Critical Infrastructure Underwriting Under NIS2: Healthcare, Energy, and Transport in 2026

A sector-by-sector guide for cyber underwriters on NIS2 critical infrastructure compliance in healthcare, energy, and transport — including specific requirements, claim trends, underwriting questions, and coverage implications.

Critical infrastructure is where NIS2 bites hardest. The directive designates healthcare, energy, and transport as “essential” sectors — the highest regulatory tier with the strictest obligations and the most severe penalties. For cyber insurance underwriters, these sectors represent both the largest market opportunity and the highest aggregate risk. A single successful attack on a hospital network can disable emergency services. A ransomware incident at an energy operator can disrupt power to millions. A compromise of transport systems can halt commerce across borders.

NIS2 raises the compliance bar for all three sectors, and enforcement is accelerating. National regulators across the EU are conducting assessments, issuing guidance, and preparing to impose penalties for non-compliance. For underwriters, understanding the sector-specific requirements under NIS2 is no longer optional — it is essential for accurate risk selection, pricing, and policy wording.

This guide provides a sector-by-sector breakdown of NIS2 requirements for healthcare, energy, and transport, with specific underwriting considerations, claim trend analysis, and a practical questionnaire for assessing critical infrastructure clients.

Why Critical Infrastructure Is the Highest-Risk Category

Under NIS2, critical infrastructure entities face:

  1. The highest penalties — up to €10 million or 2% of global annual turnover, plus personal liability for management (Article 20)
  2. The most stringent requirements — comprehensive cybersecurity risk management under Article 21 with 10 specific security measures
  3. Proactive supervision — essential entities are subject to proactive inspections by competent authorities, not just reactive enforcement
  4. The fastest incident reporting — 24-hour early warning for significant incidents, with formal reporting at 72 hours and final reports at one month
  5. Supply chain obligations — security measures must cover suppliers and service providers, creating cascading compliance requirements

The convergence of high regulatory stakes, systemic interconnection, and attractive targets for threat actors makes critical infrastructure the most challenging — and most important — category for cyber underwriting in 2026.

Sector 1: Healthcare

NIS2 Classification and Scope

Healthcare is classified as an essential sector under NIS2 Annex I. Entities in scope include:

  • Hospitals and clinics — public and private, above the size threshold (250+ employees or €50M turnover for essential classification)
  • Laboratories — clinical and research laboratories handling sensitive health data
  • Medical device manufacturers — when above size thresholds (note: also subject to the Cyber Resilience Act for product security)
  • Health insurance providers — may also be subject to DORA if they offer financial services
  • E-health service providers — electronic health records, telemedicine platforms, health data exchanges

NIS2-Specific Requirements for Healthcare

Healthcare entities must implement all 10 Article 21(2) security measures, but several have particular resonance:

Incident handling (Article 21(2)(b)): Healthcare incidents can have immediate patient safety implications. A ransomware attack that disables hospital IT systems doesn’t just cost money — it can cost lives. NIS2 requires incident response procedures that account for clinical continuity.

Supply chain security (Article 21(2)(d)): Hospitals depend on medical device manufacturers, pharmaceutical suppliers, IT service providers, and cloud-based EHR vendors. Each represents a potential attack vector and must be covered by the entity’s cybersecurity risk management.

Business continuity (Article 21(2)(e)): Healthcare business continuity plans must address clinical operations, not just IT recovery. This includes fallback procedures for medical devices, manual processes for medication administration, and communication protocols for clinical staff.

Crisis communication (Article 21(2)(f)): When a hospital suffers a cyber incident, communication must extend beyond regulators to patients, staff, media, and potentially government health authorities.

