adacta has developed the operational resilience capabilities in AdInsure that protect business operations of its clients against existing and potential risks.

A community-driven framework for secure development


The OWASP Application Security Verification Standard (ASVS) is a framework developed by the Open Worldwide Application Security Project (OWASP) that provides a comprehensive set of security requirements for verifying the security of web applications. ASVS defines three verification levels, with Level 3 containing the most stringent requirements for critical applications (e.g., military, banking). This level requires a thorough analysis of coding practices and system architecture and offers the highest assurance of security.

The OWASP Application Security Verification Standard (ASVS) covers a comprehensive range of security requirements designed to verify the security of web applications. Key areas include authentication, which focuses on secure login processes and multi-factor authentication; session management, addressing session expiration and fixation; and access control, ensuring users can only access authorized resources. It also emphasizes data protection through encryption, input validation to prevent injection attacks, and error handling to avoid revealing sensitive information. Additional areas include configuration management, API security, security testing, and threat modeling.
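The session management, error handling and logging points above are easier to see in code. The following is an added illustration written for this article, not AdInsure code or an OWASP artifact: an in-memory session store that enforces an idle timeout and an absolute lifetime and rotates the session id at login (the ASVS fixation and expiration requirements), plus an error handler that returns only a generic message to the client while writing the exception type and a correlation id to a structured log, which is the kind of enriched incident record the logging paragraph earlier describes. The timeout values, the logger name and the user names are assumptions made for the example.

```python
import logging
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed example of two ASVS control areas (session management and
# error handling). Timeout values are assumed policy settings, not AdInsure's.
SESSION_IDLE_TIMEOUT_S = 15 * 60        # idle (inactivity) timeout
SESSION_ABSOLUTE_TIMEOUT_S = 8 * 3600   # absolute lifetime cap, regardless of activity

log = logging.getLogger("session_example")  # hypothetical logger name


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    authenticated: bool = False


class SessionStore:
    """In-memory session store; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: dict = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: session ids must be unguessable
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Anonymous (pre-login) session."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user="", created_at=now, last_seen=now)
        return sid

    def login(self, sid: str, user: str) -> str:
        """On authentication, discard the pre-login id and issue a fresh one, so an
        id planted before login (session fixation) never becomes an authenticated session."""
        self._sessions.pop(sid, None)
        now = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, created_at=now, last_seen=now, authenticated=True)
        return new_sid

    def validate(self, sid: str) -> Optional[Session]:
        """Return the live session or None; expired sessions are purged on the spot."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s.created_at > SESSION_ABSOLUTE_TIMEOUT_S
                or now - s.last_seen > SESSION_IDLE_TIMEOUT_S):
            del self._sessions[sid]
            log.info("session expired", extra={"event": "session_expired", "user": s.user})
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def handle_error(exc: Exception, sid: Optional[str] = None) -> dict:
    """The client gets a generic message plus a correlation id; the exception type
    and stack go only to the structured log, where incident responders can join
    the client-reported id to the server-side record."""
    correlation_id = secrets.token_hex(8)
    log.error(
        "request failed",
        exc_info=exc,
        extra={"event": "request_error", "correlation_id": correlation_id,
               "error_type": type(exc).__name__,
               "session_prefix": sid[:8] if sid else None},
    )
    return {"error": "An internal error occurred.", "correlation_id": correlation_id}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    store = SessionStore()
    anon = store.create()
    auth = store.login(anon, "agent.smith")  # constructed user name
    print("pre-login id still valid?", store.validate(anon) is not None)
    print("post-login user:", store.validate(auth).user)
    print(handle_error(ValueError("policy 12345 not found in table X"), auth))
```

The injectable clock is what makes the expiry rules verifiable in a unit test without sleeping; the same pattern lets a resilience test suite prove the absolute timeout fires even for a session that is continuously active.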

By implementing the OWASP ASVS, Adacta delivers on security in AdInsure by ensuring that security considerations are integrated throughout the application development process. By following the ASVS guidelines, Adacta has reduced the risk of vulnerabilities, enhanced its security practices and improved the resilience of AdInsure.

Strategic Benefits of Embedded DORA Compliance

Compliance is not just about checking items off a long list of regulatory requirements, and it is about more than reducing legal risk or even improving overall resilience. It is about leveraging compliance to gain a competitive edge in an increasingly challenging security landscape. Having DORA compliance embedded directly into the core insurance system brings several benefits to insurers:

Reduced complexity and improved cost efficiency: Once the required controls and protocols are integrated directly into software workflows, compliance becomes a much simpler and more cost-effective process.

Competitive edge: Compliance has evolved into a value proposition that signals to customers that an insurer is committed to reliability, security and operational excellence that protects customers, their data and their assets.

Operational resilience: Core systems with embedded compliance provide effective tools for identifying, managing and mitigating risks as well as rapidly responding to any incidents that do occur.

Future-proof software: The world of regulations is in constant flux and having software that has compliance embedded makes it much easier to update when compliance requirements change. Insurers can also focus on innovation more confidently if they know they can rapidly ensure compliance of new products and technologies.

Implementing and Managing DORA compliance in a core system

Adacta wants to make sure AdInsure, its flagship core insurance system solution, is robust and resilient enough to withstand everything the shifting threat environment throws at it. Adacta has established practices and technologies that support its efforts to continuously innovate while ensuring compliance.

DevOps practices: DORA requirements change constantly and DevOps practices allow Adacta to incrementally update software with minimal disruption to operations. Updates are deployed automatically and rapidly so insurers are always compliant.

ICT third-party risk management: As noted above, Adacta reviews third-party code to ensure compliance. This diligence is extended to ICT third-party providers and service partners, such as cloud service providers. Adacta has established relationships to plan and perform resilience testing to ensure third-party components do not affect AdInsure operations.

Regular audits and improvements: Regular audits provide feedback that allows Adacta to continuously refine development, deployment, risk management and operational practices. This feedback loop ensures long-term improvements in AdInsure software and enhanced resilience.

Leveraging the cloud: Cloud platforms are used to deliver extra performance during peak demand periods for scalability as well as disaster recovery and backup capabilities to improve resilience and reduce costs.

Looking to the future

Compliance is a moving target because the regulatory landscape is constantly changing. To mitigate the related risks, companies should be proactive and address compliance issues head on and in advance. After all, average non-compliance costs are estimated to be in the millions, and compliance issues are extremely difficult to fix after the fact.

Adacta designs its systems to be future-proof both in terms of technology as well as compliance. This ensures that its clients are able to stay ahead of emerging threats and evolve their core systems with their needs. 

Modular and Extensible Architectures: AdInsure functionalities can be extended and modified when new business models emerge.

AI compliance features: AI and machine learning features in AdInsure improve operational efficiency and are used for predictive analytics, risk assessment, and compliance monitoring.

Continuous learning and development: Compliance never stands still and Adacta fosters a culture of continuous learning and development within IT teams, encouraging them to keep up with the latest software development practices, compliance strategies, and cybersecurity technologies.

Operations in modern insurance companies are fundamentally intertwined with core systems. Put simply, if the core system goes down, so do the company’s operations. This makes operational resilience much more than simply another buzzword.

Operational resilience is a comprehensive concept that encompasses every aspect of the digital ecosystem. CIOs need to take it seriously and proactively choose the right software as well as adopt the compliance-focused culture of continuous learning and adaptation.

The path to DORA compliance is not a simple one. However, this regulatory obligation can lead to trust and loyalty among customers and an improved competitive position that is less vulnerable to progressively more advanced threats. The journey is ongoing, and the rewards are significant for those who approach it with foresight, agility and a commitment to excellence.
