Cyber Space: Global insights on cyber and data risk for insurers


Cyber Resilience Regulation: What does the current EU and UK position mean for cyber insurance?

In an increasingly aggressive cyber threat landscape, it is no surprise that cyber resilience has become a key consideration for the EU Commission and UK Government, with a focus on ensuring that businesses and critical infrastructure can respond to and recover from cyber incidents.

The overarching intention is to synchronise standards in order to update or establish clear security requirements, improve risk management practices, and enhance accountability for organisations handling sensitive data, with a view to reducing the financial and operational impact of cyber threats.

We consider the key regulatory changes in detail below, followed by our thoughts on what this may mean for cyber insurers. We note, however, that the increased regulation of cyber resilience is, in most cases, a positive development which may lead to a more structured and risk-aware cyber insurance market.

Network and Information Directive (NIS2)

The NIS2 directive, which was introduced in January 2023 with mandatory implementation by October 2024, has significantly changed the EU's cybersecurity landscape. It harmonises measures across critical sectors, requiring a comprehensive risk management framework for entities, including those using network and information systems like Internet of Things (“IoT”) devices.

NIS2 is a considerable upgrade on the existing NIS directive with a much broader scope, automatically covering both “essential” and “important” entities (based on sector and company size) in “highly critical” (e.g. energy and health) and “other critical” (e.g. waste management and manufacturing) sectors.

The directive requires organisations to implement more stringent cyber security measures, including stricter risk management practices and improved incident response, and also tightens incident notification duties, requiring entities to report high-impact incidents within 24 hours. There are significant penalties for non-compliance, including fines.

Significantly, the directive places a clear emphasis on the security of IT supply chains, requiring organisations to assess and manage risks associated with their suppliers and service providers who will also now be subject to regulatory oversight.

It is worth noting that the directive represents minimum requirements. Member States are therefore permitted to impose stricter regulations. When placing or writing business that may be captured by NIS2, it is therefore crucial to check the requirements for local compliance within the EU.

Digital Operational Resilience Act (DORA)

DORA, which was adopted in December 2022 and applied from January 2025, relates specifically to the financial sector. As with NIS2, it has the aim of further strengthening resilience by introducing common rules and standards to manage information and communication technology (“ICT”) risks.

DORA is built on five pillars: (i) ICT risk management; (ii) ICT incident management; (iii) digital operational resilience testing; (iv) ICT third-party risk; and (v) information sharing. It applies to a broad scope of financial entities and to certain ICT third-party service providers to those entities.

The main requirements set out under DORA relate to (a) internal governance management with specific responsibilities for the members of the management bodies; (b) the management of ICT risk and incident response; (c) digital operational resilience testing; (d) risk management and contractual requirements; and (e) information sharing. The key difference with NIS2 is, therefore, the specific regulatory oversight of and compliance by the members of financial entities’ management bodies. Outside of cyber cover, this poses a clear risk in respect of D&O exposure which may now need to be factored in.

In this respect, failure to address, or to adequately address, the requirements of DORA may lead to notable administrative sanctions from the relevant competent authorities, alongside any corporate law liabilities for applicable entities and, where relevant, their managers/D&Os.

EU Cyber Resilience Act (the Act)

The Act came into force in December 2024 and will apply from December 2027. It relates to companies that develop, manufacture, import or distribute products with digital elements (mainly IoT devices, such as smart speakers, autonomous vehicles, software applications and cloud services) on the EU market, regardless of their location.

Its key objectives are to: (i) enhance the security of digital products and services (such as software and hardware) by ensuring these are designed and developed with robust cybersecurity measures from the outset; (ii) harmonise cyber security requirements by establishing a common set of standards across the EU for businesses operating within the digital market; (iii) improve incident reporting; and (iv) increase consumer trust by ensuring that digital products and services meet high cybersecurity standards.

The Act outlines specific compliance measures, including regular security assessments, vulnerability management, and the implementation of “security-by-design” principles. Non-compliance with the Act can result in significant penalties, including fines and restrictions on market access.

UK Cyber Security and Resilience Bill (the Cyber Bill)

Whilst not in direct lockstep with the EU, the UK government announced the Cyber Bill in July 2024. At the time of writing, this is in pre-legislative scrutiny and is intended to be introduced to the UK Parliament in 2025.

Current information indicates that the Cyber Bill will follow a similar approach to that taken by the EU in NIS2 and the Cyber Resilience Act (CRA) to ensure critical infrastructure and digital services are secure. We note there is presently no intention for a UK version of DORA.

We will comment on the Cyber Bill further as it progresses, but it is relevant to note that each piece of EU legislation mentioned above is intended to have extraterritorial effect. As such, NIS2 and DORA will apply to UK businesses operating in the EU or with EU based customers, and the CRA to businesses that develop, manufacture, import or distribute products with digital elements on the EU market.

Comment and Considerations for Cyber Insurers

We consider that the key take-home from the above is that each piece of legislation, whilst targeted at a different audience, is focused on increased harmonisation of cyber resilience across Europe, enhanced security operations and improved reporting/information sharing. As noted at the outset, this appears to be a positive step.

From an insurance perspective, it is anticipated that the stricter regulatory requirements being imposed, across a wider spectrum of organisations, will likely result in increased uptake of cyber insurance and increased use of risk management services.

At the same time, it is also expected that those businesses electing to buy cyber insurance may well be better risks, and those with inadequate safeguards could potentially be charged higher premiums given the higher regulatory exposure. We would, however, caution that brokers and underwriters should be alive to the fact that not all organisations (especially those supplying services to regulated entities) will be aware that they fall within the scope of the new regimes or the extent of their increased obligations and requirement to invest in enhanced cybersecurity. This may, therefore, become a relevant consideration within the placing process.  

We also consider it likely that brokers and underwriters will want to review the scope of cover currently provided in light of the changes described above. We say this because, whilst most cyber policies provide cover for losses arising out of regulatory investigations, these may be limited to privacy and data only (such as breaches of the GDPR) and not include the regulation of operational resilience. The cover offered may also need to take account of the increased reporting and notification costs which may follow the new regulations and the potentially stricter financial penalties facing non-compliant businesses, as well as the scope for increased contractual liability and civil litigation that may follow the increase in regulation.

As alluded to above, other classes of insurance, such as D&O and Financial Institutions, may also wish to consider the potential implications of the new legislative regime, especially where this places obligations and liability for cyber security on senior management.

When considering all of the above, CMS’ global cyber and data breach team has longstanding experience (alongside technical partners) in assisting organisations, including those falling within the new legislative regimes and their supply chains, and their insurers, in relation to cyber breach preparedness and improved cyber resilience. Please contact the authors if you would like to discuss further.

Cyber Space – More to come…

This article is part of our Cyber Space series. These monthly articles, produced for the cyber insurance market, are written collaboratively by CMS’ global network of cyber and data lawyers to build a rolling comparison of the approaches to cyber risks, insurance and legislation across jurisdictions. As an international full-service law firm, providing cyber coverage advice and incident response services to insurers and their policyholders for over 15 years, CMS is ideally placed to comment on the important issues and developments in the global cyber space and the potential impacts on insurers and policy cover.