Resilience is not just a cyber security issue, but a broader and pervasive concern for all. Many insurers with EU-regulated entities will be in-flight with technology, controls, contractual and organisational compliance activity in readiness for the application of the EU's Digital Operational Resilience Act (DORA) on 17 January 2025. DORA and related regulatory activity, such as the UK's Operational Resilience rules and proposed rules regulating Critical Third Parties, reflect concerns over operational resilience risks for the insurance sector, particularly where threat vectors are technology-enabled, as many are. A feature of the new rules is their interest in the mapping of adverse resilience impacts (and firms' impact tolerances to these), and in how supply chains may be vulnerable – not just at the tier 1 level, but all the way down the sub-contractor stack. The CrowdStrike outage in July 2024, which at one point grounded the major US airlines, showed how business-critical systems can be vulnerable to cascading failures originating not from threat actors, but from tech firms.