
Regulatory frameworks

GDPR: Compliant
DORA: Compliant
ISO 27001: Q1 2026

Key security principles at Onesurance

End-to-end encryption for all data in transit and at rest

Multi-factor authentication required for all users

24/7 security monitoring with automated incident detection

Data residency within the EU (Azure West Europe)

ISO 27001 certification in preparation (target Q1 2026)


Certifications and Standards

Onesurance adheres to the highest security and compliance standards in the financial sector. Below you will find an overview of our current certifications and roadmap.


TRUST CENTER - REGULATORY FRAMEWORKS

Onesurance & Security Frameworks
Last updated: December 2024

Overview

At Onesurance, we have implemented a comprehensive compliance program that encompasses multiple regulatory frameworks, industry standards, and best practices relevant to the insurance sector in the European Union. Our multi-layered approach ensures that we comply with the stringent requirements of data protection legislation (GDPR), information security standards (ISO 27001), operational resilience (DORA), and emerging AI regulations (EU AI Act), while following recognized security frameworks and best practices.

Key Regulatory Frameworks

GDPR (General Data Protection Regulation)

Status: ✅ Fully compliant since 2018

Scope:
The GDPR is the primary privacy legislation in the EU and applies to all processing of personal data of EU citizens.

Our Implementation:

Governance & Accountability
• Data Protection Officer (DPO): Appointed and active
• Contact DPO: onesurance
• Register of Processing Activities (ROPA): Fully maintained
• Data Protection Impact Assessments (DPIAs): For high-risk processing
• Privacy by Design & Default: Built into all systems

Legal basis for processing
• Contractual necessity: Primary legal basis for customer data
• Legitimate interest: For security, fraud prevention, improvements
• Legal obligation: Where required by law (tax, etc.)
• Consent: For marketing and optional features

Rights of Data Subjects
• Access (Art. 15): Response within 1 month
• Rectification (Art. 16): Immediate correction possible
• Erasure (Art. 17): Within 1 month, with exceptions
• Restriction (Art. 18): Technical blocking possible
• Data portability (Art. 20): Structured exports available
• Objection (Art. 21): Balancing test performed
• Automated decision-making (Art. 22): Human-in-the-loop required

Security Measures
• Encryption: AES-256 at rest, TLS 1.3 in transit
• Access control: RBAC, MFA, least privilege
• Pseudonymisation: Applied where possible
• Backups: Encrypted, tested, geo-redundant (within the EU)
• Incident response: 24/7 monitoring, breach notification within 72h

International Transfers
• Primary: All data within the EU (Azure West Europe)
• Backup: Azure North Europe (within the EU)
• No transfers: Outside the EU/EEA without explicit consent
• Safeguards: EU SCCs if future transfer is necessary

Accountability
• Documentation: Comprehensive, auditable
• Training: Mandatory for all employees
• Audits: Internal audits on a quarterly basis
• Supervisory authority: Dutch Data Protection Authority (NL)

Compliance Evidence:

  • ROPA fully documented

  • DPIAs performed for AI models

  • DPO (FG) active and available

  • Incident response procedures tested

  • Employee training completion: 100%

See also: Template 04 (Privacy & Data Processing)

DORA (Digital Operational Resilience Act)

Status: ✅ Compliant with applicable requirements (effective January 2025)

Scope:
DORA applies to financial entities (including insurers) and their critical ICT service providers. As a SaaS provider for insurers, we are subject to these regulations.

