Insurance Europe has published its position on the review of the Security of Network and Information Systems (NIS2) Directive.
The Directive’s minimum harmonisation principle has resulted in a fragmented landscape for Europe’s insurers. In practice, this means that firms in three member states have been identified as operators of essential services and, as a result, some of them have been subjected to burdensome and costly requirements.
The financial sector-specific Digital Operational Resilience Act (DORA), which was proposed by the European Commission in September 2020, is an opportunity to address this. Concretely, cybersecurity rules for insurers should be only covered by the DORA. To achieve this, it is important to refine some aspects of the NIS2 Directive, as well as the relationship between it and the DORA. This will ensure legal certainty, while enabling insurers to contribute to enhancing the insurance sector’s cyber resilience.
Beyond their own cyber security, insurers, as providers of cyber insurance products, have a key role to play in increasing the cyber resilience of the EU. Access to cyber incident data reported under the NIS2 Directive would greatly help insurers provide cyber security solutions. Insurers are also calling for increased harmonisation of reporting information between countries under the NIS2 Directive, so as to promote a uniform and common understanding of cyber threats and incidents across the EU.