Healthcare Cyber Insurance Considerations

Claim trends (2024-2026):

  • Healthcare ransomware payments average €350,000 — among the highest across all sectors
  • Business interruption losses in healthcare are 40% higher than cross-sector average due to clinical continuity requirements
  • Regulatory notification costs have increased 60% since NIS2 enforcement began
  • Data breach costs in healthcare average €180 per record — the highest of any sector for the 14th consecutive year

Underwriting risk factors:

  • Medical device security: Legacy medical devices running unsupported operating systems create unpatchable vulnerabilities
  • Interconnection risk: Hospital networks connecting clinical devices, EHR systems, research networks, and guest Wi-Fi create flat attack surfaces
  • Regulatory exposure: Dual compliance with NIS2 and healthcare data protection regulations (GDPR, patient data laws) multiplies notification obligations
  • Systemic risk: Shared IT service providers (EHR vendors, cloud providers) create concentration risk across healthcare portfolios

Coverage considerations:

  • Business interruption waiting periods may need to be shorter for healthcare than other sectors
  • Regulatory defense costs should account for multi-regulator investigations (NIS2 competent authority + data protection authority + health regulator)
  • Consider sublimits for bio-hazard data exposure (genetic data, research data), which may fall outside standard cyber policy definitions

Sector 2: Energy

NIS2 Classification and Scope

Energy is the first sector listed in NIS2 Annex I, reflecting its systemic importance. Entities in scope include:

  • Electricity operators — generation, transmission, distribution, and aggregation
  • Natural gas operators — transmission, distribution, storage, and LNG facilities
  • Hydrogen operators — emerging sector with growing regulatory attention
  • Oil operators — production, refining, storage, and transportation (above size thresholds)
  • District heating providers — where above size thresholds
  • Renewable energy operators — wind farms, solar installations, and energy storage facilities above thresholds

NIS2-Specific Requirements for Energy

Energy sector entities face unique NIS2 challenges:

Network and information system security (Article 21(2)(a)): Energy operators manage operational technology (OT) networks that control physical infrastructure — power grids, pipelines, substations. These OT environments often run legacy protocols with limited security capabilities. NIS2 compliance requires bridging the gap between IT security standards and OT reality.

Supply chain security (Article 21(2)(d)): The energy supply chain is extraordinarily complex, encompassing equipment manufacturers, maintenance contractors, grid operators, energy traders, and government agencies. Each relationship introduces potential attack vectors.

Business continuity (Article 21(2)(e)): Energy business continuity has cascading societal impact. A blackout affecting 100,000 homes isn’t just a commercial loss — it’s a national emergency. NIS2 requires business continuity plans that account for this systemic role.

Cryptography (Article 21(2)(g)): Many energy OT protocols were designed before modern encryption was practical. Implementing cryptographic controls across legacy SCADA systems, smart meters, and grid management platforms requires careful engineering.

Energy Cyber Insurance Considerations

Claim trends (2024-2026):

  • Energy sector cyber incidents increased 35% year-over-year, driven by geopolitical targeting
  • Average ransomware payment in energy: €1.2 million (highest of all sectors)
  • OT-specific incidents (affecting industrial control systems) increased 50% and are significantly more expensive to remediate than IT-only incidents
  • Regulatory investigation costs in energy average €400,000 per incident due to multi-authority involvement

Underwriting risk factors:

  • OT/IT convergence: Energy operators increasingly connect OT networks to IT systems for remote monitoring and management, expanding the attack surface
  • Legacy infrastructure: Many grid control systems were deployed decades ago and cannot be easily patched or replaced
  • Geopolitical targeting: Energy infrastructure is a primary target for state-sponsored actors, particularly during periods of geopolitical tension
  • Systemic accumulation: A single attack on a grid operator could generate losses across the entire energy insurance portfolio

Coverage considerations:

  • Property damage from cyber events is a critical coverage question — a cyber attack on a pipeline or substation could cause physical destruction
  • Bodily injury exclusions need careful drafting — energy incidents can cause injuries and deaths
  • Consider mandatory security standards as policy conditions, including OT-specific security frameworks (IEC 62443)
  • Aggregate exposure management is essential — energy portfolios can accumulate systemic risk rapidly

