The Impact of the EU’s NIS2 and DORA on the Cyber Insurance Market

In his 2017 book The Square and the Tower, the historian Niall Ferguson argues that a “realistic goal [to prevent network outage] is not to deter attacks or retaliate against them but to regulate all the various networks on which our society depends that they are resilient.” Better still, he says, we should aim to make such networks “anti-fragile,” borrowing the term coined by Nassim Taleb (best known for his “black swan” theory).1

The speed of digitalisation and an ever-evolving cyber risk landscape have, however, made adequate regulation and resilience seem unrealistic goals. AI is the current case in point: the rapid adoption of tools such as ChatGPT has received extensive news coverage, followed by a scramble as governments and regulators try to keep pace with the technology.

The introduction of NIS2 (the EU’s successor to NIS1, the original ‘Network and Information Systems Directive’) and DORA (the ‘Digital Operational Resilience Act’, which applies to the financial sector and its critical ICT third-party providers) is a significant legislative change that may realistically help achieve the end goal of resilience. The two instruments differ in form: NIS2 is a directive that each member state must transpose into national law, whereas DORA is a regulation that applies directly across the EU. Both aim to improve the cyber security and digital operational resilience of in-scope businesses, and both take effect at broadly the same time (Q4 2024 for NIS2 transposition, Q1 2025 for DORA).

Cyber security standards are not new to the cyber insurance market. Many will be familiar with the US National Institute of Standards and Technology’s ‘Cybersecurity Framework’ and with ISO/IEC 27001, which insureds “align with” or “benchmark against.” The difference with NIS2 and DORA is that these are not merely voluntary guidelines, recommendations, or good practices; they are law, and because both reach non-EU providers that serve EU entities, they may, notwithstanding Brexit, drive change well beyond the EU’s own jurisdiction.

For the cyber insurance market, if NIS2 and DORA achieve their aims, the collective level of cyber security resilience should be higher than it is today and, as a result, the cyber risk carried by those businesses should be reduced. It is worth noting that NIS2 was introduced only a few years after NIS1 came into force, underlining how hard it is to keep pace with cyber threat actors. NIS2 and DORA require compliance by October 2024 and January 2025 respectively; by then the goal posts may have moved again. Regulatory compliance is therefore a floor rather than a ceiling: many businesses will need to go above and beyond it to adequately protect themselves and work towards “anti-fragility.”

The transfer of cyber risk to the insurance market will therefore continue to be an increasingly vital part of how businesses, and the networks within which they operate, “withstand the ravages of Cyberia,” as Niall Ferguson puts it. As we navigate an increasingly fragile political and economic environment, this may be more important than ever.

1 https://en.wikipedia.org/wiki/Black_swan_theory