NIS2 and DORA: What Cyber Underwriters Need to Know


A practical breakdown of how the NIS2 Directive and DORA regulation affect cyber insurance underwriting in Europe.

The European regulatory landscape for cybersecurity is shifting fast. Two frameworks — NIS2 and DORA — are reshaping how organizations approach cyber resilience, and that has direct implications for how we underwrite cyber risk.

What Changed with NIS2

The NIS2 Directive expanded scope significantly compared to its predecessor. More sectors, stricter requirements, and real enforcement teeth. For underwriters, this means the questions we ask during risk assessments need to evolve.

DORA and Financial Services

The Digital Operational Resilience Act targets financial entities specifically. It mandates ICT risk management frameworks, incident reporting, and third-party risk oversight. If you’re underwriting financial institutions in Europe, DORA compliance is now a baseline expectation.

What This Means for Underwriting

These regulations create both risk and opportunity. Organizations that invest in compliance tend to have stronger security postures. But the transition period — where companies are still catching up — is where the exposure sits.

The key is asking the right questions during risk assessments and understanding where regulatory gaps translate to actual cyber risk.