Sector 3: Transport

NIS2 Classification and Scope

Transport is another essential sector with broad scope:

  • Air transport — airports, airlines, air traffic management
  • Rail transport — railway operators, infrastructure managers, station operators
  • Maritime transport — port operators, shipping companies, vessel traffic management
  • Road transport — intelligent transport systems, toll operators, traffic management authorities
  • Inland waterways — vessel operators and infrastructure managers

NIS2-Specific Requirements for Transport

Incident handling (Article 21(2)(b)): Transport incidents have immediate safety implications. A cyber attack on air traffic management or railway signaling could cause collisions. Incident response must be integrated with safety management systems.

Supply chain security (Article 21(2)(d)): Transport operators depend on a vast ecosystem — ticketing platforms, baggage handling systems, fuel suppliers, maintenance contractors, navigation systems. Each creates dependencies that must be managed.

Training and awareness (Article 21(2)(i)): Transport sector employees — from air traffic controllers to train drivers — need cybersecurity awareness that is specific to their operational environment. Generic phishing training is insufficient when the threat is a compromised signaling system.

Multi-modal coordination: Many transport entities operate across modes (e.g., a logistics company using road, rail, and maritime). NIS2 requirements apply across all operational modes, creating complex compliance landscapes.

Transport Cyber Insurance Considerations

Claim trends (2024-2026):

  • Transport sector ransomware incidents increased 28% year-over-year
  • Average business interruption loss in transport: €2.1 million (extended duration due to operational complexity)
  • Regulatory costs increased 45% as transport authorities begin NIS2 enforcement
  • Third-party liability claims from transport cyber incidents are growing — passenger and cargo liability

Underwriting risk factors:

  • Safety-critical systems: Transport involves systems where failure can cause mass casualties, creating catastrophic exposure
  • Real-time operations: Transport operates in real-time — there is no “pause” button, making incident response extremely challenging
  • Public-facing exposure: Airports, rail stations, and ports are public infrastructure with high visibility — incidents generate immediate media attention and political pressure
  • Cross-border complexity: International transport operators face multiple national transpositions of NIS2 simultaneously

Coverage considerations:

  • Passenger and third-party liability limits need to reflect catastrophic exposure potential
  • Business interruption calculations should account for the extended recovery times typical in transport operations
  • Consider mandatory IEC 62443 compliance for OT environments as a policy condition
  • War and terrorism exclusions need careful review — state-sponsored attacks on transport could trigger disputes

Underwriting Questionnaire for Critical Infrastructure

Use this structured questionnaire when assessing any critical infrastructure client under NIS2:

Regulatory Classification

  1. Is the entity classified as essential or important under NIS2? (Use our NIS2 Entity Checker to verify)
  2. Which national competent authority oversees the entity?
  3. Has the entity been subject to any proactive NIS2 inspections?

Governance

  1. Has the board approved cybersecurity risk management measures per Article 20?
  2. Has management completed cybersecurity training per Article 20(1)?
  3. Is there a named individual accountable for NIS2 compliance?
  4. Does the entity have a formal cybersecurity policy that covers both IT and OT environments?

Technical Measures

  1. Has the entity implemented all 10 Article 21(2) security measures?
  2. For energy/transport: Is there a separate OT security program aligned with IEC 62443?
  3. For healthcare: How are legacy medical devices secured on the network?
  4. What is the entity’s patch management process for critical infrastructure systems?
  5. How is network segmentation implemented between IT, OT, and IoT environments?

Incident Response

  1. Can the entity meet the 24-hour early warning reporting deadline?
  2. Has the entity tested its incident response plan in the past 12 months?
  3. Does the incident response plan include operational continuity procedures (clinical operations for healthcare, grid management for energy, safety systems for transport)?
  4. What is the entity’s ransomware response policy — does it include a decision framework for payment?

