
Regulatory Frameworks

• GDPR: Compliant
• DORA: Compliant
• ISO 27001: Q1 2026

Key Security Principles at Onesurance

• End-to-end encryption for all data in transit and at rest
• Multi-factor authentication mandatory for all users
• 24/7 security monitoring with automated incident detection
• Data residency within the EU (Azure West Europe)
• ISO 27001 certification in preparation (target Q1 2026)

Certifications and Standards

Onesurance adheres to the highest security and compliance standards in the financial sector. Below you will find an overview of our current certifications and roadmap.


TRUST CENTER - REGULATORY FRAMEWORKS

Onesurance Compliance & Security Frameworks
Last updated: December 2024

Overview

At Onesurance we have implemented a comprehensive compliance programme covering multiple regulatory frameworks, industry standards and best practices relevant to the insurance sector in the European Union. Our layered approach ensures that we meet the strict requirements of data protection legislation (GDPR), information security standards (ISO 27001), operational resilience (DORA) and emerging AI regulation (EU AI Act), while following recognised security frameworks and best practices.

Key Regulatory Frameworks

GDPR (General Data Protection Regulation)

Status: ✅ Fully compliant since 2018

Scope:
The GDPR is the primary privacy legislation in the EU and applies to all processing of personal data of EU citizens.

Our Implementation:

Governance & Accountability
• Data Protection Officer (DPO): Appointed and active
• DPO contact: dpo@onesurance.ai
• Record of Processing Activities (ROPA): Fully maintained
• Data Protection Impact Assessments (DPIAs): For high-risk processing
• Privacy by Design & Default: Built into all systems

Legal Basis for Processing
• Contractual necessity: Primary legal basis for customer data
• Legitimate interest: For security, fraud prevention, improvements
• Legal obligation: Where required by law (tax, etc.)
• Consent: For marketing and optional features

Data Subject Rights
• Access (Art. 15): Response within 1 month
• Rectification (Art. 16): Immediate correction possible
• Erasure (Art. 17): Within 1 month, with exceptions
• Restriction (Art. 18): Technical blocking possible
• Data portability (Art. 20): Structured exports available
• Objection (Art. 21): Balancing test performed
• Automated decision-making (Art. 22): Human-in-the-loop required

Security Measures
• Encryption: AES-256 at rest, TLS 1.3 in transit
• Access control: RBAC, MFA, least privilege
• Pseudonymisation: Applied where possible
• Backups: Encrypted, tested, geo-redundant (within EU)
• Incident response: 24/7 monitoring, <72h notification in case of a breach

International Transfers
• Primary: All data within the EU (Azure West Europe)
• Backup: Azure North Europe (within EU)
• No transfers: Outside EU/EEA without explicit consent
• Safeguards: EU SCCs should a future transfer become necessary

Accountability
• Documentation: Extensive, auditable
• Training: Mandatory for all employees
• Audits: Internal audits quarterly
• Supervisory authority: Autoriteit Persoonsgegevens (NL)

Compliance Evidence:
• ROPA fully documented
• DPIAs performed for AI models
• DPO active and reachable
• Incident response procedures tested
• Employee training completion: 100%

See also: Template 04 (Privacy & Data Processing)

DORA (Digital Operational Resilience Act)

Status: ✅ Compliant with applicable requirements (effective January 2025)

Scope:
DORA applies to financial entities (including insurers) and their critical ICT service providers. As a SaaS provider for insurers, we fall under this regulation.

