Art. 21(1) NIS 2

Cyber insurance under NIS 2

Insurance can pay claims. It does not perform the technical and organisational measures that Article 21 NIS 2 requires.

Simon Orzel

Overview

Cyber insurance and NIS 2 sit on different layers. A cyber policy is a private contract between an entity and an insurer that pays defined costs after an incident. NIS 2 is public law: Article 21 sets out the technical and organisational measures essential and important entities have to implement, Article 23 sets out the reporting duty, Article 27 sets out the registration duty. None of these duties move to the insurer when a policy is signed.

The BSI states this directly. Its NIS 2 information package describes blanket risk transfer through an insurance policy as not available under the directive's risk management regime. Article 21(1) NIS 2 requires appropriate and proportionate measures, taking into account the state of the art and the cost of implementation. A signed policy is neither a measure nor a substitute for one.

The practical question for an operator in scope of Article 21 is therefore not whether to have cyber insurance, but how the policy interacts with the underlying NIS 2 controls. Most policies require those controls to be in place as a precondition for cover. The same controls are the ones the BSI and national supervisors look at during a NIS 2 audit.

Legal anchor
Article 21 NIS 2, the Commission Implementing Regulation, and the German transposition. The risk management framework is defined at EU level; member state law transposes it.

Article 21(1) NIS 2

Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services. Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed.

Source: Directive (EU) 2022/2555, Article 21(1). The reference points are state of the art, relevant standards, and cost of implementation. Insurance is not in the list.

CIR 2024/2690 Annex, point 2

The policy on the security of network and information systems shall lay down the approach of the relevant entities to managing the security of their network and information systems. The risk management framework referred to in point 2.1 shall identify, and provide for the management of, the risks to the security of network and information systems.

Source: Commission Implementing Regulation (EU) 2024/2690, Annex. The detailed risk management requirements for digital infrastructure entities are framed around a risk management framework with measures, not around financial risk transfer.

§30 BSIG (German transposition)

Particularly important entities and important entities are obliged to take appropriate, proportionate and effective technical and organisational measures in order to manage the risks to the security of the information technology systems, components and processes they use to provide their services, and to avoid or keep as low as possible the impact of security incidents.

Source: §30 (1) BSIG. The German transposition mirrors Article 21 NIS 2: technical and organisational measures by the entity itself, on a proportionality standard. Insurance is not named as one of the means.

What a typical cyber policy covers
Cyber policies on the German market are not standardised, but the cover headings are broadly similar. The descriptions below are illustrative of common terms, not a substitute for reading a specific policy.
Typical cover

Incident costs and third-party liability

Common cover heads include incident response costs (forensics, legal, communications), business interruption losses tied to a covered cyber event, data restoration costs, and third-party liability for claims by customers or data subjects. Some policies extend to ransom payments in jurisdictions where this is lawful, subject to sanctions screening.

Typical exclusions

Fines, prior knowledge, war and infrastructure

Regulatory fines are uninsurable in several EU jurisdictions on public policy grounds. Common exclusions also include known vulnerabilities not remediated, unpatched systems below contractually agreed levels, acts of war and state-sponsored attacks (the Lloyd's market wording is broadly adopted), and outages of public infrastructure outside the entity's control.

NIS 2 interface

Preconditions and warranties

Most cyber underwriters require the insured entity to maintain a defined baseline: multi-factor authentication, backup, patching, awareness training, incident response plan. These are the same items covered by Article 21(2) NIS 2 and the CIR. A policy can lapse or pay reduced sums if the warranty controls were not in place at the time of loss.

Two principles that do not move
Whether or not a cyber policy is in place, two structural principles of the NIS 2 framework stay with the entity.

The Article 21 duty is not transferable

Article 21 addresses the entity. The measures, the documentation and the management body's oversight under Article 20 sit inside the entity. An insurance contract is a financial arrangement after the fact; it does not relocate the legal obligation to act before the fact. The BSI describes this in its information package as ruling out blanket risk transfer.