Five Pillars:

1. ICT Risk Management (Art. 6-16)
• Framework: Comprehensive ICT risk management framework
• Risk assessments: Annually and upon significant changes
• Asset management: Complete inventory of ICT assets
• Change management: Controlled change procedures
• Patch management: <48h for critical, <72h for high
• Network security: Segmentation, firewalls, monitoring

2. Incident Management & Reporting (Art. 17-23)
• Classification: 4 severity levels (P1-P4)
• Detection: 24/7 monitoring, automated alerts
• Response: <15 min for P1, defined procedures
• Register: ICT incident log maintained
• Reporting:

  • Significant incidents: Initial notification within 24 hours

  • Major incidents: Immediate notification

  • Regulator: Per DORA requirements

• Root cause: Analysis for all P1/P2 incidents

3. Resilience Testing (Art. 24-27)
• Frequency: Annual comprehensive resilience testing
• Types:

  • Vulnerability assessments: Weekly automated

  • Penetration testing: Annual external

  • Scenario-based testing: Semi-annual DR tests

  • Red team testing: Annual (planned)

• Documentation: All test results logged
• Remediation: Action plans for identified gaps
• TLPT: Threat-Led Penetration Testing (planned for 2026)

4. Third-Party Risk Management (Art. 28-30)
• Due diligence: All ICT service providers assessed
• Contracts: Service level agreements with availability targets
• Register: Maintained list of ICT third-party providers
• Monitoring: Ongoing vendor performance tracking
• Concentration risk: Assessed (primary: Microsoft Azure)
• Exit strategies: Documented for critical vendors
• Subprocessors: Full transparency (see Template 08)

5. Information Sharing (Art. 45)
• Threat intelligence: Monitoring of industry threats
• Sector participation: Member of insurance sector groups
• Vulnerability sharing: Contributing to collective defense
• Confidentiality: Proper handling of sensitive info

Compliance Evidence:

  • ICT risk register maintained

  • Annual resilience tests completed

  • Incident reporting procedures established

  • Third-party risk assessments current

  • Threat intelligence integration active

See also:

  • Template 05 (Infrastructure)

  • Template 06 (Incident Response)

  • Template 07 (Business Continuity)

ISO 27001:2022 (Information security)

Status: 🔄 Implementation complete, certification Q1 2026

Scope:
ISO 27001 is the international standard for Information Security Management Systems (ISMS). We have implemented all 114 controls.

ISMS Components:

Leadership & Governance
• Management commitment: Executive sponsorship
• Security policy: Comprehensive, annually reviewed
• Roles & responsibilities: Clearly defined
• Resources: Adequate budget and personnel
• Communication: Regular security updates

Planning
• Risk assessment: ISO 27005 methodology
• Risk treatment: All risks addressed (accept/mitigate/transfer/avoid)
• Objectives: SMART security objectives defined
• Metrics: KPIs tracked and reported

Support
• Competence: Training programs, certifications
• Awareness: Security awareness for all employees
• Communication: Internal and external channels
• Documentation: Comprehensive, version controlled
• Operational control: Documented procedures

Operation
• Operational planning: Security integrated in all processes
• Risk assessment: Regular execution
• Risk treatment: Implementation and monitoring
• Performance evaluation: Regular reviews

Performance Evaluation
• Monitoring: Continuous security monitoring
• Internal audits: Quarterly ISMS audits
• Management review: Quarterly meetings
• Metrics: Security KPIs tracked

Improvement
• Nonconformities: Tracked and resolved
• Corrective actions: Root cause analysis
• Continuous improvement: Kaizen approach
• Innovation: Regular evaluation of new technologies

114 Controls Implemented (14 Annex A Categories):

  1. ✅ Organizational controls (37)

  2. ✅ People controls (8)

  3. ✅ Physical controls (14)

  4. ✅ Technological controls (34)

  5. ✅ [All 14 categories completed]

Certification Timeline:

  • Q4 2024: Internal audit and gap analysis

  • Q1 2025: External pre-assessment

  • Q1 2026: Stage 1 and Stage 2 certification audit

  • Q1 2026: ISO 27001:2022 certificate issued

Compliance Evidence:

  • Statement of Applicability (SoA) completed

  • All 114 controls documented

  • Internal audit program active

  • Management reviews quarterly

  • Risk treatment plan current

See also: Template 03 (Data security)

EU AI Act

Status: ✅ Monitoring and preparation (implementation 2026)

Scope:
The EU AI Act regulates AI systems based on risk. Our systems are classified as Limited Risk or Minimal Risk.

