Insurers today face a dual exposure to cyber risk, as both targets of cyber threats and providers of cyber coverage. With the rise of digitalisation, the insurance sector must navigate an increasingly complex landscape of diverse cyber risks, including malicious attacks and non-malicious incidents that can result in significant financial losses. Regulatory frameworks such as the Digital Operational Resilience Act (DORA) add a further layer of compliance obligations on the one hand, while on the other offering a structured approach to managing cyber risk. In this paper, we show that DORA can serve as a valuable guide in the field of cyber insurance, extending beyond the financial sector. We first describe the cyber insurance market, then discuss the following topics with regard to using DORA as a risk mitigation instrument:
- Information and communication technology (ICT)
- Incident management
- Testing of digital operational resilience, including threat-led penetration testing (TLPT)
- Management of ICT third-party provider risk and monitoring framework for critical third-party providers
- Information sharing on cyber risks and critical incidents