Five Pillars:

1. ICT Risk Management (Art. 6-16)
• Framework: Comprehensive ICT risk management framework
• Risk assessments: Annually and upon significant changes
• Asset management: Full inventory of ICT assets
• Change management: Controlled change procedures
• Patch management: <48h for critical, <72h for high
• Network security: Segmentation, firewalls, monitoring

2. Incident Management & Reporting (Art. 17-23)
• Classification: 4 severity levels (P1-P4)
• Detection: 24/7 monitoring, automated alerts
• Response: <15 min for P1, defined procedures
• Register: ICT incident log maintained
• Reporting:
  • Significant incidents: Within 24h initial notification
  • Major incidents: Immediate notification
  • Supervisory authority: Per DORA requirements
• Root cause: Analysis for all P1/P2 incidents

3. Resilience Testing (Art. 24-27)
• Frequency: Annual comprehensive resilience testing
• Types:
  • Vulnerability assessments: Weekly automated
  • Penetration testing: Annual external
  • Scenario-based testing: Semi-annual DR tests
  • Red team testing: Annual (planned)
• Documentation: All test results logged
• Remediation: Action plans for identified gaps
• TLPT: Threat-Led Penetration Testing (planned for 2026)

4. Third-Party Risk Management (Art. 28-30)
• Due diligence: All ICT service providers assessed
• Contracts: Service level agreements with availability targets
• Register: Maintained list of ICT third-party providers
• Monitoring: Ongoing vendor performance tracking
• Concentration risk: Assessed (primary: Microsoft Azure)
• Exit strategies: Documented for critical vendors
• Subprocessors: Full transparency (see Template 08)

5. Information Sharing (Art. 45)
• Threat intelligence: Monitoring of industry threats
• Sector participation: Member of insurance sector groups
• Vulnerability sharing: Contributing to collective defence
• Confidentiality: Proper handling of sensitive information

Compliance Evidence:
• ICT risk register maintained
• Annual resilience tests completed
• Incident reporting procedures established
• Third-party risk assessments current
• Threat intelligence integration active

See also:
• Template 05 (Infrastructure)
• Template 06 (Incident Response)
• Template 07 (Business Continuity)

ISO 27001:2022 (Information Security)

Status: 🔄 Implementation completed, certification Q1 2026

Scope:
ISO 27001 is the international standard for Information Security Management Systems (ISMS). We have implemented all 114 controls.

ISMS Components:

Leadership & Governance
• Management commitment: Executive sponsorship
• Security policy: Comprehensive, annually reviewed
• Roles & responsibilities: Clearly defined
• Resources: Adequate budget and personnel
• Communication: Regular security updates

Planning
• Risk assessment: ISO 27005 methodology
• Risk treatment: All risks addressed (accept/mitigate/transfer/avoid)
• Objectives: SMART security objectives defined
• Metrics: KPIs tracked and reported

Support
• Competence: Training programmes, certifications
• Awareness: Security awareness for all employees
• Communication: Internal and external channels
• Documentation: Comprehensive, version controlled
• Operational control: Documented procedures

Operation
• Operational planning: Security integrated in all processes
• Risk assessment: Regular execution
• Risk treatment: Implementation and monitoring
• Performance evaluation: Regular reviews

Performance Evaluation
• Monitoring: Continuous security monitoring
• Internal audits: Quarterly ISMS audits
• Management review: Quarterly meetings
• Metrics: Security KPIs tracked

Improvement
• Nonconformities: Tracked and resolved
• Corrective actions: Root cause analysis
• Continuous improvement: Kaizen approach
• Innovation: Regular evaluation of new technologies

114 Controls Implemented (14 Annex A Categories):
1. ✅ Organizational controls (37)
2. ✅ People controls (8)
3. ✅ Physical controls (14)
4. ✅ Technological controls (34)
5. ✅ [All 14 categories completed]

Certification Timeline:
• Q4 2024: Internal audit and gap analysis
• Q1 2025: External pre-assessment
• Q1 2026: Stage 1 and Stage 2 certification audit
• Q1 2026: ISO 27001:2022 certificate issued

Compliance Evidence:
• Statement of Applicability (SoA) completed
• All 114 controls documented
• Internal audit programme active
• Management reviews quarterly
• Risk treatment plan current

See also: Template 03 (Data Security)

EU AI Act

Status: ✅ Monitoring and preparation (implementation 2026)

Scope:
The EU AI Act regulates AI systems based on risk. Our systems are classified as Limited Risk or Minimal Risk.

