A new joint report from Aon and A&O Shearman highlights growing concerns about cyber insurance across EMEA. Regulators are now focusing on more than just privacy cases, expanding into sector rules, resilience requirements, and executive oversight. Enforcement is becoming quicker and more complex. The report notes that the sources of cyber fines have “expanded sharply,” while whether those fines can be insured remains “uncertain and jurisdiction specific.” As a result, coverage often depends on local public policy and whether something is “insurable by law,” with many countries limiting coverage for criminal or punitive administrative fines.
There is an even bigger challenge beyond financial penalties. Regulators are increasingly using non-monetary penalties, such as orders to stop processing, mandatory audits, operational suspensions, or license actions. These measures can stop a business just as quickly as a ransomware attack. The report also highlights that directors are now more accountable. Boards are expected to provide stronger oversight, invest in security, and be prepared for incidents. For example, if the company were an airport operator, a cyber incident could lead regulators to ground all flights, inspect every facility, and even revoke licenses. While insurance can help with some costs, it cannot always get operations back to normal.
Cyber Insurance Meets A New Enforcement Era
Cyber incidents now affect all sectors and regions. In response, regulators are introducing new resilience requirements and stricter penalties. They are also holding companies, executives, and board members accountable.
The report “The Insurability of Cyber Fines” describes cyber insurance as “a critical pillar” for large organizations. It connects insurance to recovery costs and resilience driven by underwriting. The report also encourages leaders to understand policy limits as early as possible.
The Regulatory Perimeter Keeps Expanding
Until recently, most cyber enforcement focused on data protection. Now, Europe is adopting major frameworks like DORA and NIS2. The UK has also introduced a Cyber Security and Resilience Bill.
The report highlights three main trends. First, it notes that “the sources of cyber fines have expanded considerably.” Regulators are now adding cyber-specific and sector rules to traditional privacy enforcement.
GDPR still anchors the EU approach. It allows fines up to EUR 20 million or 4% of global turnover. Authorities also stack national laws on top of GDPR duties.
NIS2 increases resilience requirements for critical sectors, putting more pressure on risk management and incident reporting. Additional sector rules like DORA and the Cyber Resilience Act further expand the scope of exposure.
Fines Multiply, But So Do Non-Monetary Sanctions
Money is only part of the threat. The report highlights “non-monetary sanctions such as management bans and operational suspensions.” These measures can freeze operations fast.
A later chapter lists corrective orders, mandatory audits, public warnings, and license actions. The report warns that these measures can disrupt business continuity and harm stakeholder trust.
Insurance cannot “undo” a regulatory order. However, some policies may cover the financial impact in certain situations. The report gives examples such as business interruption losses and remedial costs.
Insurability Turns On Local Law And Public Policy
The report makes the central point plainly. “The insurability of cyber fines remains an uncertain and jurisdiction-specific issue.” National law and public policy control the answer.
A key chapter repeats this point, calling insurability “highly jurisdiction-dependent,” with significant legal differences between countries. Insurers often cover response costs and civil fines “to the extent insurable by law.”
In most EU countries and the UK, criminal fines cannot be insured. The report links this to public policy and the goal of deterrence. Courts also closely review payouts when exclusions are involved.
The report also warns about standards for misconduct. Many legal systems prevent payments if the conduct was intentional or grossly negligent. This distinction can determine claim outcomes during a crisis.
Regulators Test Readiness, Not Just Outcomes
The report states that enforcement is now “more assertive.” Regulators are reviewing technical controls, how quickly companies notify authorities, and the strength of their incident response.
That shift matters for evidence. Your logs, playbooks, and decisions become the story. The report frames compliance as a “continuous journey.” It expects standards to rise over time.
Class Actions Add A Second Front
The report highlights the risk of collective redress and class actions after data breaches. It connects this risk to the EU Representative Actions Directive and encourages companies to prepare for investigations and coordinated claims.
One chapter emphasizes the importance of early notification and clear communication. It also recommends legal and insurance strategies to manage class action risk and notes that European companies are facing more class actions in the US.
AI Adds Another Layer Of Cyber Penalty Risk
The report identifies the EU AI Act as a new development. It expects that, for some incidents, penalties under this law may overlap with those from the GDPR.
A section of the report explains that high-risk AI systems must follow “cybersecurity by design” requirements. It also warns that GDPR enforcement can happen alongside these rules after a data breach. Regulators may issue multiple fines, as long as they are proportionate.
Practical Steps Risk Leaders Can Take Now
The report encourages teams to review the language of their policies and any exclusions. It also suggests considering D&O or professional indemnity insurance as additional options. The report recommends seeking legal advice about insurability in specific jurisdictions.
The report also recommends having a claims protocol in place before any incident occurs. Leaders should ensure executives understand coverage limits. It also calls for risk quantification by sector and level of exposure.
For non-monetary sanctions, the report recommends practicing responses. It suggests creating playbooks for audits, interviews, inspections, and document requests. The report also advises including regulatory requirements in vendor contracts.
The general recommendations focus on governance and evidence. The report calls for board accountability and well-tested incident response plans. It also encourages training, vendor management, and thorough documentation.
At this stage, cyber insurance strategy becomes practical. Teams should work with brokers and legal counsel to “optimise” coverage for costs that can be insured.