Insurance Europe
Network and Information Security Directive should not be extended to include insurance industry

Insurance Europe has today published its response to a consultation by the European Commission on its review of the Network and Information Security (NIS) Directive.

While Europe’s insurers welcome the Commission’s ambitions to increase the cyber security of sectors critical to the economy, the scope of the NIS Directive should not be extended to include the insurance industry, as to do so would introduce duplicate requirements.

At national level, the industry’s cyber resilience is already supported by many well-established systems and initiatives led by both government and the industry. These initiatives facilitate, for example, the sharing of incident information and best practices.

At European level, the industry is already subject to a number of requirements relating to management of ICT risk under the Solvency II framework. It is also preparing for financial sector-specific legislation in the form of the Commission’s Digital Operational Resilience Act (DORA), as well as insurance sector-specific supervisory guidelines from the European Insurance and Occupational Pensions Authority (EIOPA), focused on ICT and cyber resilience. To avoid duplication and regulatory overload, rules governing insurers’ cyber resilience should not be divided into many separate pieces of legislation or supervisory guidelines. Rather, they should be governed only by the forthcoming DORA, complementing the many existing national initiatives.

Published 5 October 2020