Our AI Systems:

Churn Prediction Model
• Risk level: Limited risk
• Purpose: Predicting customer retention
• Transparency: Users informed of AI usage
• Human oversight: Predictions reviewed by underwriters
• Accuracy: Regularly evaluated and improved
• Bias: Monitored for unfair discrimination
• Documentation: Model cards maintained

Customer Lifetime Value (CLV)
• Risk level: Minimal risk
• Purpose: Customer value calculations
• Usage: Strategic planning, not automated decisions
• Transparency: Clear communication
• Documentation: Methodology documented

Next Best Product (NBP)
• Risk level: Limited risk
• Purpose: Product recommendation engine
• Human oversight: Recommendations reviewed
• Explainability: Reasoning can be explained
• Bias monitoring: Regular fairness assessments
• Opt-out: Users can disable recommendations

Defend Agent (Conversational AI)
• Risk level: Limited risk
• Purpose: Customer service automation
• Human handoff: Always available
• Transparency: Users know they are talking to an AI
• Training data: Carefully curated
• Monitoring: Conversations logged and reviewed
• Escalation: Complex cases to humans

Compliance Measures:
• Risk assessment: All systems classified
• Transparency: Clear AI disclosure
• Human oversight: Human-in-the-loop design
• Documentation: Comprehensive AI documentation
• Quality management: AI/ML model lifecycle
• Training data: Data governance procedures
• Testing: Bias and performance testing
• Monitoring: Post-deployment monitoring
• Incident response: AI-specific procedures

Compliance Timeline:
• December 2024: Risk classification completed
• 2025: Technical documentation completed
• February 2025: Compliance with transparency obligations
• August 2026: Full compliance with limited risk requirements

Compliance Evidence:
• AI system inventory maintained
• Risk assessments completed
• Transparency notices implemented
• Human oversight procedures documented
• Bias monitoring programme active

Security Frameworks & Best Practices

NIST Cybersecurity Framework

Status: ✅ Implemented (Maturity Tier 3)

Five Functions:

1. Identify
• Asset management: Full ICT inventory
• Business environment: Context understood
• Governance: Policies and procedures
• Risk assessment: Regular assessments
• Risk management strategy: Defined approach

2. Protect
• Access control: RBAC, MFA, least privilege
• Awareness & training: Ongoing programs
• Data security: Encryption, DLP, backups
• Info protection: Classification and handling
• Maintenance: Patch management, hardening
• Protective technology: Firewalls, antivirus, IDS/IPS

3. Detect
• Anomalies & events: SIEM monitoring
• Continuous monitoring: 24/7 SOC
• Detection processes: Defined and tested

4. Respond
• Response planning: Incident response plan
• Communications: Stakeholder notification
• Analysis: Root cause, impact assessment
• Mitigation: Containment procedures
• Improvements: Post-incident reviews

5. Recover
• Recovery planning: Business continuity plan
• Improvements: Lessons learned
• Communications: Stakeholder updates

Maturity: Tier 3 - Repeatable, Adaptable
• Risk-informed
• Integrated into business
• Cyber risk assessed regularly
• Policies and procedures formalized
• Consistent implementation

CIS Controls (v8)

Status: ✅ 18 Critical Security Controls implemented

Implementation Highlights:

CIS Control 1: Inventory of Assets
• Hardware assets: Complete inventory in CMDB
• Software assets: License management, approved list
• Updates: Automated discovery, regular reconciliation

CIS Control 2: Inventory of Software
• Authorized software: Whitelist maintained
• Unauthorized software: Blocked or alerted
• Software updates: Centrally managed

CIS Control 3: Data Protection
• Data inventory: Classified and tracked
• Encryption: AES-256 at rest, TLS 1.3 in transit
• Secure disposal: Cryptographic erasure

