SOLVENCY II PILLAR 2 COMPLIANCE SOFTWARE FOR THE INSURANCE SYSTEM OF GOVERNANCE

Run the Solvency II System of Governance as one live system of record: board responsibility, written policies, the risk management system, the ORSA process, the four key functions including the actuarial function, fit and proper, and outsourcing. 45 Pillar 2 controls, evidenced once and reused across DORA and ISO 27001.

What is Solvency II Pillar 2 and who must comply? Solvency II (Directive 2009/138/EC, with Delegated Regulation (EU) 2015/35 and the EIOPA Guidelines on the System of Governance) is the EU prudential regime for insurers and reinsurers. Pillar 2 is its System of Governance, Articles 40 to 49, covering board (AMSB) responsibility, written policies, the risk management system, the ORSA, the internal control and compliance function, internal audit, the actuarial function, fit and proper, remuneration and outsourcing. It is supervised by EIOPA and national regulators, and it applies to every EU (re)insurer. Venvera covers Pillar 2 only; it does not perform Pillar 1 capital calculations or Pillar 3 QRT reporting. As Solvency II compliance software built around Pillar 2, Venvera manages the System of Governance, the ORSA (Own Risk and Solvency Assessment) as a governed process, the four key functions (risk management, compliance, actuarial and internal audit), and the fit and proper requirements for AMSB members and key-function holders, all evidenced against the EIOPA Guidelines and the expectations of national supervisors.

EIOPA guidelinesDirective 2009/138/ECArt 40-49ORSA processFour key functions
Solvency II Pillar 2 governance dashboard with key functions, ORSA status and crosswalk coverage

AN EFFECTIVE SYSTEM OF GOVERNANCE UNDER ARTICLES 40 AND 41

Solvency II Article 40 makes the administrative, management or supervisory body (AMSB) ultimately responsible for compliance, and Article 41 requires an effective, proportionate system of governance: a clear organisational structure, transparent reporting lines, segregation of duties, and a full set of written policies reviewed at least annually. Venvera is the Solvency II compliance software that acts as the system of record for that governance. It holds the org and reporting-line map, the written policy library with board approval and review cadence, and the evidence behind every one of the 45 Pillar 2 controls. Your CRO and key-function holders work from one live picture instead of a folder of static documents.

  • Organisational structure and reporting lines mapped to Article 41(1)
  • Written policy library (risk management, internal control, internal audit, outsourcing, remuneration) with annual review cadence
  • AMSB approval workflow and sign-off records for every policy
  • Segregation of duties evidenced across the three lines of defence
  • All 45 System of Governance controls tracked with owner, status and evidence
app.venvera.com/solvency-ii-pillar-2Solvency II Pillar 2 ComplianceEU · EIOPA + national regulators · Directive 2009/138/EC · Delegated Reg (EU) 2015/35COMPLIANCE SCORE72%Target 80%Last assessment14 days agoNext internal auditQ3 · on scheduleOpen gaps12CONTROLS114EVIDENCE86GAPS12OVERDUE3Domain readiness% controls implementedGovernance88%Risk management74%Operations62%Third-party56%

RUN THE ORSA AS A GOVERNANCE PROCESS, NOT A SPREADSHEET

Article 45 requires every insurer to conduct its Own Risk and Solvency Assessment and to embed it in decision-making. Venvera runs the ORSA as a governed process: the ORSA policy, the annual and ad hoc trigger schedule, the board approval workflow, the documented record, and the review cadence. It is deliberately the process wrapper, not the numbers. Venvera does not calculate your solvency needs, technical provisions or capital; your actuarial function and capital model own that. Venvera makes sure the assessment is policy-driven, approved by the AMSB, documented, and repeatable, which is exactly what a supervisor tests.