Proportionality decides the measures, not the premium

Article 21(1) names three reference points: state of the art, relevant standards, and cost of implementation. The proportionality test is applied to the technical and organisational measures themselves. A higher insurance premium does not shift the proportionality assessment; the operator still has to show that the measures are appropriate for the risks the entity actually carries.

National and supervisory view
How national authorities and industry bodies describe the role of cyber insurance next to the NIS 2 obligations.
BSI — Bundesamt für Sicherheit in der Informationstechnik (DE)

The BSI information package on the NIS 2 transposition states that the risk management duty cannot be discharged by transferring the risk wholesale to an insurer. The language used is that blanket risk transfer is excluded. The position aligns the German supervisor with the structure of Article 21: an entity is expected to implement measures, not to pay around them.

ENISA (EU)

ENISA's NIS 2 technical implementation guidance is built around the measures listed in Article 21(2) and the CIR annex. The agency's published guidance does not treat cyber insurance as one of the measures; it appears, when at all, as part of an entity's wider risk treatment options under a risk management framework.

GDV — Gesamtverband der Deutschen Versicherungswirtschaft (DE)

The German insurance association publishes industry model wordings for cyber cover (AVB Cyber) and surveys on the market. The association's public material describes cyber insurance as one element of a wider risk management approach and points to a baseline of technical controls as a usual underwriting precondition.

Common myths
Three statements that come up regularly in conversations between operators, brokers and consultants. The response under each myth refers to Article 21 NIS 2, the CIR and the BSI position described above.
  • Myth: A cyber policy transfers the NIS 2 obligation to the insurer.

    The NIS 2 obligations under Articles 20, 21, 23 and 27 address the entity. The insurer is a counterparty under a private contract, not a regulated entity stepping into the operator's NIS 2 duties. The BSI describes blanket risk transfer as excluded under the directive's regime.

  • Myth: Regulatory fines are covered by the policy.

    Regulatory fines under §65 BSIG (the German transposition of the NIS 2 administrative fines under Articles 34 and 36) are widely treated as uninsurable on public policy grounds across EU jurisdictions. Standard wordings exclude them. Defence costs are a separate question and are often covered subject to limits.

  • Myth: The premium is paid, so the payout is automatic.

    Cyber underwriting is conditional on warranty statements about the entity's controls. If the warranty controls (multi-factor authentication, patching levels, backup regime, incident response plan) were not in place at the time of loss, an insurer can reduce or decline the payout. These warranty controls track the Article 21(2) NIS 2 measures.

Practitioner view

Brokers and risk managers commonly describe cyber insurance as a layer on top of a working security programme, not a substitute for it. The order they describe is: implement the Article 21 measures first, document them, then approach the market. Underwriters ask for the same documentation that a NIS 2 audit asks for: asset inventory, supplier register, patching baseline, backup test results, incident response plan, and awareness training records.

From a NIS 2 perspective the relevant question for an operator is therefore practical. Does the entity have evidence of the Article 21(2) measures? Are the contractual warranties in the cyber policy consistent with the operator's actual posture? If the two diverge, the gap shows up twice: once with the supervisor under a NIS 2 audit, once with the insurer under a claim.

How NISD2 maps to this

NISD2 organises the entity's evidence around the Article 21(2) measure areas and the CIR annex. Asset inventory, supplier register, risk treatment plan, incident response plan, awareness training records and management sign-off sit in a single obligation register. The same evidence pack is the one underwriters and supervisors look at.

The platform does not sell, broker or recommend insurance products. It documents the underlying NIS 2 measures so that the question of cover sits on top of a defined posture, not in place of one.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 21 — https://eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Commission Implementing Regulation (EU) 2024/2690, Annex — https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
  • BSIG (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik), §30 and §65 — https://www.gesetze-im-internet.de/bsig_2009/
  • BSI — NIS-2 Informationspakete und Hintergrund — https://www.bsi.bund.de/DE/Das-BSI/Auftrag/Gesetze-und-Verordnungen/NIS-2/nis-2_node.html
  • ENISA — NIS 2 Technical Implementation Guidance — https://www.enisa.europa.eu/publications
  • GDV — Cyber-Versicherung und unverbindliche Musterbedingungen (AVB Cyber) — https://www.gdv.de/