CIS Control 4: Secure Configuration
• Hardening: CIS Benchmarks applied
• Configuration management: Automated, version controlled
• Change control: All changes reviewed

CIS Control 5: Account Management
• Unique accounts: No shared credentials
• MFA: Enforced for all users
• Privilege management: Least privilege, PIM

CIS Control 6: Access Control
• Authentication: Strong passwords, MFA
• Authorization: RBAC implemented
• Remote access: VPN, secure channels

CIS Control 7: Continuous Vulnerability Management
• Scanning: Weekly automated scans
• Remediation: <48h critical, <72h high
• Penetration testing: Annual external tests

CIS Control 8: Audit Log Management
• Logging: Comprehensive, centralized
• Retention: 1 year minimum, 7 year for compliance
• Analysis: SIEM correlation rules

CIS Control 9: Email & Web Browser Protection
• Email security: SPF, DKIM, DMARC, anti-phishing
• Web filtering: Malicious sites blocked
• Safe browsing: Policies enforced

CIS Control 10: Malware Defenses
• Antivirus: Endpoint protection deployed
• Signatures: Automatically updated
• Behavior analysis: Advanced threat protection

CIS Control 11: Data Recovery
• Backups: Automated, encrypted, tested
• Retention: Per policy (see Template 07)
• Recovery: RTO 4h, RPO 5 min

CIS Control 12: Network Infrastructure Management
• Network diagram: Current documentation
• Segmentation: VLANs, subnets, security zones
• Secure protocols: TLS 1.3, SSH v2, no legacy

CIS Control 13: Network Monitoring
• Traffic analysis: Continuous monitoring
• IDS/IPS: Deployed and tuned
• Packet capture: For forensics

CIS Control 14: Security Awareness
• Training: Annual mandatory training
• Phishing: Quarterly simulations
• Reporting: Easy incident reporting

CIS Control 15: Service Provider Management
• Vendor assessment: All vendors evaluated
• Contracts: Security requirements included
• Monitoring: Performance tracking

CIS Control 16: Application Security
• SDLC: Security integrated
• Code review: Mandatory peer review
• SAST/DAST: Automated testing in CI/CD

CIS Control 17: Incident Response
• IR plan: Documented and tested
• IR team: Defined roles, 24/7 coverage
• Exercises: Quarterly tabletop

CIS Control 18: Penetration Testing
• Frequency: Annual external pen tests
• Scope: Full stack (app, infra, network)
• Remediation: All findings addressed

OWASP (Open Web Application Security Project)

Status: ✅ OWASP Top 10 mitigations implemented

OWASP Top 10 (2021) Protections:

A01: Broken Access Control
• Mitigation: RBAC, least privilege, authorization checks
• Testing: Automated access control tests

A02: Cryptographic Failures
• Mitigation: TLS 1.3, AES-256, proper key management
• Testing: SSL Labs scans, crypto reviews

A03: Injection
• Mitigation: Parameterized queries, input validation, ORM
• Testing: SAST tools, manual code review

A04: Insecure Design
• Mitigation: Threat modeling, security architecture reviews
• Testing: Design reviews, security champions

A05: Security Misconfiguration
• Mitigation: Hardening, config management, principle of least functionality
• Testing: Automated config scans

A06: Vulnerable & Outdated Components
• Mitigation: Dependency scanning, regular updates
• Testing: Dependabot, npm audit, pip-audit

A07: Identification & Authentication Failures
• Mitigation: Strong passwords, MFA, session management
• Testing: Authentication testing, brute force protection

A08: Software & Data Integrity Failures
• Mitigation: Code signing, integrity checks, secure CI/CD
• Testing: Supply chain security analysis

A09: Security Logging & Monitoring Failures
• Mitigation: Comprehensive logging, SIEM, alerting
• Testing: Log review, alert testing

A10: Server-Side Request Forgery (SSRF)
• Mitigation: Input validation, allowlists, network segmentation
• Testing: SSRF-specific tests

