
14 November 2025

Insurance sector and cybersecurity: IVASS publishes initial instructions for implementing DORA

Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), came into force on 17 January 2025, defining a new regulatory framework for digital operational resilience in the European financial sector. Insurance and reinsurance companies, and relevant intermediaries, are also subject to the new obligations.

To guide the Italian insurance market in implementing the new provisions, the Insurance Supervisory Authority (IVASS) published two Letters to the Market within a few weeks of each other.

  • The first regulates the reporting of serious cyber incidents and, on a voluntary basis, cyber threats.
  • The second introduces the periodic transmission of the register of information relating to ICT contracts.

These are two distinct but complementary requirements that usher in a new era of cyber supervision for the insurance sector.

IVASS's regulatory intervention on ICT incidents and contracts with third-party suppliers marks a first concrete step towards the operational implementation of DORA in the insurance sector. The new reporting requirements, which are highly structured and coordinated at European level, require a profound organisational and procedural review, especially for more complex groups. Data quality, timely communication, and robust internal accountability are the cornerstones of sustainable compliance and effective operational resilience over time.

Reporting cyber incidents and cyber threats

With Letter to the Market No. 4856/25 of 14 February 2025, IVASS provided the first operational guidelines for implementing Article 19 of DORA, concerning the reporting of serious cyber incidents and cyber threats by insurance and reinsurance companies and intermediaries relevant for DORA purposes.

The document incorporates the contents of the Delegated Regulation (EU) 2024/1772, which defines the thresholds and conditions for classifying an incident as “serious” and regulates the timing and content of reporting.

An incident is considered serious if it involves critical services referred to in Article 6 and meets at least one of the following conditions:

  • it involves unauthorised access to computer systems, pursuant to Article 9(5)(b); or
  • it exceeds at least two of the thresholds set out in paragraphs 1 to 6 of Article 9.

The notification process consists of three distinct phases:

  • Initial notification within 24 hours of identifying the incident.
  • Interim report within 72 hours of the initial notification (with any subsequent updates).
  • Final report within one month of sending the last interim update.

Communications must be sent via certified email to the addresses indicated by IVASS:

  • vigilanza.prudenziale@pec.ivass.it for insurance and reinsurance companies.
  • vigilanzacondottamercato@pec.ivass.it for insurance and reinsurance intermediaries and relevant ancillary intermediaries.

Attached to the Letter, IVASS has provided two templates: one for the mandatory reporting of serious incidents and one for the voluntary reporting of cyber threats deemed relevant pursuant to Article 19, paragraph 2 of DORA.

According to the Authority, these reports temporarily replace those provided for in Article 16 of IVASS Regulation No. 38/2018, pending the relevant update.

ICT contract register: Annual reporting obligation

With Letter to the Market No. 21517/25 of 7 March 2025, IVASS implemented the obligations provided for in Article 28 of DORA, introducing the transmission of the register of information on contractual agreements entered into with third-party ICT service providers for supervised companies. The obligation applies to all insurance and reinsurance companies with registered offices in Italy, representatives of non-EEA companies operating in Italy, and insurance and reinsurance intermediaries relevant for DORA purposes, in accordance with the size criteria set out in Article 2 of the Regulation.

The register must be maintained and updated at entity level, on an individual, sub-consolidated, and consolidated basis. The minimum content of the register – to be communicated to IVASS at least annually – includes:

  • the number of ICT contractual agreements entered into during the reference period;
  • the categories of third-party providers involved;
  • the types of contracts adopted; and
  • the ICT functions and services acquired.

The structure, record formats and compilation criteria follow the specifications defined by the European Banking Authority and by the Decision of the European Supervisory Authorities of 8 November 2024. For financial groups subject to consolidated supervision in the EU, the report must be submitted at the parent company level. In the absence of a parent company established in the EU, the obligation applies at the individual level.

The transmission must be made through the Infostat platform, using the new “DORA – Information Register” survey, available to users authorised to manage IVASS reports. The file to be transmitted must be compressed in .zip format and contain:

  • 15 tables in .csv format relating to the contents of the register;
  • technical support files (reportPackage.json, FilingIndicators.csv, parameters.csv, report.json) according to the taxonomy published by the EBA.

The naming of the zip archive and the structure of the internal directories must strictly comply with the standards defined in the IVASS and EBA operational documents. A “diagnostic” function is provided for the preliminary verification of the quality and formal consistency of the data before final submission.
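As an added illustration of the kind of preliminary check that the package structure above invites (this is example code written for this article, not IVASS's diagnostic function or anything from the EBA taxonomy), the following Python script builds a constructed .zip archive in memory and verifies that it contains the four support files named in the Letter, that the two JSON files parse, and that exactly 15 further .csv tables are present with a header row and a consistent number of fields on every line. The table names (table_01.csv and so on) and all file contents are placeholders; the real table names, the archive naming rule and the directory layout come from the IVASS and EBA operational documents and are not checked here.

```python
import csv
import io
import json
import zipfile

# Support files named in the IVASS letter. Two of them are .csv files, so they
# must be excluded when counting the 15 register tables.
SUPPORT_FILES = {"reportPackage.json", "FilingIndicators.csv", "parameters.csv", "report.json"}
EXPECTED_TABLE_COUNT = 15


def check_package(zip_bytes: bytes) -> list[str]:
    """Preliminary structural check of a submission archive.

    Returns a list of findings; an empty list means every check passed.
    The letter does not spell out the internal directory layout, so only
    file basenames are examined here (assumption of this example).
    """
    findings: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["archive is not a valid .zip file"]

    members: dict[str, bytes] = {}
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            members[base] = archive.read(info)

    # 1. Every support file must be present.
    for name in sorted(SUPPORT_FILES - set(members)):
        findings.append(f"missing support file: {name}")

    # 2. The JSON support files must at least be well-formed.
    for name in ("reportPackage.json", "report.json"):
        if name in members:
            try:
                json.loads(members[name].decode("utf-8"))
            except (UnicodeDecodeError, json.JSONDecodeError) as exc:
                findings.append(f"{name} is not valid JSON: {exc}")

    # 3. Exactly 15 register tables, each with a header and consistent width.
    tables = {n: b for n, b in members.items() if n.endswith(".csv") and n not in SUPPORT_FILES}
    if len(tables) != EXPECTED_TABLE_COUNT:
        findings.append(f"expected {EXPECTED_TABLE_COUNT} register tables, found {len(tables)}")

    for name, data in sorted(tables.items()):
        rows = list(csv.reader(io.StringIO(data.decode("utf-8"))))
        if not rows or not rows[0]:
            findings.append(f"{name}: empty or missing header row")
            continue
        width = len(rows[0])
        for line_no, row in enumerate(rows[1:], start=2):
            if len(row) != width:
                findings.append(f"{name}: line {line_no} has {len(row)} fields, header has {width}")
    return findings


def build_sample_package(table_count: int = EXPECTED_TABLE_COUNT, corrupt_last: bool = False) -> bytes:
    """Construct a toy archive in memory for testing the checker.

    Table names and all contents are placeholders invented for this example;
    they do not follow the EBA taxonomy.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("reportPackage.json", json.dumps({"entity": "PLACEHOLDER-ENTITY"}))
        z.writestr("report.json", json.dumps({"referencePeriod": "PLACEHOLDER"}))
        z.writestr("FilingIndicators.csv", "templateId,filed\nPLACEHOLDER-TEMPLATE,true\n")
        z.writestr("parameters.csv", "name,value\nPLACEHOLDER-PARAM,1\n")
        for i in range(1, table_count + 1):
            body = "contract_id,provider\nC-001,PLACEHOLDER-PROVIDER\n"
            if corrupt_last and i == table_count:
                # One data row with an extra field: a formal inconsistency.
                body = "contract_id,provider\nC-001,PLACEHOLDER-PROVIDER,extra\n"
            z.writestr(f"table_{i:02d}.csv", body)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean package:", check_package(build_sample_package()))
    print("broken package:", check_package(build_sample_package(corrupt_last=True)))
```

Running a check like this before uploading catches the formal problems (missing support file, malformed JSON, wrong table count, ragged CSV rows) that would otherwise only surface in the platform's diagnostic step; it says nothing about whether the register's contents are complete or accurate, which remains the entity's responsibility.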
