
Automating DORA: How Lemonade Simplified & Scaled Compliance with Panorays

“We’re a tech company that happens to do insurance. Panorays automates compliance in a way that feels natural to us.”

– Liran Bassa, Corporate Governance Director, Lemonade

Lemonade, the digital-first insurance giant, has a motto: “Insurance is f***ing awesome.” And they mean it. With a mission to make insurance simple, transparent, and socially impactful, Lemonade has been disrupting the insurance market with AI-powered claims processing and a customer-first approach.

But behind the scenes, Lemonade was facing a less glamorous reality: figuring out how to handle DORA compliance while staying true to their digital-first foundation.

For Liran Bassa, Lemonade’s Corporate Governance Director, DORA was a high-stakes challenge, demanding full visibility into Lemonade’s vendor ecosystem. “We’re used to building solutions, not filling out forms. The requirements were so heavy, we knew there had to be a better way to do it.”

This was the team’s first experience with DORA compliance, and some aspects of the process required adaptation and learning. While not everything went perfectly, the team successfully met regulatory requirements and established a strong foundation for ongoing compliance efforts.

The Challenge: Spreadsheets vs. DORA

DORA, the EU’s legislative push for stronger digital security in financial institutions, requires that organizations monitor and document their entire ICT subcontracting chain and confirm that every vendor, especially the critical ones, in their ecosystem meets cybersecurity standards.

For Lemonade’s small Corporate Governance team, already juggling Compliance, Risk, Corporate Governance, AI governance, Legal, TPRM, and Privacy responsibilities, DORA added a huge level of complexity.

“The Register of Information (ROI) was a beast,” Bassa admits. “We have to fill out 14 tabs in a gigantic spreadsheet. It felt like it was created for a machine, not humans.”

Up to that point, the team had been using Excel spreadsheets to manage third-party risk and compliance. But as the DORA deadline approached, that approach was proving unsustainable.

The Solution: DORA Compliance by Panorays

To add to the pressure, a joint report from European regulators revealed that only 6% of submissions using Excel were accepted during a dry run. The message was clear: spreadsheets were not going to cut it.

Meanwhile, the team was struggling to collect critical vendor information, manually combing through contracts to assemble compliance data. With DORA’s first ROI report due by April 2025, they knew they had to move faster.

“I looked into other vendors,” recalls Bassa, “but none offered what Panorays did.” Specifically, Panorays’ AI-powered compliance automation stood out as the only solution built to handle DORA third-party risk governance and the ROI.

Results: DORA on Auto-Pilot

Plugging Panorays in, Bassa saw immediate benefits: the platform automated data collection, organized vendor information, provided a single source of truth for third-party risk management, and solved Lemonade’s DORA compliance needs:

With Panorays
Automated monitoring and assessments
Comprehensive security ratings and insights
Streamlined questionnaires and data collection
Integrated third-party risk management platform
Confidence in meeting DORA requirements

“Panorays’ DORA Register of Information questionnaires helped us dig into contracts in a simpler way,” says Bassa. “Their algorithms automatically organize and manage the many permutations of ROI data, saving hours of painstaking work.”

Even better, Panorays naturally aligns with DORA’s pillars that relate directly to third-party risk: ICT Risk Management, ICT-related Incident Management and Reporting, and ICT Third-Party Risk Management. By addressing all these areas through a single platform, Lemonade has a clear, scalable path to compliance.

“I’m confident we’ll meet DORA’s requirements,” says Bassa. “And that’s a huge relief.”

5 DORA Lessons from Lemonade

1. Start early and be strategic

With deadlines approaching, start assessing your compliance gaps and resources now to avoid last-minute penalties.

2. Replace spreadsheets with automation

Regulators made it clear that Excel-based Register of Information submissions are likely to fail. Look for a dedicated platform to increase your chances of achieving and maintaining compliance.

3. Maximize compliance for strategic gains

Make compliance an opportunity to improve your organization’s overall security posture and give it a competitive edge.

4. Prioritize vendor visibility

DORA requires detailed visibility into your supply chain. Prioritize tools that map and monitor every third party and its subcontracting chain.

5. Choose scalable solutions

Choose platforms that streamline workflows and minimize manual intervention to get more done with fewer resources.

Compliance, with a twist of Lemonade

Lemonade didn’t set out to be a compliance powerhouse, but when DORA shook up the industry, they turned it into an opportunity to innovate. Partnering with Panorays, Lemonade found a way to manage compliance without losing sight of what makes them unique: an agile, transformative, digital-first brand.

Bassa puts it best: “We’re a tech company that happens to do insurance. Panorays automates compliance in a way that feels natural to us.”