Our AI Systems:

Churn Prediction Model
• Risk level: Limited risk
• Purpose: Predicting customer retention
• Transparency: Users informed of AI usage
• Human oversight: Predictions reviewed by underwriters
• Accuracy: Regularly evaluated and improved
• Bias: Monitored for unfair discrimination
• Documentation: Model cards maintained

Customer Lifetime Value (CLV)
• Risk level: Minimal risk
• Purpose: Customer value calculations
• Usage: Strategic planning, non-automated decisions
• Transparency: Clear communication
• Documentation: Methodology documented

Next Best Product (NBP)
• Risk level: Limited risk
• Purpose: Product recommendation engine
• Human oversight: Recommendations reviewed
• Explainability: Reasoning can be explained
• Bias monitoring: Regular fairness assessments
• Opt-out: Users can disable recommendations

Defend Agent (Conversational AI)
• Risk level: Limited risk
• Purpose: Customer service automation
• Human handoff: Always available
• Transparency: Users know they're talking to AI
• Training data: Carefully curated
• Monitoring: Conversations logged and reviewed
• Escalation: Complex cases to humans

Compliance Measures:
• Risk assessment: All systems classified
• Transparency: Clear AI disclosure
• Human oversight: Human-in-the-loop design
• Documentation: Comprehensive AI documentation
• Quality management: AI/ML model lifecycle
• Training data: Data governance procedures
• Testing: Bias and performance testing
• Monitoring: Post-deployment monitoring
• Incident response: AI-specific procedures

Compliance Timeline:
• December 2024: Risk classification completed
• 2025: Technical documentation completed
• February 2025: Compliance with transparency obligations
• August 2026: Full compliance with limited risk requirements

Compliance Evidence:

  • AI system inventory maintained

  • Risk assessments completed

  • Transparency notices implemented

  • Human oversight procedures documented

  • Bias monitoring program active

Security Frameworks & Best Practices

NIST Cybersecurity Framework

Status: ✅ Implemented (Maturity Tier 3)

Five Functions:

1. Identify
• Asset management: Full ICT inventory
• Business environment: Context understood
• Governance: Policies and procedures
• Risk assessment: Regular assessments
• Risk management strategy: Defined approach

2. Protect
• Access control: RBAC, MFA, least privilege
• Awareness & training: Ongoing programs
• Data security: Encryption, DLP, backups
• Info protection: Classification and handling
• Maintenance: Patch management, hardening
• Protective technology: Firewalls, antivirus, IDS/IPS

3. Detect
• Anomalies & events: SIEM monitoring
• Continuous monitoring: 24/7 SOC
• Detection processes: Defined and tested

4. Respond
• Response planning: Incident response plan
• Communications: Stakeholder notification
• Analysis: Root cause, impact assessment
• Mitigation: Containment procedures
• Improvements: Post-incident reviews

5. Recovery
• Recovery planning: Business continuity plan
• Improvements: Lessons learned
• Communications: Stakeholder updates

Maturity: Tier 3 - Repeatable, Adaptable
• Risk-informed
• Integrated into business
• Cyber risk assessed regularly
• Policies and procedures formalized
• Consistent implementation

CIS Controls (v8)

Status: ✅ 18 Critical Security Controls implemented

Implementation Highlights:

CIS Control 1: Inventory of Assets
• Hardware assets: Complete inventory in CMDB
• Software assets: License management, approved list
• Updates: Automated discovery, regular reconciliation

CIS Control 2: Inventory of Software
• Authorized software: Whitelist maintained
• Unauthorized software: Blocked or alerted
• Software updates: Centrally managed

CIS Control 3: Data Protection
• Data inventory: Classified and tracked
• Encryption: AES-256 at rest, TLS 1.3 in transit
• Secure disposal: Cryptographic erasure

