The Digital Operational Resilience Act [1] (DORA) is an EU regulation for financial sector firms. DORA sets out highly detailed requirements for IT systems, with the aim of enhancing the resilience of IT operations. The regulation is designed to help firms prevent IT crises and respond effectively to disruptions, such as cyberattacks.
Following the regulation’s entry into force in January 2023, all major financial institutions launched projects to ensure compliance with DORA’s requirements. To check compliance, firms began by conducting gap analyses using their own IT documentation and process records. The primary sources for these analyses – regulatory requirements and internal documentation – were written in natural language. This made the use of generative AI attractive from the outset, reducing cost and effort while maintaining high-quality results.
The DORA gap analysis is representative of many generative AI use cases. They are complex and data-rich, differing from simpler data-intensive tasks in two ways:
- Diverse source types. The content originates from different types of sources with different functions – in DORA’s case, legal texts and IT documentation.
- Cross-document comparison. The goal is not merely to extract answers from a single source, but to identify discrepancies across documents.
These complexities place higher demands on both the generative AI model and the overall solution design. To illustrate this further, we examine another gap analysis required on the road to DORA compliance.
DORA and outsourcing management
DORA sets out highly specific requirements for contracts with external IT service providers – for instance, mandatory termination clauses. As a result, firms face the challenge of reviewing all their IT contracts against these obligations [2]. Even smaller organizations may have hundreds of contracts, differing in structure, length, and detail. Without generative AI, this review process would require considerable manual effort.
So how can this complex, data-rich use case be effectively addressed using generative AI?
Translating DORA requirements into actionable rules
The first step is to identify the relevant DORA provisions for IT contracts and convert them into actionable rules. For example, regarding termination clauses, the rule is:
“Check whether the contract contains a termination clause.”
Such rules are then formalized within prompts. At this point, the approach resembles traditional rule-based AI, used in areas like invoice checking since the 1990s. The key difference is that generative AI understands natural language, reducing the need for highly detailed rule sets. Moreover, subject matter experts gradually refine prompts until results improve.
Experience shows that even minor prompt changes can enhance results. However, adjusting longer prompts may also cause unintended side effects. This makes it essential for domain experts to have at least a basic technical understanding of generative AI, or to work closely with AI specialists. Agile collaboration between business and IT is therefore well-suited to generative AI projects. Because improvements often depend on fine-tuning, these projects typically require more frequent interaction than other agile initiatives.
AI working with experts
In complex cases such as DORA contract reviews, generative AI serves as a valuable support tool but does not replace human judgment. A three-step approach has emerged in practice:
- Create and refine a prompt through extensive testing until results are reliable.
- Apply the refined prompt “in production” to real contracts.
- Have experts validate the AI outputs.
To simplify the expert’s review, AI outputs are typically presented in an Excel file with color coding: green for compliant clauses, red for deviations, and yellow for unclear cases. This visual format allows experts to focus quickly and reduces workload significantly when prompts are well-designed. Experts therefore remain central, but their effort is reduced thanks to AI pre-processing.
Do not underestimate preparation
Prompts should be tested against real contracts from the outset. Although generative AI can easily create sample contracts, real agreements often contain unexpected variations. Only signed contracts have legal force – and many older agreements may exist only as scanned paper documents. These must first be converted into machine-readable formats.
Major hyperscalers now offer powerful services for this purpose. Yet, challenges can still arise, especially with documents containing tables or graphics. Project planning should therefore allow sufficient time to prepare all relevant contracts in the correct format.
Outlook
In the next article in this series, we will examine another complex, data-rich use case with a slightly different technical focus. Importantly, the tools required for smooth implementation of such projects have already been developed by Capco and successfully applied in numerous client engagements.
If you have questions or would like to discuss further, we would be delighted to hear from you.
References
[1] Publications Office
[2] See Article 30 (2) h) of the regulation: Publications Office