NIS2 Compliance Is Now an Underwriting Requirement — Every Broker's Duty of Care

The NIS2 transposition deadline has passed. With fewer than 10% of critical entities fully compliant, carriers are starting to exclude non-compliant organizations from coverage. For insurance brokers, failing to verify client NIS2 status is now a professional liability risk. Here's what you need to know.

The Clock Ran Out. Now What?

The EU NIS2 Directive required all member states to transpose its provisions into national law by October 17, 2024. That deadline is now 18 months in the past.

Yet according to recent European Commission assessments, fewer than 10% of critical and important entities are fully compliant with the directive’s requirements. The gap between regulation and reality is wider than most brokers realize — and it has direct implications for every cyber insurance submission you handle.

What NIS2 Actually Requires

NIS2 applies to approximately 180,000 entities across the EU, classified into two tiers:

  • Critical entities (energy, transport, banking, health, digital infrastructure): must implement strict incident reporting (24-hour notification), supply chain security, multi-factor authentication, encryption, and regular security audits
  • Important entities (postal services, waste management, food, chemicals, manufacturing): similar but reduced reporting frequency

The penalty for non-compliance? Up to €10 million or 2% of global annual turnover — whichever is higher. Individual liability for executives is explicitly included.

Why This Matters to Every Broker

Here’s where the insurance market intersects with regulatory reality:

  1. Carriers are adding NIS2 compliance questions to submission forms. Major Lloyd’s syndicates and continental European carriers now routinely ask: “Is the applicant NIS2-compliant?” A “no” or “unknown” answer triggers enhanced due diligence or outright decline.

  2. Non-compliance creates a claims-denial vector. If an entity suffers a breach that a properly implemented NIS2 framework would have prevented, the carrier has a stronger argument for exclusion — particularly if the policy includes a warranty about regulatory compliance.

  3. Broker E&O exposure is real. A broker who submits an application without verifying NIS2 status — and the carrier later denies a claim citing non-compliance — faces professional indemnity exposure. “I didn’t know” is not a defense when the regulation has been in force for 18 months.

The Numbers

  • <10% of entities fully compliant with NIS2
  • ~32% have initiated compliance programs but are not complete
  • ~58% have taken little or no action
  • €10M maximum penalty for non-compliance
  • 180,000+ entities in scope across EU member states

Source: European Commission NIS2 Implementation Monitoring, Q1 2026

What Brokers Should Do Today

1. Verify Every Client’s NIS2 Status

Before submitting any cyber insurance application for an EU-based entity, confirm their NIS2 classification and compliance level. Document it in the submission file. This single step significantly reduces your E&O exposure.

2. Use the Free NIS2 Compliance Checker

The NIS2 Compliance Checker at Resiliently provides a quick compliance assessment based on entity type, sector, size, and security controls. Results include a compliance score, gap analysis, and prioritized remediation steps — all in under 5 minutes.

This tool was built specifically for the insurance workflow: it produces output that carriers accept as preliminary evidence of due diligence.

3. Reference Country-Specific Transpositions

NIS2 implementation varies by member state. Germany’s BSI has taken the strictest approach, while other states have been slower. Our NIS2 Country Guides cover all 27 member states with specific transposition details, enforcement bodies, and penalty structures.

4. Build Compliance Into Your Submission Process

The most efficient brokers now include NIS2 verification as a standard step in their submission workflow, alongside the Instant Broker Scorecard (IBS), which produces underwriter-ready risk assessments in seconds.

The Regulatory Trend Is Clear

NIS2 is not a one-off regulation. It’s the foundation for an expanding EU cyber regulatory framework that includes:

  • DORA (Digital Operational Resilience Act) — applies to financial entities
  • CRA (Cyber Resilience Act) — applies to connected hardware and software products
  • eIDAS 2.0 — digital identity and trust services

The direction of travel is unambiguous: regulatory compliance and cyber insurability are converging. Brokers who embed compliance verification into their workflow gain a competitive advantage — and protect themselves from E&O claims.

Getting Started

The Resiliently NIS2 Compliance Checker is free to use with 5 runs per month, and unlimited under the Pro plan (€49/month). No LLM dependency — rule-based, auditable, insurance-ready.

Check Your Client’s NIS2 Status →

Disclaimer: This article is for informational purposes only and does not constitute legal or insurance advice. Brokers should consult qualified legal counsel for specific compliance obligations.