CIS Control 4: Secure Configuration
• Hardening: CIS Benchmarks applied
• Configuration management: Automated, version controlled
• Change control: All changes reviewed

CIS Control 5: Account Management
• Unique accounts: No shared credentials
• MFA: Enforced for all users
• Privilege management: Least privilege, PIM

CIS Control 6: Access Control
• Authentication: Strong passwords, MFA
• Authorization: RBAC implemented
• Remote access: VPN, secure channels

CIS Control 7: Continuous Vulnerability Management
• Scanning: Weekly automated scans
• Remediation: <48h critical, <72h high
• Penetration testing: Annual external tests

CIS Control 8: Audit Log Management
• Logging: Comprehensive, centralized
• Retention: 1 year minimum, 7 years for compliance
• Analysis: SIEM correlation rules

CIS Control 9: Email & Web Browser Protection
• Email security: SPF, DKIM, DMARC, anti-phishing
• Web filtering: Malicious sites blocked
• Safe browsing: Policies enforced

CIS Control 10: Malware Defenses
• Antivirus: Endpoint protection deployed
• Signatures: Automatically updated
• Behavior analysis: Advanced threat protection

CIS Control 11: Data Recovery
• Backups: Automated, encrypted, tested
• Retention: Per policy (see Template 07)
• Recovery: RTO 4h, RPO 5 min

CIS Control 12: Network Infrastructure Management
• Network diagram: Current documentation
• Segmentation: VLANs, subnets, security zones
• Secure protocols: TLS 1.3, SSH v2, no legacy

CIS Control 13: Network Monitoring
• Traffic analysis: Continuous monitoring
• IDS/IPS: Deployed and tuned
• Packet capture: For forensics

CIS Control 14: Security Awareness
• Training: Annual mandatory training
• Phishing: Quarterly simulations
• Reporting: Easy incident reporting

CIS Control 15: Service Provider Management
• Vendor assessment: All vendors evaluated
• Contracts: Security requirements included
• Monitoring: Performance tracking

CIS Control 16: Application Security
• SDLC: Security integrated
• Code review: Mandatory peer review
• SAST/DAST: Automated testing in CI/CD

CIS Control 17: Incident Response
• IR plan: Documented and tested
• IR team: Defined roles, 24/7 coverage
• Exercises: Quarterly tabletop

CIS Control 18: Penetration Testing
• Frequency: Annual external penetration tests
• Scope: Full stack (application, infrastructure, network)
• Remediation: All findings addressed

OWASP (Open Web Application Security Project)

Status: ✅ OWASP Top 10 mitigations implemented

OWASP Top 10 (2021) Protections:

A01: Broken Access Control
• Mitigation: RBAC, least privilege, authorization checks
• Testing: Automated access control tests

A02: Cryptographic Failures
• Mitigation: TLS 1.3, AES-256, proper key management
• Testing: SSL Labs scans, crypto reviews

A03: Injection
• Mitigation: Parameterized queries, input validation, ORM
• Testing: SAST tools, manual code review

A04: Insecure Design
• Mitigation: Threat modeling, security architecture reviews
• Testing: Design reviews, security champions

A05: Security Misconfiguration
• Mitigation: Hardening, config management, principle of least functionality
• Testing: Automated config scans

A06: Vulnerable & Outdated Components
• Mitigation: Dependency scanning, regular updates
• Testing: Dependabot, npm audit, pip-audit

A07: Identification & Authentication Failures
• Mitigation: Strong passwords, MFA, session management
• Testing: Authentication testing, brute force protection

A08: Software & Data Integrity Failures
• Mitigation: Code signing, integrity checks, secure CI/CD
• Testing: Supply chain security analysis

A09: Security Logging & Monitoring Failures
• Mitigation: Comprehensive logging, SIEM, alerting
• Testing: Log review, alert testing

A10: Server-Side Request Forgery (SSRF)
• Mitigation: Input validation, allowlists, network segmentation
• Testing: SSRF-specific tests

