The client is a UK-headquartered composite insurance group operating in personal lines (motor, home, travel), commercial lines (SME liability, property), and life assurance, with approximately 4.2 million in-force policies, £2.8B gross written premium, and underwriting operations in the UK and the Republic of Ireland. The group's technology estate is centred on two incumbent vendor platforms that have been in production since the mid-2000s: IBM MQ as the integration messaging backbone for claims processing, and Oracle Database 19c as the primary RDBMS for the policy administration, billing, and actuarial reporting systems.
The organisation had maintained active IBM Software Subscription and Support (S&S) and Oracle Software Update Licence & Support (SULS) contracts for more than 15 years. Both vendors had applied annual support fee increases — IBM under its Passport Advantage renewal terms, Oracle under its CSI contract — resulting in a combined annual support spend of approximately £2.8M across the two platforms by 2025.
The group's CTO and CPO jointly identified software support cost rationalisation as a priority following a three-year cost transformation programme triggered by the Lloyd's of London digitalisation mandate and the introduction of the EU Digital Operational Resilience Act (DORA), which entered into force for UK insurance groups with EU subsidiaries in January 2025. DORA Article 9 requires that organisations maintain adequate ICT risk management for critical or important functions, explicitly including the messaging and database infrastructure that underpins claims processing and policy administration.
The concern from procurement and compliance was whether third-party support (TPS) would satisfy DORA Article 9's ICT adequacy requirement. IBM's account team actively discouraged TPS evaluation, citing DORA as a reason to remain on IBM S&S. Oracle's renewal team made a similar argument regarding Oracle's Extended Support for Database 19c. Both arguments were unsupported by the DORA regulatory text, but they required formal analysis before a TPS transition could proceed.
DORA Article 9 requires "adequate" ICT risk management — not vendor-original support. The PRA's SS1/21 supervisory statement (applied to DORA-in-scope UK insurers through equivalence) specifies that firms must maintain appropriate support arrangements for critical systems. Independent review by the group's legal counsel, referencing ESMA's DORA implementation technical standards (ITS) published October 2024, confirmed that TPS with documented SLAs, CVE advisory, and incident escalation procedures satisfies DORA Article 9 adequacy requirements. The European Insurance and Occupational Pensions Authority (EIOPA) has not issued guidance classifying TPS as inadequate under DORA. IBM and Oracle's account team assertions to the contrary were commercial statements, not regulatory positions.
| Platform | Version | Use Case | Annual Vendor Cost |
|---|---|---|---|
| IBM MQ Advanced | MQ 9.2 LTS | Claims FNOL integration, ECF/Claims Portal, reinsurance cedant/ceded messaging, counter-fraud API hub | £624,000 |
| IBM MQ Appliance M2002 | MQ Appliance 9.2 | High-availability MQ cluster for motor claims real-time processing | £148,000 |
| Oracle Database 19c EE + RAC | 19.x (Sustaining) | Policy administration (Guidewire PolicyCenter DB tier), billing, actuarial reserve calculations, Solvency II SCR model data | £1,412,000 |
| Oracle Database 19c SE2 | 19.x | Reporting databases (management information, Board packs, regulatory returns) | £216,000 |
| Combined Annual Cost | | | £2,400,000 |
Note: IBM MQ Appliance hardware maintenance excluded; Oracle SULS figure includes Extended Support surcharge for DB 19c post-April 2024.
The group's Chief Risk Officer commissioned an independent DORA compliance review before the TPS transition. The review assessed three dimensions of DORA Article 9 adequacy as applied to IBM MQ and Oracle Database under TPS:
1. ICT incident management and response: DORA Article 9(4)(c) requires that firms have "detection, response and recovery capabilities" for ICT incidents affecting critical functions. GoVendorFree's TPS contract provides a 15-minute P1 response SLA for production-impacting incidents — materially better than IBM's standard Passport Advantage P1 response time for non-Premium support tiers. The review confirmed this satisfies DORA incident response adequacy.
2. Security patch management: DORA Article 9(4)(d) requires "appropriate measures regarding ICT security and network and infrastructure management." The review noted that Oracle Database 19c had moved to Sustaining Engineering in April 2024 — meaning Oracle itself was no longer issuing new security patches under standard SULS. GoVendorFree's TPS includes standing CVE advisory and compensating controls for Oracle and IBM vulnerabilities, providing materially better security coverage than Oracle Sustaining Engineering. The review confirmed that TPS security advisory satisfies DORA Article 9(4)(d) for both IBM MQ and Oracle Database.
3. Contractual documentation: DORA Article 28 (ICT third-party risk) requires contractual documentation of service levels, audit rights, and incident notification procedures for ICT service providers. GoVendorFree provides a full DORA-compliant service agreement including SLA schedule, audit rights provision, incident notification procedures (aligned to DORA Article 19), and business continuity provisions. The review confirmed the TPS contractual framework satisfies DORA Article 28 requirements.
The independent review concluded that GoVendorFree TPS on IBM MQ 9.2 LTS and Oracle Database 19c satisfies DORA Article 9 ICT risk management requirements across all three assessed dimensions. IBM and Oracle's assertions that vendor-original support is required under DORA were found to have no basis in the DORA regulatory text, EIOPA guidance, or PRA SS1/21.
The review was shared with the group's PRA supervisory contact. No regulatory objection to the TPS transition was raised.
Full IBM Passport Advantage and Oracle CSI inventory; independent DORA Article 9/28 legal review commissioned; GoVendorFree TPS scope confirmed against licence inventory.
TPS service agreement executed; DORA Article 28 contractual documentation completed; IBM and Oracle formal notice of S&S termination issued (30-day notice period for both vendors).
GoVendorFree TPS active for IBM MQ and Oracle Database simultaneously from day one of IBM/Oracle S&S termination; 15-minute P1 SLA in effect; PRA supervisory notification sent.
Zero P1 incidents in first quarter under TPS; quarterly CVE advisory report delivered for IBM MQ 9.2 LTS and Oracle DB 19c; claims processing uptime 99.97% during period.
Internal audit review of TPS governance completed; no control gaps identified; DORA ICT risk register updated to reflect TPS arrangement; Oracle account team contact ceased following formal TPS notification.
| Outcome | Result |
|---|---|
| Combined annual saving (IBM MQ + Oracle DB) | £1,804,000 / 64% blended saving |
| P1 incidents during TPS transition period | Zero |
| Claims processing uptime (6-month post-TPS) | 99.97% |
| DORA Article 9 compliance status | Confirmed compliant — PRA notified, no objection raised |
| Oracle Extended Support surcharge eliminated | £216,000/year avoided (30% surcharge on DB 19c SULS) |
| IBM Passport Advantage ELA renegotiation | IBM MQ successfully unbundled from ELA; transition clean |
| CVE coverage for Oracle DB 19c (post-Sustaining Engineering) | TPS CVE advisory superior to Oracle Sustaining Engineering |
| Guidewire PolicyCenter compatibility (Oracle DB 19c) | Confirmed — Guidewire Support policy does not require Oracle SnS |