  • ORSA policy with defined methodology, frequency and ad hoc triggers
  • AMSB approval workflow with recorded challenge and sign-off
  • Documentation of the ORSA record and the internal report to management
  • Review cadence and evidence that ORSA output feeds strategic decisions
  • Clear boundary: governance process only, never the capital calculation
app.venvera.com/solvency-ii-pillar-2Solvency II Pillar 2 ComplianceEU · EIOPA + national regulators · Directive 2009/138/EC · Delegated Reg (EU) 2015/35Control LibrarySearch controls…All domains ▾+ Add controlREFCONTROLSTATUSOWNERA.5.1Policies for information securityIMPLEMENTEDJLJ. LewisA.5.9Inventory of information and assetsIMPLEMENTEDJLJ. LewisA.5.23Information security for cloud servicesPARTIALJLJ. LewisA.6.1Screening of personnelIMPLEMENTEDJLJ. LewisA.6.3Information security awareness, educationPARTIALJLJ. LewisA.8.9Configuration managementMISSINGJLJ. LewisA.8.16Monitoring activitiesIMPLEMENTEDJLJ. LewisA.8.24Use of cryptographyIMPLEMENTEDJLJ. Lewis

RISK MANAGEMENT, COMPLIANCE, INTERNAL AUDIT AND ACTUARIAL: ALL FOUR KEY FUNCTIONS

Solvency II names four key functions: risk management (Article 44), compliance within the internal control system (Article 46), internal audit (Article 47), and the actuarial function (Article 48). Each must be operationally independent, held by a fit and proper person, and evidenced. Venvera gives every function its own workspace: mandate, holder, independence evidence, work plan, and the reports it owes the AMSB. The actuarial function's coordination of technical provisions, opinion on the underwriting policy and opinion on reinsurance arrangements are tracked as governance deliverables. Venvera records that the opinions were produced, reviewed and delivered to the board; it does not compute the technical provisions themselves. These insurance-specific functions are native controls, evidenced directly and never auto-satisfied from generic evidence.

  • Risk management function (Art 44) with the risk management system and risk policies
  • Compliance function (Art 46) advising the AMSB and assessing regulatory change
  • Internal audit function (Art 47) with an independent, risk-based audit plan
  • Actuarial function (Art 48): coordination of technical provisions tracked as a governance deliverable (not computed), plus underwriting and reinsurance opinions
  • Independence, fit and proper status and AMSB reporting evidenced per function
app.venvera.com/solvency-ii-pillar-2Solvency II Pillar 2 ComplianceEU · EIOPA + national regulators · Directive 2009/138/EC · Delegated Reg (EU) 2015/35TOTAL128FRESH96STALE24MISSING8Evidence vaultlinked to 114 controlsISMS Policy v3.2PDF · 2.1MBFRESHRisk Register Q2XLSX · 540KBFRESHPenetration Test ReportPDF · 8.3MBSTALEAccess Review 2026-Q1CSV · 120KBFRESHVendor Due DiligenceDOCX · 1.4MBMISSINGIncident Response PlanPDF · 3.8MBFRESH

FIT AND PROPER RECORDS AND OUTSOURCING CONTROL

Article 42 requires everyone who effectively runs the undertaking or holds a key function to be fit (professionally competent) and proper (of good repute and integrity), on appointment and continuously. Article 49 governs outsourcing, especially of critical or important functions, requiring due diligence, contractual safeguards, ongoing monitoring and notification to the supervisor. Venvera keeps the fit and proper register (qualifications, assessments, good-repute checks and renewal dates) and an outsourcing register with criticality classification, contract clauses, service monitoring and the supervisory notification trail. For ICT and security outsourcing, the same contractual and monitoring evidence you maintain for DORA is reused here through the crosswalk.

  • Fit and proper register per Art 42 with reassessment and renewal reminders
  • Good-repute and competence evidence for AMSB members and key-function holders
  • Outsourcing register per Art 49 with critical-or-important classification
  • Contractual safeguards, exit plans and ongoing service monitoring tracked
  • Supervisory notification trail for outsourcing of critical or important functions
app.venvera.com/solvency-ii-pillar-2Solvency II Pillar 2 ComplianceEU · EIOPA + national regulators · Directive 2009/138/EC · Delegated Reg (EU) 2015/35LATEST BOARD REPORTSolvency II Pillar 2 · Q2 2026Prepared for: Board of DirectorsGenerated: 2 minutes ago · 18 pages1. Executive summaryp. 22. Control effectivenessp. 53. Key risks & incidentsp. 84. Remediation progressp. 115. Annex - full control matrixp. 14Download DOCXExport to xBRL-CSVRecent exportsBoard pack - Q2 CyberGenerated 2 min agoFINALManagement review minutesDOCX · 38 pagesFINALRegulator submission - draftxBRL-CSV · 1.2MBDRAFTAuditor requests - responsePDF · 24 artefactsDRAFT