Secure Development:
• SSDLC: Security Development Lifecycle
• Training: Secure coding training for developers
• Tools: SAST (static), DAST (dynamic), SCA (dependencies)
• Peer review: All code changes reviewed
• Threat modeling: For new features

Other Standards & Compliance

SOC 2 Type II

Status: 🔄 Planned for H2 2026

Scope: Security, Availability, Processing Integrity

Trust Service Criteria:
• Common Criteria: Foundation for all SOC 2
• Security: Controls for unauthorized access
• Availability: System uptime and performance
• Processing Integrity: Accurate, complete, timely processing

Preparation:
• Controls: Aligned with ISO 27001 implementation
• Evidence: Documentation being collected
• Readiness: Internal assessment completed
• Auditor: Selection in progress

Sector-Specific Requirements (Insurance)

Financial Supervision Act (Wft)
• Scope: Indirectly via insurance clients
• Compliance: Facilitating client compliance
• Outsourcing: Art. 4:15 and 4:16 compliance
• Due diligence: Supporting client audits

Solvency II
• Scope: Insurance client requirements
• IT governance: Supporting client SCR calculations
• Operational risk: Documentation for client risk models
• Outsourcing: Transparent reporting

NIS2 Directive
• Status: Monitoring implementation (2024)
• Scope: May apply as "essential service"
• Preparation: Alignment with DORA and ISO 27001
• Timeline: Full assessment by 2024 deadline

Compliance Governance

Compliance Management

Compliance Team:
• Compliance Officer: Overall responsibility
• FG (DPO): Privacy compliance
• Security Lead: Technical compliance
• Legal Counsel: Regulatory interpretation
• Internal Audit: Compliance verification

Compliance Program:
• Policy framework: Comprehensive policies
• Risk assessments: Regular compliance risks
• Training: Role-specific compliance training
• Monitoring: Continuous compliance monitoring
• Audits: Internal and external audits
• Reporting: Regular compliance reporting
• Improvement: Continuous improvement process

Metrics & KPIs:
• Compliance posture: % compliant controls
• Training completion: % employees trained
• Audit findings: Number and severity
• Remediation time: Time to close findings
• Incidents: Compliance-related incidents
• Risk score: Overall compliance risk

Reporting:
• Monthly: Metrics dashboard to management
• Quarterly: Comprehensive report to Board
• Annual: Formal compliance attestation
• Ad-hoc: Regulatory inquiries, audits

Audits & Assessments

Internal Audits

Frequency: Quarterly
Scope: All compliance frameworks
Process:

  1. Audit planning and scope definition

  2. Evidence collection and testing

  3. Findings documentation

  4. Management response

  5. Remediation tracking

  6. Verification of remediation

Last Audit: [Date]
Next Audit: [Date]

External Audits

ISO 27001 Certification Audit: Q1 2026 planned
SOC 2 Type II Audit: H2 2026 planned
DORA Supervisory Audit: As required by regulators
Customer Audits: On request, supported

Audit Support:
• Documentation: Comprehensive evidence available
• Personnel: Subject matter experts available
• Facilities: Remote or on-site (COVID-dependent)
• Follow-up: Action plans for all findings

Third-Party Assessments

Penetration Testing: Annual
Vulnerability Assessments: Weekly
Security Ratings: Continuous (BitSight, SecurityScorecard)
Privacy Assessments: Annual DPIA reviews

Regulatory Engagement

Regulators

Dutch Data Protection Authority (AP) - Privacy
• Relationship: Responsive, cooperative
• Communication: DPO (FG) is primary contact
• Reporting: Data breaches within 72 hours
• Audits: Support AP audits when requested

De Nederlandsche Bank (DNB) - Financial
• Relationship: Via insurance clients
• Support: Client regulatory compliance
• Reporting: Support client reporting

European Regulators
• EIOPA: European Insurance regulator
• ENISA: EU cyber security agency
• Monitoring: Regulatory developments

