The impact of the new 'cybersecurity' directive, NIS2, on insurers
Although the exact date is not yet clear, the entry into force of the new law is a question of when, not if. The European Union is working on a new cybersecurity directive: NIS2 (NIS: Network and Information Systems). As the name suggests, this law is the successor to the existing 'NIS' Directive, which has been in force since 2016. The new directive tightens cybersecurity regulations, which is good news for insurers.
The NIS Directive aims to make European companies more resilient to cyberattacks. Companies that fall within its scope are required to meet a certain level of cybersecurity. The current directive applies to companies that are considered to provide essential services, in areas such as energy, drinking water and transport. The proposed NIS2 Directive provides for wider coverage of sectors, including telecommunications, waste management and food. In addition, the size of a company no longer has any effect on whether or not it must comply with the directive. Member States may also opt to extend the scope.
As Arjan Halma, from Eye Security, explains: "Although the directive has not yet been finalised and still needs to be transposed into national legislation, it is clear that European companies need to be in a position to better arm themselves against cyberattacks. This will make Europe more secure as a whole, which is beneficial for insurers offering cyber insurance."
Making cyber risk manageable again
Thus far, insurers have struggled to manage cyber risk. The likelihood of a company experiencing a cyberattack is steadily growing, as is the potential impact of such an attack. For example, the damage caused worldwide by ransomware in 2021 was estimated at $20 billion. "As a result, insurers impose increasingly stringent requirements on companies that want to take out cyber insurance. Some insurers are also withdrawing from the cybermarket entirely because of the unpredictable nature of cybercrime," says Halma.
Securing and insuring
The new directive will therefore benefit insurers. Many previously 'uninsurable' companies and even entire industries will have to implement measures to become more resilient and minimise the likelihood of harmful cyberattacks. Halma: "At Eye Security, we believe in the combination of security and insurance, precisely because this allows you to have a direct impact on the cybersecurity of a company. Insurance is the final piece of the puzzle, so that the residual risk is also covered. We work with our partners—many of whom are insurers—to help manage their clients' cyber risk. With the entry into force of NIS2, together we can help more companies in Europe manage their cybersecurity."