TL;DR: Solvency II compliance depends on traceable data, accountable governance, and defensible disclosures across capital calculations, supervision, and reporting, according to Collibra. The governance lesson is broader: regulated data programmes fail when lineage, ownership, and quality controls are treated as documentation instead of operational controls.
NHIMG editorial — based on content published by Collibra: Solvency II, solved: 3 ways Collibra builds lasting compliance
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should organisations prove that regulated reporting data is trustworthy?
A: They should treat lineage, approval history, and data quality rules as evidence controls, not administrative extras.
Q: Why does governance workflow matter for compliance programmes?
A: Because policy alone cannot prove accountability.
Q: What do security teams get wrong about data lineage and access control?
A: They often treat both as separate documentation tasks instead of as evidence of control.
Practitioner guidance
- Map critical data paths end to end Identify which source systems, transformations, manual overrides, and report outputs influence Solvency II calculations, then document the lineage for each critical field so auditors can reconstruct the number without ad hoc explanation.
- Assign named owners to regulated data assets Tie each high-value reporting dataset to a steward or owner who is accountable for approvals, exceptions, and issue resolution, and ensure that ownership is reflected in the workflow rather than only in policy documents.
- Standardise business terms and reference codes Create one controlled glossary for report terms, codes, and definitions so finance, risk, and IT teams use the same meaning when preparing disclosures and responding to audit questions.
What's in the full article
Collibra's full post covers the operational detail this post intentionally leaves for the source:
- The specific ways Collibra maps data lineage from source systems through transformations into Solvency II reports.
- How stewardship assignments and workflow automation are used to operationalise approvals and issue resolution.
- The role of policy management, business glossary, and reference data controls in disclosure consistency.
- Examples of how the platform is positioned across Pillar 1, Pillar 2, and Pillar 3 reporting obligations.
👉 Read Collibra's analysis of Solvency II compliance and data governance →
Solvency II and data lineage: what IAM teams should notice?
Explore further
Solvency II exposes a governance truth that identity teams already know: traceability matters only when it is operational. Collibra’s framing makes clear that compliance depends on being able to reconstruct how figures were produced, approved, and disclosed. That is the same governance expectation IAM teams face when they cannot explain who changed access, when, and under what authority. The practitioner conclusion is simple: if you cannot reconstruct the control path, you do not have a defensible control.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the same guide.
A question worth separating out:
Q: How should teams respond when a control path cannot be reconstructed?
A: They should pause reliance on that control for regulated outputs, identify the missing evidence step, and close the gap before the next reporting cycle. If the organisation cannot explain the path from source to decision, the safest assumption is that the control is not yet auditable.
👉 Read our full editorial: Solvency II compliance depends on auditable data lineage