Industry Participation

Sector Groups:
• Insurance cybersecurity working groups
• Financial sector ISAC (information sharing)
• DORA implementation forums
• AI ethics initiatives

Standards Bodies:
• ISO contributing member
• NIST CSF implementation
• CIS Controls community
• OWASP participation

Compliance Roadmap

2025 Priorities

Q1 2025:
• ISO 27001 certification audit
• DORA full compliance verification
• EU AI Act risk assessments completed

Q2 2025:
• SOC 2 readiness assessment
• NIS2 gap analysis
• Penetration test execution

Q3 2025:
• SOC 2 Type I audit initiation
• DORA resilience testing
• Privacy program maturity assessment

Q4 2025:
• ISO 27001 surveillance audit
• Year-end compliance review
• 2026 planning

2026 Goals:
• SOC 2 Type II certification
• ISO 27018 (Cloud Privacy) consideration
• ISO 27017 (Cloud Security) consideration
• Continuous improvement

Emerging Regulations

Monitoring:
• NIS2 implementation
• AI Act technical standards
• Cyber Resilience Act
• Data Act
• eIDAS 2.0

Preparation:
• Gap analyses ongoing
• Regulatory tracking system
• Legal counsel engaged
• Industry participation

Customer Due Diligence Support

What We Provide

Documentation:
• This Trust Center: Comprehensive security documentation
• Compliance summaries: Per framework
• Certificates: ISO, SOC reports (when available)
• Policies: Security, privacy, incident response
• Assessments: Penetration test summaries

Questionnaires:
• Security questionnaires: Standardized responses
• Compliance questionnaires: Framework-specific
• Response time: 5 business days
• Format: Excel, Word, online portals

Audits:
• Right to audit: Included in contract
• Frequency: Reasonable intervals (e.g., annual)
• Scope: Security and data handling practices
• Reports: Summary reports provided
• Findings: Remediation plans for issues

Certifications:
• Compliance letters: Available upon request
• SOC 2 reports: When certified (H2 2026)
• ISO certificates: When certified (Q1 2026)
• Custom certifications: On request, legal review

Support:
• Dedicated support: For compliance inquiries
• Response time: 48 hours for initial response
• Escalation: To Compliance Officer if needed
• Follow-up: Until resolution

Continuous Improvement

Sources of Improvement

• Audit findings: Internal and external
• Incident reviews: Lessons learned
• Industry best practices: Benchmarking
• Regulatory changes: New requirements
• Technology evolution: New capabilities
• Customer feedback: Security concerns
• Threat landscape: Emerging threats

Improvement Process

  1. Identification: Gap or opportunity identified

  2. Assessment: Impact and feasibility analysis

  3. Approval: Management authorization

  4. Planning: Implementation plan

  5. Execution: Implementation

  6. Verification: Testing and validation

  7. Documentation: Update policies/procedures

  8. Communication: Stakeholder notification

  9. Training: Update training materials

  10. Monitoring: Ongoing effectiveness

Contact & Resources

Compliance Inquiries

• Compliance Officer: onesurance
• Data Protection Officer: onesurance
• Security Team: onesurance
• Legal: onesurance

Documentation Requests

• Trust Center: onesurance
• Security documentation: onesurance
• Compliance summaries: onesurance
• Audit reports: onesurance (NDA may be required)

Certifications & Attestations

• ISO 27001: Q1 2026 (planned)
• SOC 2: H2 2026 (planned)
• Current status: Available upon request

Last updated: December 2024
Onesurance B.V. | Breda, Netherlands | Chamber of Commerce: 87521997

Compliance Status Summary:
✅ AVG/GDPR: Compliant
✅ DORA: Compliant
🔄 ISO 27001: Q1 2026
✅ EU AI Act: Monitoring
✅ NIST CSF: Tier 3
✅ CIS Controls: 18/18
✅ OWASP Top 10: Mitigated
🔄 SOC 2: H2 2026 planned