Supply Chain

  1. How many critical ICT third-party providers does the entity depend on?
  2. Does the entity maintain a register of ICT dependencies?
  3. What security requirements are contractually imposed on critical suppliers?
  4. Has the entity experienced a supply chain cyber incident in the past 24 months?

Business Continuity

  1. What is the tested recovery time objective (RTO) for critical operational systems?
  2. When was the last full business continuity exercise including cyber scenarios?
  3. Does the entity have manual fallback procedures for safety-critical operations?
  4. What is the maximum tolerable downtime for each critical system?

Pricing Implications

Critical infrastructure entities under NIS2 should expect cyber insurance pricing that reflects:

  • Higher limits — essential entity penalties can reach €10M, requiring adequate regulatory defense and penalty sublimits
  • OT-specific coverage — policies must cover operational technology environments, not just traditional IT
  • Extended BI periods — critical infrastructure recovery takes longer due to safety validation requirements
  • Regulatory compliance conditions — underwriters may require evidence of NIS2 gap assessments and remediation plans as policy conditions
  • Catastrophic exposure loadings — energy and transport sectors carry systemic and catastrophic risk that requires portfolio-level management

Use our Cyber Risk Calculator to estimate the potential financial impact of regulatory penalties and incident costs for your critical infrastructure clients.

The Bottom Line

Critical infrastructure under NIS2 is where cyber insurance meets public safety. The three sectors covered here — healthcare, energy, and transport — are not just commercially important. They are the backbone of modern society, and NIS2 recognizes this by imposing the strictest requirements and the most severe penalties.

For underwriters, the message is clear: traditional cyber insurance assessment approaches are insufficient for critical infrastructure. You need sector-specific expertise, OT security knowledge, and an understanding of how NIS2 requirements translate into real-world risk management obligations.

The entities that will weather this regulatory transformation best are those that invest early in compliance, build integrated IT/OT security programs, and maintain tested incident response and business continuity capabilities. These are the risks worth writing.

Download our free NIS2 compliance checklist to start assessing your critical infrastructure clients today. For deeper analysis, explore our premium reports including the NIS2 Implementation Guide for Insurers.

FAQ

Are all hospitals subject to NIS2? Not all hospitals. Only those that meet the size threshold for essential entities (250+ employees OR €50M turnover) or important entities (50+ employees OR €10M turnover) in Member States that have transposed NIS2. However, many EU Member States have chosen to apply NIS2 requirements to all healthcare providers regardless of size, so the practical scope is broader than the directive text suggests.

Does NIS2 apply to renewable energy companies? Yes. Wind farms, solar installations, energy storage facilities, and other renewable energy operators are explicitly included in the energy sector under NIS2 Annex I. If they meet the size threshold, they are classified as essential entities. This is a significant expansion from NIS1, to which many renewable operators were not subject.

What is the biggest cyber risk for transport companies under NIS2? The biggest risk is the intersection of safety-critical systems and cyber vulnerability. Transport systems increasingly rely on digital control (signaling, traffic management, navigation), and a cyber compromise could have immediate safety consequences. The combination of high operational complexity, legacy systems, and real-time operational requirements makes transport uniquely challenging from a cyber risk perspective.

How does NIS2 affect cyber insurance premiums for critical infrastructure? Premiums for critical infrastructure entities have increased 15-25% since NIS2 enforcement began, reflecting both the expanded regulatory exposure and the systemic risk profile. However, entities that can demonstrate strong NIS2 compliance — including gap assessments, tested incident response, and OT security programs — may qualify for more favorable terms. Use our NIS2 compliance cost guide to estimate compliance investment needs.

Can management be personally fined under NIS2 for critical infrastructure failures? Yes. Article 20 of NIS2 makes management bodies personally liable for cybersecurity failures at essential entities. For critical infrastructure — healthcare, energy, and transport — this means individual board members and executives can face personal financial penalties and temporary bans from management positions. Our NIS2 board liability guide covers this in detail.