EVIDENCE ONCE, COMPLIANT EVERYWHERE: DORA AND ISO 27001 INTO SOLVENCY II

Most EU insurers are already running DORA, and many hold ISO 27001 or fall under NIS2. Their governance requirements overlap heavily with the Solvency II System of Governance. Venvera's crosswalk maps that overlap so you evidence once: satisfying your DORA or ISO governance controls auto-satisfies the equivalent Solvency II governance controls, namely organisational structure and reporting lines, segregation of duties, protection of records, and the contractual plus monitoring requirements for ICT and security outsourcing. What never auto-satisfies is the insurance-specific core: the ORSA process, the four key functions including the actuarial function, fit and proper, remuneration and non-ICT operational risk. Those stay native and are evidenced directly, because a supervisor would reject borrowed evidence for them, and so do we.

  • DORA and ISO 27001 governance evidence auto-satisfies equivalent Pillar 2 controls
  • Overlap covers org structure, segregation of duties, records protection and ICT outsourcing
  • Insurance-specific controls stay native: ORSA, key functions, fit and proper, remuneration
  • No fake coverage: generic evidence never fills an actuarial or ORSA control
  • One evidence update flows to every mapped framework at once
app.venvera.com/solvency-ii-pillar-2Solvency II Pillar 2 ComplianceEU · EIOPA + national regulators · Directive 2009/138/EC · Delegated Reg (EU) 2015/35Control LibrarySearch controls…All domains ▾+ Add controlREFCONTROLSTATUSOWNERA.5.1Policies for information securityIMPLEMENTEDJLJ. LewisA.5.9Inventory of information and assetsIMPLEMENTEDJLJ. LewisA.5.23Information security for cloud servicesPARTIALJLJ. LewisA.6.1Screening of personnelIMPLEMENTEDJLJ. LewisA.6.3Information security awareness, educationPARTIALJLJ. LewisA.8.9Configuration managementMISSINGJLJ. LewisA.8.16Monitoring activitiesIMPLEMENTEDJLJ. LewisA.8.24Use of cryptographyIMPLEMENTEDJLJ. Lewis

SOLVENCY II PILLAR 2 COMPLIANCE: VENVERA VS MANUAL TRACKING

Capability
Manual Tracking
Venvera
System of governance
Word policies in shared drives, no live status
45 controls with owner, status and evidence in one system of record
ORSA process
Actuarial add-on focused on the number, thin on governance
Governed ORSA: policy, AMSB approval, documentation, review cadence
Four key functions
Tracked in separate spreadsheets per function
A workspace per function with independence and AMSB reporting evidence
Fit and proper
HR files and manual renewal reminders
Live register with reassessment and renewal alerts per Art 42
Outsourcing (Art 49)
Contract list with no criticality or monitoring view
Register with criticality, safeguards, monitoring and notification trail
Cross-framework reuse
Re-evidenced separately for DORA, ISO and Solvency II
Evidence once via the crosswalk; native controls stay native

45

Pillar 2 System of Governance controls

4

Key functions: risk, compliance, audit, actuarial

Art 40-49

System of Governance scope covered

from €399

Per month, EU data residency

FREQUENTLY ASKED QUESTIONS ABOUT SOLVENCY II PILLAR 2

READY TO GOVERN SOLVENCY II PILLAR 2?

Start with a free trial. Map your System of Governance to the 45 Pillar 2 controls, stand up your ORSA process and key-function workspaces, and let the crosswalk pull in the DORA and ISO 27001 evidence you already have. Pillar 2 governance from EUR 399 per month, with EU data residency. Venvera complements your actuarial engine and QRT tool; it does not replace them.

AES-256 Encryption
EU Data Residency
SOC 2 Certified