Staying secure and compliant, even with hyperscalers
Cloud-first is now reality in the insurance market. At the same time, the EU regulation DORA (Digital Operational Resilience Act) makes IT security, resilience, and data control a board-level responsibility. Insurers face one central question:
How can sensitive insurance data be processed in the cloud without losing regulatory control?
eperi sEcure from eperi GmbH provides the technical answer: application-level encryption with full key sovereignty — independent of the cloud provider.
Initial Situation: High Cloud Usage, Increasing Responsibility
- More than 80% of European insurers use hyperscalers
- Core processes such as collaboration, CRM, and claims processing run on SaaS platforms
- At the same time, the regulatory framework is tightening significantly
Relevant requirements for insurers
- DORA (applicable since 17 January 2025): ICT risk management, oversight of third-party ICT providers, auditability
- GDPR: Protection of personal data
- VAIT / MaRisk: Technical security and protection requirements
- Section 203 German Criminal Code (StGB): confidentiality obligations for regulated professions, which explicitly include staff of private health, accident, and life insurers
Important: Neither EU data centers nor contractual clauses are sufficient on their own. What matters is technical control over plaintext data and over the cryptographic keys that protect it.
The Core Problem: Plaintext Means Loss of Control
Even when cloud services are outsourced, the insurer remains responsible for:
- Plaintext access
- Key management and cryptography
- Auditability and verifiability
The structural conflict: US cloud providers are subject to extraterritorial laws such as the CLOUD Act — even when data is stored in EU locations.
The Solution: Application-Level Encryption with eperi sEcure
eperi sEcure protects sensitive insurance data before it reaches the cloud. Only encrypted content leaves the company — control remains with the insurer.
How eperi sEcure supports DORA compliance
Plaintext protection at data level
Sensitive fields are encrypted before they enter cloud or SaaS applications, so the cloud provider only ever stores and processes ciphertext. A consequence to plan for: functions the SaaS performs on those fields (search, sorting, reporting) then operate on ciphertext, which has to be considered when selecting the fields to protect.
Independent key management
Integration into existing KMS or HSM systems (e.g., Thales Group). Full key sovereignty remains with the insurer.
Technical protection against the CLOUD Act
Even in the case of an external disclosure request, the provider can only hand over ciphertext: the key is never in its possession, so it cannot decrypt the data.
Auditability and proof of compliance
Encryption policies document which fields are protected and how, supporting audits by supervisory authorities, external auditors, and internal audit.
Multi-cloud capable without vendor lock-in
SaaS- and hyperscaler-neutral, supports hybrid architectures.
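As an added illustration of the field-level pattern described above (this is example code, not eperi's code and not a description of how eperi sEcure is implemented), the following Go program encrypts the sensitive fields of a constructed claims record with AES-256-GCM before the record would be handed to a SaaS API, leaves the identifier the SaaS needs in plaintext, and binds each ciphertext to its field name. The key literal, the field names, and the record contents are assumptions for the example; in a deployment the key would be held in the insurer's own KMS/HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Prefix marks a field value as ciphertext produced by the gateway.
const Prefix = "enc:v1:"

// SensitiveFields must never leave the insurer in plaintext (constructed set).
var SensitiveFields = map[string]bool{"insured": true, "diagnosis": true, "iban": true}

// FieldEncryptor encrypts selected record fields with AES-256-GCM under a key that stays with the insurer.
type FieldEncryptor struct {
	aead cipher.AEAD
}

func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// EncryptRecord copies rec, replacing each sensitive field by Prefix + base64(nonce || ciphertext || tag).
// The field name is bound as associated data, so a ciphertext moved into another field will not decrypt.
func (e *FieldEncryptor) EncryptRecord(rec map[string]string, sensitive map[string]bool) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for k, v := range rec {
		if !sensitive[k] {
			out[k] = v // non-sensitive fields pass through unchanged
			continue
		}
		nonce := make([]byte, e.aead.NonceSize()) // fresh random nonce per value
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		sealed := e.aead.Seal(nonce, nonce, []byte(v), []byte(k))
		out[k] = Prefix + base64.StdEncoding.EncodeToString(sealed)
	}
	return out, nil
}

// DecryptRecord reverses EncryptRecord; a wrong key, a modified value or a value moved between fields fails.
func (e *FieldEncryptor) DecryptRecord(rec map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for k, v := range rec {
		if !strings.HasPrefix(v, Prefix) {
			out[k] = v
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v, Prefix))
		ns := e.aead.NonceSize()
		if err != nil || len(raw) < ns {
			return nil, fmt.Errorf("field %q: malformed ciphertext", k)
		}
		pt, err := e.aead.Open(nil, raw[:ns], raw[ns:], []byte(k))
		if err != nil {
			return nil, fmt.Errorf("field %q: authentication failed", k)
		}
		out[k] = string(pt)
	}
	return out, nil
}

// SampleClaim is a constructed claims record; none of the values are real.
func SampleClaim() map[string]string {
	return map[string]string{
		"claim_id":  "CLM-2025-000123",        // identifier the SaaS keys on, stays plaintext
		"insured":   "Erika Mustermann",       // personal data
		"diagnosis": "ICD-10 M54.5",           // health data
		"iban":      "DE89370400440532013000", // bank account
	}
}

func main() {
	// Constructed 32-byte key for this example; a deployment unwraps the key from the insurer's KMS/HSM.
	enc, err := NewFieldEncryptor([]byte("0123456789abcdef0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	outbound, err := enc.EncryptRecord(SampleClaim(), SensitiveFields)
	if err != nil {
		panic(err)
	}
	js, _ := json.MarshalIndent(outbound, "", "  ")
	fmt.Println(string(js)) // this is all the SaaS provider ever receives or stores
}
```

The printed JSON is everything the provider ever receives. Because the key never leaves the insurer, a copy of that JSON obtained from the provider, whether through a breach or a disclosure order, cannot be decrypted by anyone who does not also hold the key, and a value copied from one field into another is rejected rather than silently accepted. Two design consequences follow: the SaaS cannot search, sort, or report on the protected fields, and losing the key makes every stored record unrecoverable, so key backup and rotation in the KMS/HSM are part of the architecture, not an afterthought.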
Regulatory Fit for Insurance Companies
| Regulation / law | Area covered |
|---|---|
| DORA | ICT risk management, oversight of third-party ICT providers |
| GDPR | Data protection, purpose limitation, data minimization |
| VAIT / MaRisk | Technical security, protection requirements |
| Section 203 German Criminal Code | Confidentiality of entrusted personal secrets |
| CLOUD Act | Exposure limited by upstream encryption: the provider holds ciphertext only |
Why Act Now?
- Cloud usage continues to grow
- Supervisory authorities require technical evidence — not just concepts
- Data and AI are becoming strategic competitive factors
Those who do not implement technical safeguards today will have to justify or roll back their cloud strategy tomorrow.
With eperi sEcure, all three are possible at once:
- Use the cloud
- Protect data
- Remain DORA-compliant
Experience eperi sEcure for Insurance
Learn how DORA compliance in the cloud can be implemented in practice.
Summary
DORA cloud compliance for insurance describes the technical and organizational capability to reliably meet the requirements of the EU DORA regulation even in public-cloud and SaaS environments. eperi sEcure supports insurers through application-level encryption, full key sovereignty, and auditability, independent of the cloud provider and with extraterritorial laws such as the US CLOUD Act taken into account.