Secure Development:
• SSDLC: Security Development Lifecycle
• Training: Secure coding training for developers
• Tools: SAST (static), DAST (dynamic), SCA (dependencies)
• Peer review: All code changes reviewed
• Threat modeling: For new features

Other Standards & Compliance

SOC 2 Type II

Status: 🔄 Planned for H2 2026

Scope: Security, Availability, Processing Integrity

Trust Service Criteria:
• Common Criteria: Foundation for all SOC 2 reports
• Security: Controls against unauthorized access
• Availability: System uptime and performance
• Processing Integrity: Accurate, complete, timely processing

Preparation:
• Controls: Aligned with ISO 27001 implementation
• Evidence: Documentation being collected
• Readiness: Internal assessment completed
• Auditor: Selection in progress

Sector-Specific Requirements (Insurance)

Wet Financieel Toezicht (Wft)
• Scope: Indirectly via insurance clients
• Compliance: Facilitating client compliance
• Outsourcing: Art. 4:15 and 4:16 compliance
• Due diligence: Support for client audits

Solvency II
• Scope: Insurance client requirements
• IT governance: Supporting client SCR calculations
• Operational risk: Documentation for client risk models
• Outsourcing: Transparent reporting

NIS2 Directive
• Status: Monitoring implementation (2024)
• Scope: May apply as "essential service"
• Preparation: Alignment with DORA and ISO 27001
• Timeline: Full assessment by 2024 deadline

Compliance Governance

Compliance Management

Compliance Team:
• Compliance Officer: Overall responsibility
• DPO: Privacy compliance
• Security Lead: Technical compliance
• Legal Counsel: Regulatory interpretation
• Internal Audit: Compliance verification

Compliance Program:
• Policy framework: Comprehensive policies
• Risk assessments: Regular compliance risks
• Training: Role-specific compliance training
• Monitoring: Continuous compliance monitoring
• Audits: Internal and external audits
• Reporting: Regular compliance reporting
• Improvement: Continuous improvement process

Metrics & KPIs:
• Compliance posture: % compliant controls
• Training completion: % employees trained
• Audit findings: Number and severity
• Remediation time: Time to close findings
• Incidents: Compliance-related incidents
• Risk score: Overall compliance risk

Reporting:
• Monthly: Metrics dashboard to management
• Quarterly: Comprehensive report to Board
• Annual: Formal compliance attestation
• Ad-hoc: Regulatory inquiries, audits

Audits & Assessments

Internal Audits

Frequency: Quarterly
Scope: All compliance frameworks
Process:
1. Audit planning and scope definition
2. Evidence collection and testing
3. Findings documentation
4. Management response
5. Remediation tracking
6. Verification of remediation

Last Audit: [Date]
Next Audit: [Date]

External Audits

ISO 27001 Certification Audit: Q1 2026 planned
SOC 2 Type II Audit: H2 2026 planned
DORA Supervisory Audit: As required by regulators
Customer Audits: On request, supported

Audit Support:
• Documentation: Comprehensive evidence available
• Personnel: Subject matter experts available
• Facilities: Remote or on-site (COVID-dependent)
• Follow-up: Action plans for all findings

Third-Party Assessments

Penetration Testing: Annual
Vulnerability Assessments: Weekly
Security Ratings: Continuous (BitSight, SecurityScorecard)
Privacy Assessments: Annual DPIA reviews

Regulatory Engagement

Supervisory Authorities

Autoriteit Persoonsgegevens (AP) - Privacy
• Relationship: Responsive, cooperative
• Communication: DPO is primary contact
• Reporting: Data breaches within 72h
• Audits: Support AP audits when requested

De Nederlandsche Bank (DNB) - Financial
• Relationship: Via insurance clients
• Support: Client regulatory compliance
• Reporting: Support client reporting

European Supervisory Authorities
• EIOPA: European insurance regulator
• ENISA: EU cyber security agency
• Monitoring: Regulatory developments

