
Regulatory frameworks

We operate a comprehensive compliance program that covers the regulatory frameworks, industry standards and best practices relevant to the insurance sector in the EU. It addresses data protection (GDPR), information security (ISO 27001), digital operational resilience (DORA) and AI regulation (EU AI Act).

Key Regulatory Frameworks

GDPR (General Data Protection Regulation)

Status: ✅ Fully compliant since 2018

Our Implementation

Governance

  • Data Protection Officer (DPO) appointed

  • Register of Processing Activities (ROPA) complete

  • Data Protection Impact Assessments (DPIAs) for high-risk processing

  • Privacy by Design & Default in all systems

Legal basis

  • Contractual necessity (primary)

  • Legitimate interest (security, fraud prevention)

  • Legal obligation (where required)

  • Consent (marketing, optional features)

Rights of Data Subjects

For the rights of data subjects, see Privacy & Data Processing.

Security

See Data security for technical measures.

Data Location

  • All data within the EU (Azure West Europe)

  • Backup within the EU (Azure North Europe)

  • No transfers outside the EU/EEA

Supervisory authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL)
Contact DPO: onesurance

DORA (Digital Operational Resilience Act)

Status: ✅ Compliant (effective January 2025)

As an ICT third-party service provider to insurers, we fall within the scope of DORA.

Five Pillars:

1. ICT Risk Management
Risk management framework, asset management, patch management (critical patches within 48 hours)

2. Incident Management & Reporting
4 severity levels, 24/7 monitoring, response within 15 minutes for P1 incidents, notification within 24 hours

3. Resilience Testing
Annual testing: vulnerability assessments, penetration testing, DR simulations, TLPT (2026)

4. Third-Party Risk Management
Vendor due diligence, SLAs, ongoing monitoring, exit strategies

5. Information Sharing
Threat intelligence, sector participation, vulnerability sharing

For more information, see also: Infrastructure, Incident Response, BC/DR, Suppliers

ISO 27001:2022 (Information security)

Status: 🔄 Certification Q1 2026

Information Security Management System (ISMS)

Scope: All 93 Annex A controls of ISO 27001:2022 implemented

Core components

  • Leadership commitment and security policy

  • Risk assessment following the ISO 27005 methodology

  • Security awareness training for all employees

  • Continuous security monitoring

  • Quarterly ISMS audits

  • Management reviews

4 Control Themes (93 controls):

  • ✅ Organizational controls (37)

  • ✅ People controls (8)

  • ✅ Physical controls (14)

  • ✅ Technological controls (34)

  • ✅ All 4 themes complete

Certification Timeline:

  • Q4 2024: Internal audit and gap analysis

  • Q1 2025: External pre-assessment

  • Q1 2026: Certification audit

EU AI Act

Status: ✅ Monitoring and preparation (implementation 2026)

Our AI Systems: Limited Risk / Minimal Risk

Compliance Measures

  • Risk assessment of all systems

  • Transparency: Clear AI disclosure

  • Human oversight: Human-in-the-loop design

  • Quality management: AI/ML model lifecycle

  • Bias monitoring and performance testing

  • Post-deployment monitoring

  • AI-specific incident procedures

Timeline

  • December 2024: Risk classification complete

  • 2025: Technical documentation

  • February 2025: Transparency compliance

  • August 2026: Full compliance with limited risk requirements

Security Frameworks & Best Practices

  • NIST Cybersecurity Framework - Status: ✅ Implemented (Implementation Tier 3: Repeatable)

  • CIS Controls v8 - Status: ✅ 18 Critical Security Controls implemented

  • OWASP Top 10 - Status: ✅ Mitigations implemented

Contact

Compliance questions
onesurance

Compliance Status Overview

Framework          Status            Details
GDPR               ✅ Compliant      Complete since 2018
DORA               ✅ Compliant      Effective January 2025
ISO 27001:2022     🔄 In Progress    Certification Q1 2026
EU AI Act          ✅ Monitoring     Implementation 2026
NIST CSF           ✅ Tier 3         Implemented
CIS Controls v8    ✅ 18/18          Complete
OWASP Top 10       ✅ Mitigated      All categories
SOC 2 Type II      🔄 Planned        H2 2026