Key takeaway: NIS2 and cyber insurance are now entangled. Insurers use NIS2 controls as a proxy for risk, and policies increasingly include warranties tied to those controls. The organisations that handle NIS2 well get better cover at better prices. The organisations that do not handle it well often discover at claim time that the policy is narrower than they thought.

Between 2022 and 2024, the European cyber insurance market hardened sharply. Premiums climbed, capacity shrank, and underwriting questionnaires doubled in length. Through 2025 and into 2026, the market has stabilised, but the shape of the product has changed. Much of that change tracks the arrival of NIS2 and the first enforcement actions.

This article covers four questions in depth. What does NIS2 actually change about underwriting? What are insurers checking in 2026? Which exclusions appear in current policies that were not there two years ago? And how do you keep a policy payable after a significant incident?

What NIS2 changes for insurers

Cyber insurance has always been a difficult line of business. Losses are correlated (a single ransomware strain can hit hundreds of clients at once), data is noisy, and the threat environment moves faster than any actuarial model. NIS2 helps insurers in three specific ways, and forces them to act in one more.

  • A harmonised minimum security baseline. Article 21 gives insurers a common list of 10 control areas to underwrite against. This replaces a patchwork of national rules and internal security questionnaires with a shared reference.
  • Forced transparency on incidents. Article 23 incident notifications feed into a regulatory data set. Aggregated, anonymised data from this set is starting to reach actuaries and is already sharpening loss models.
  • Named director accountability. Article 20 changes how directors and officers (D&O) cover interacts with cyber cover. A NIS2 failure is now a personal exposure as well as a company one, and D&O insurers have responded with new questions and exclusions.
  • New exposure: regulatory fines. Insurers must respond to a new, large, non-insurable exposure. Most 2026 policies make this explicit rather than leaving it ambiguous.

What underwriters check in 2026

The 2026 cyber insurance questionnaire looks increasingly like a compressed NIS2 Article 21 assessment. Across the major European carriers, three items appear on every form and carry the most weight in pricing and capacity decisions.

1. MFA coverage

Percentage of users enrolled in MFA, broken down by external-facing, privileged, and third-party accounts. Insurers often require phishing-resistant MFA for privileged access. Misrepresentation here is the single most common reason for a coverage dispute at claim time.

2. Backups: offline, immutable, tested

Insurers want to see at least one backup copy that is offline or immutable, plus documented restore tests within the last 12 months. A backup architecture that is entirely online and reachable from production is now a scored underwriting negative on most questionnaires.

3. Tested incident response

A written incident response plan and evidence of a tabletop exercise or live exercise within the last 12 months. Insurers increasingly ask for the exercise report, not just a confirmation that it happened. The ability to demonstrate this control directly interacts with the 24- and 72-hour NIS2 reporting obligations.

Second-tier questions that also matter

  • Endpoint detection and response (EDR) coverage across the estate.
  • Email security and anti-phishing controls.
  • Patching cadence and exceptions.
  • Supplier tiering and a list of the top 10 critical suppliers.
  • Board-level cybersecurity training under Article 20.
  • Data classification and the location of the crown-jewel data.

What 2026 policies exclude

Coverage wording has tightened across the market. These are the exclusions most likely to appear in a 2026 policy that were not standard in 2023.

  • Regulatory fines. Administrative fines under NIS2, GDPR, and sector regulations are typically excluded. Legal defence costs and associated notification and remediation costs are often still covered, but the fine itself is not.
  • War and state-sponsored attacks. Following the Lloyd's 2023 market bulletin, most policies now contain a war and state-backed cyber exclusion. The exact wording varies and is a point to negotiate, particularly for entities in geopolitically exposed sectors.
  • Infrastructure-level outages. Some policies exclude losses from widespread outages at hyperscale cloud providers. This appeared after 2024 and 2025 outages caused correlated claims. The wording often turns on what counts as "widespread".
  • Failure to patch named vulnerabilities. Policies may require the insured to patch critical vulnerabilities within a stated window (often 14 to 30 days) after public disclosure. A breach exploited through an unpatched, named CVE may be denied.
  • Breach of stated security warranties. Policies increasingly list warranted controls (MFA on external-facing accounts, EDR coverage percentage, backup posture). If any warranted control is not in place at the time of the incident, cover can be reduced or voided.

Read the warranties schedule first: In 2026 policies, the warranties schedule is often more important than the coverage section. A warranty that MFA covers 100% of external-facing accounts, in a policy where coverage is actually 92%, means the insurer can walk away from the claim. The coverage section looks generous; the warranties make it conditional.

Keeping a policy payable after an incident

The interaction between NIS2 obligations and cyber insurance gets real at the worst possible moment: when you are responding to a significant incident. Four practical points matter.

  • Notify the insurer early. Most policies require notification within a short window (often 24 to 72 hours) of discovering a claimable event. Late notification is a common denial ground. Parallel to the NIS2 24-hour early warning, you usually have a similar deadline with your insurer.
  • Use the panel responders. Policies commonly require the use of panel incident response firms, forensic providers, and legal counsel. Calling your own preferred vendor without approval can result in those costs being denied. The incident response plan should list both regulator contacts and the insurer's panel.
  • Do not make ransom decisions unilaterally. Ransom payment cover is now narrow and increasingly excluded. If cover exists, it often requires pre-authorisation from the insurer and sanctions screening. Paying first and claiming later almost never works.
  • Document everything. The same evidence trail that satisfies Article 21 effectiveness assessment satisfies the insurer's post-incident review. Contemporaneous logs, timelines, and decision records shorten the claim cycle significantly.

Pre-renewal checklist

Use this checklist before your next renewal cycle. Each item improves either the premium, the capacity, or the reliability of cover at claim time.

  • MFA coverage report you can attach to the questionnaire, with the exception list.
  • Most recent restore test report, ideally with offline or immutable backup architecture documented.
  • Tabletop exercise report from the last 12 months.
  • EDR coverage figures, including servers, endpoints, and any OT or IoT scope that applies.
  • Board-level training record under Article 20.
  • Supplier register with tiering and a shortlist of the top 10 critical suppliers.
  • Patching metrics against an agreed SLA, with exception process documented.
  • Warranties schedule from the last policy, with a written assessment of whether each warranty is still satisfied today.
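The two items that most often decide a claim, the MFA coverage report with its exception list and the written assessment of the warranties schedule, can be produced from the same evidence. The script below is an added example, not code from the article or from any insurer: it computes MFA coverage in the breakdown underwriters ask for (external-facing, privileged, third-party, plus phishing-resistant MFA for privileged access) from a constructed identity export, then checks a warranties schedule against an evidence pack. The account names and flags, the warranty thresholds, and the non-MFA evidence figures (EDR percentage, backup copies, test ages, patch age) are all constructed for the example; substitute your own export and the schedule from your actual policy.

```python
"""Added example: MFA coverage report by account class plus a warranties-schedule
check against current evidence. All sample data is constructed; not the article's code."""
import operator
from dataclasses import dataclass
from typing import Dict, List, Optional

# Methods insurers usually accept as phishing-resistant (assumption for the example).
PHISHING_RESISTANT = {"fido2", "certificate"}


@dataclass(frozen=True)
class Account:
    name: str
    external_facing: bool
    privileged: bool
    third_party: bool
    mfa_method: str  # "none", "sms", "totp", "push", "fido2" or "certificate"


# Constructed identity export (hypothetical names and flags).
ACCOUNTS: List[Account] = [
    Account("alice",      True,  True,  False, "fido2"),
    Account("bob",        True,  False, False, "totp"),
    Account("carol",      True,  False, False, "none"),        # external-facing, no MFA
    Account("dave",       False, True,  False, "totp"),        # privileged, not phishing-resistant
    Account("erin",       True,  False, True,  "push"),
    Account("frank",      False, False, False, "none"),        # internal only, no MFA
    Account("grace",      True,  True,  True,  "fido2"),       # vendor admin
    Account("svc-backup", False, True,  False, "certificate"),
]


def _coverage(members: List[Account], enrolled) -> Dict:
    enrolled_accounts = [a for a in members if enrolled(a)]
    exceptions = sorted(a.name for a in members if not enrolled(a))
    # An empty class has nothing uncovered, so it is reported as 100%.
    pct = round(100.0 * len(enrolled_accounts) / len(members), 1) if members else 100.0
    return {"total": len(members), "enrolled": len(enrolled_accounts),
            "pct": pct, "exceptions": exceptions}


def mfa_coverage(accounts: List[Account]) -> Dict[str, Dict]:
    """Coverage per account class, in the breakdown underwriters ask for, with exception lists."""
    def has_mfa(a: Account) -> bool:
        return a.mfa_method != "none"

    classes = {
        "external_facing": lambda a: a.external_facing,
        "privileged": lambda a: a.privileged,
        "third_party": lambda a: a.third_party,
        "all": lambda a: True,
    }
    report = {name: _coverage([a for a in accounts if pred(a)], has_mfa)
              for name, pred in classes.items()}
    # Phishing-resistant MFA is a separate, stricter question for privileged access.
    report["privileged_phishing_resistant"] = _coverage(
        [a for a in accounts if a.privileged], lambda a: a.mfa_method in PHISHING_RESISTANT)
    return report


@dataclass(frozen=True)
class Warranty:
    control: str       # key into the evidence dict
    op: str            # ">=", "<=" or "=="
    threshold: float
    description: str


_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


def evaluate_warranties(warranties: List[Warranty], evidence: Dict[str, Optional[float]]) -> List[Dict]:
    """Compare each warranted control with current evidence. Missing evidence counts as a
    failure: at claim time the insured has to prove the control was in place."""
    results = []
    for w in warranties:
        actual = evidence.get(w.control)
        satisfied = actual is not None and _OPS[w.op](actual, w.threshold)
        results.append({"warranty": w.description, "control": w.control, "actual": actual,
                        "required": f"{w.op} {w.threshold}", "satisfied": satisfied})
    return results


def breached(results: List[Dict]) -> List[str]:
    """Descriptions of every warranty not currently satisfied."""
    return [r["warranty"] for r in results if not r["satisfied"]]


# Warranties schedule modelled on the controls the article lists (thresholds are constructed).
WARRANTIES = [
    Warranty("mfa_external_facing_pct", ">=", 100, "MFA on 100% of external-facing accounts"),
    Warranty("mfa_privileged_phishing_resistant_pct", ">=", 100, "Phishing-resistant MFA for all privileged access"),
    Warranty("edr_coverage_pct", ">=", 95, "EDR deployed on at least 95% of endpoints and servers"),
    Warranty("offline_or_immutable_backup_copies", ">=", 1, "At least one offline or immutable backup copy"),
    Warranty("days_since_restore_test", "<=", 365, "Restore test within the last 12 months"),
    Warranty("days_since_ir_exercise", "<=", 365, "IR tabletop or live exercise within the last 12 months"),
    Warranty("critical_patch_max_age_days", "<=", 30, "Critical CVEs patched within 30 days of disclosure"),
]


def current_evidence(accounts: List[Account]) -> Dict[str, Optional[float]]:
    """Evidence pack: MFA figures computed from the export, the rest constructed for the example."""
    mfa = mfa_coverage(accounts)
    return {
        "mfa_external_facing_pct": mfa["external_facing"]["pct"],
        "mfa_privileged_phishing_resistant_pct": mfa["privileged_phishing_resistant"]["pct"],
        "edr_coverage_pct": 97.5,                 # constructed
        "offline_or_immutable_backup_copies": 1,  # constructed
        "days_since_restore_test": 410,           # constructed: older than the warranty allows
        "critical_patch_max_age_days": 21,        # constructed
        # no "days_since_ir_exercise" entry: the exercise report could not be produced
    }


if __name__ == "__main__":
    for cls, row in mfa_coverage(ACCOUNTS).items():
        print(f"{cls:32s} {row['pct']:5.1f}%  exceptions={row['exceptions']}")
    for r in evaluate_warranties(WARRANTIES, current_evidence(ACCOUNTS)):
        status = "PASS" if r["satisfied"] else "FAIL"
        print(f"{status} {r['warranty']} (actual={r['actual']}, required {r['required']})")
```

Run as-is, the report shows 80% external-facing coverage with carol as the exception and 75% phishing-resistant coverage for privileged accounts with dave as the exception; four of the seven warranties fail, including the exercise warranty for which no evidence exists at all. That last case is deliberate: the written assessment the checklist asks for should treat "cannot evidence" the same as "not in place", because that is how the insurer will treat it at claim time.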

How D&O and cyber policies now interact

Article 20 creates a personal exposure for directors. Most D&O policies will respond to regulatory investigations and defence costs, but an increasing number now have NIS2-specific carve-outs. Two issues to raise with the D&O broker at renewal.

First, is regulatory defence covered explicitly for NIS2 supervisory actions, including actions against named individuals? Second, is there an exclusion for "known prior deficiencies"? If the entity has received a warning letter from a competent authority and has not remediated, subsequent defence costs may be denied. Keeping NIS2 remediation moving is therefore a D&O issue as well as a cyber one.

Frequently asked questions

Does NIS2 require cybersecurity insurance?

No. NIS2 does not mandate cyber insurance. It does require risk management, incident handling, and business continuity under Article 21, and insurance is one control that can be used to transfer residual risk after those controls are in place and evidenced.

Are regulatory fines under NIS2 insurable?

Administrative fines imposed under NIS2 are generally not insurable under EU law, and most 2026 cyber policies explicitly exclude them. Legal defence costs associated with regulatory proceedings are typically covered, as are breach notification costs and forensic remediation.

What do cyber underwriters check first in 2026?

The three items on every 2026 questionnaire are MFA coverage across all privileged and external-facing accounts, the presence of tested offline or immutable backups, and evidence of an incident response plan that has been exercised in the last 12 months. Missing any one of these typically triggers a declined quote.

Can a policy be voided if I failed to meet NIS2 obligations?

Yes, in two ways. First, misrepresentation on the application, for example overstating MFA coverage, can void the policy. Second, several 2026 policies add warranties requiring the insured to maintain specified controls; a breach of warranty can reduce or eliminate cover at claim time.

Does D&O insurance still cover NIS2-related director liability?

D&O policies continue to respond to claims alleging breach of duty by directors, which is the likely route for NIS2 personal liability. However, personal administrative fines imposed under national NIS2 transpositions are often excluded. Review the definition of loss and the regulatory exclusions with the broker before renewal.

What is the difference between first-party and third-party cyber cover under NIS2?

First-party cover pays the insured's own losses: forensic costs, business interruption, ransomware payments where legal, data restoration. Third-party cover pays liability to others: regulatory defence, customer class actions, professional indemnity (PI) claims from affected suppliers. A NIS2-ready programme needs both, because Article 23 notifications can trigger follow-on third-party claims.

Are ransomware payments still insurable under EU cyber policies?

Coverage still exists on most EU cyber policies but with tighter conditions in 2026: prior insurer consent, OFAC and EU sanctions screening, and mandatory use of an approved negotiator. Payments to sanctioned entities are uninsurable and illegal. Insurers also require proof the decryption path was the only viable recovery option.