Industry Participation

Sector Groups:
• Insurance cybersecurity working groups
• Financial sector ISAC (information sharing)
• DORA implementation forums
• AI ethics initiatives

Standards Bodies:
• ISO contributing member
• NIST CSF implementation
• CIS Controls community
• OWASP participation

Compliance Roadmap

2025 Priorities

Q1 2025:
• ISO 27001 certification audit
• DORA full compliance verification
• EU AI Act risk assessments completed

Q2 2025:
• SOC 2 readiness assessment
• NIS2 gap analysis
• Penetration test execution

Q3 2025:
• SOC 2 Type I audit initiation
• DORA resilience testing
• Privacy program maturity assessment

Q4 2025:
• ISO 27001 surveillance audit
• Year-end compliance review
• 2026 planning

2026 Goals:
• SOC 2 Type II certification
• ISO 27018 (Cloud Privacy) consideration
• ISO 27017 (Cloud Security) consideration
• Continuous improvement

Emerging Regulations

Monitoring:
• NIS2 implementation
• AI Act technical standards
• Cyber Resilience Act
• Data Act
• eIDAS 2.0

Preparation:
• Gap analyses ongoing
• Regulatory tracking system
• Legal counsel engaged
• Industry participation

Customer Due Diligence Support

What We Provide

Documentation:
• This Trust Center: Comprehensive security documentation
• Compliance summaries: Per framework
• Certificates: ISO, SOC reports (when available)
• Policies: Security, privacy, incident response
• Assessments: Penetration test summaries

Questionnaires:
• Security questionnaires: Standardized responses
• Compliance questionnaires: Framework-specific
• Response time: 5 working days
• Format: Excel, Word, online portals

Audits:
• Right to audit: Included in contract
• Frequency: Reasonable intervals (e.g., annual)
• Scope: Security and data handling practices
• Reports: Summary reports provided
• Findings: Remediation plans for issues

Attestations:
• Compliance letters: Available upon request
• SOC 2 reports: When certified (H2 2026)
• ISO certificates: When certified (Q1 2026)
• Custom attestations: On request, legal review

Support:
• Dedicated support: For compliance inquiries
• Response time: 48 hours for initial response
• Escalation: To Compliance Officer if needed
• Follow-up: Until resolution

Continuous Improvement

Improvement Sources

• Audit findings: Internal and external
• Incident reviews: Lessons learned
• Industry best practices: Benchmarking
• Regulatory changes: New requirements
• Technology evolution: New capabilities
• Customer feedback: Security concerns
• Threat landscape: Emerging threats

Improvement Process

1. Identification: Gap or opportunity identified
2. Assessment: Impact and feasibility analysis
3. Approval: Management authorization
4. Planning: Implementation plan
5. Execution: Implementation
6. Verification: Testing and validation
7. Documentation: Update policies/procedures
8. Communication: Stakeholder notification
9. Training: Update training materials
10. Monitoring: Ongoing effectiveness

Contact & Resources

Compliance Inquiries

• Compliance Officer: dpo@onesurance.ai
• Data Protection Officer: dpo@onesurance.ai
• Security Team: security@onesurance.ai
• Legal: dpo@onesurance.ai

Documentation Requests

• Trust Center: www.onesurance.ai/trust-center
• Security documentation: dpo@onesurance.ai
• Compliance summaries: dpo@onesurance.ai
• Audit reports: dpo@onesurance.ai (NDA may be required)

Certifications & Attestations

• ISO 27001: Q1 2026 (planned)
• SOC 2: H2 2026 (planned)
• Current status: Available upon request

Onesurance B.V. | Breda, Netherlands | KvK: 87521997

Compliance Status Summary:
✅ GDPR: Compliant
✅ DORA: Compliant
🔄 ISO 27001: Q1 2026
✅ EU AI Act: Monitoring
✅ NIST CSF: Tier 3
✅ CIS Controls: 18/18
✅ OWASP Top 10: Mitigated
🔄 SOC 2: H2 2026 planned