NIS2 Underwriting Questions: What Every Cyber Insurance Broker Should Ask

Practical Line 1, Line 2, and Line 3 underwriting questions for NIS2-exposed clients. Essential vs important entities. Coverage gaps brokers should flag.

The question “Are you NIS2 compliant?” is no longer useful in a broker conversation. Every in-scope entity will answer yes. What matters is whether they can produce the documentation, demonstrate the testing, and show the governance trail that a competent authority will demand during an audit.

As of early 2026, 21 of 27 EU member states have transposed NIS2 into national law (Source: ECSO NIS2 Transposition Tracker, February 2026). Germany, which took effect December 6, 2025, is actively auditing approximately 29,000 in-scope entities through its BSI federal cybersecurity authority (Source: Greenberg Traurig, December 2025). The extended compliance window closes June 30, 2026 for organizations in member states that used the extended transition period (Source: ECSO NIS2 Transposition Tracker). After that date, the first wave of enforcement actions becomes probable.

For brokers placing cyber coverage on NIS2-exposed clients, this is not background context. It is the underwriting environment. The standard questionnaire captures attestations. NIS2 audit evidence captures operational reality. The gap between those two is where claims develop.

Why Standard Cyber Questionnaires Miss NIS2 Exposure

Standard cyber insurance questionnaires ask if controls exist. MFA is present or absent. Patching is current or behind. The organization self-reports, the broker records, the underwriter prices. This model worked when cyber insurance covered primarily first-party losses and when insureds had reasonable incentive to represent their risk accurately.

NIS2 changes the equation. The directive requires 10 categories of documented technical and organizational measures under Article 21, with specific evidence requirements for each (Source: NIS2 Directive Article 21(2)). A competent authority conducting an audit does not ask “do you have incident response procedures?” The auditor asks “show me the last tabletop exercise, the outcomes document, the remediation log.” These are fundamentally different information requests.

The shift from self-attestation to evidence-based underwriting is already underway in the cyber insurance market. Insurers are demanding screenshots, RMM exports, and proof of tested controls rather than checked boxes (Source: SeedPod Cyber, January 2026). Cyber insurance carriers are tightening underwriting standards and no longer insuring businesses based on good intentions alone (Source: LinkedIn, Cyber Insurers Shift from Self-Attestation, February 2026).

For brokers, the practical consequence is that questionnaire responses from 18 months ago may not reflect current operational reality. Organizations in active NIS2 implementation may have policy documents that are ahead of operational implementation, or worse, may have implemented controls without updating the documentation that auditors will review.

NIS2 Scope: Essential Entities vs Important Entities

NIS2 creates two tiers of regulated entities with different threshold criteria, supervisory intensity, and penalty exposure.

Essential entities meet at least one of three size criteria: 250 or more employees, annual turnover exceeding 50 million euros, or balance sheet total exceeding 43 million euros. Alternatively, they operate in sectors designated as having high criticality regardless of size. These sectors include energy, transport, banking, financial market infrastructure, health, digital infrastructure, public administration, space, and water supply (Source: NIS2 Directive Article 21 and 22, Glocert International).

Essential entities face proactive supervision. Competent authorities can conduct unannounced audits, order technical assessments, and impose operational restrictions. Penalties reach 10 million euros or 2 percent of global annual turnover, whichever is higher. Executive personal liability is explicit in several national implementations, including Germany (Source: Greenberg Traurig, BSI Act Makes Cybersecurity Board-Level Issue).

Important entities meet similar size criteria but with lower thresholds: 50 or more employees, annual turnover exceeding 10 million euros, or balance sheet total exceeding 10 million euros. They operate in sectors designated as important, including postal and courier services, waste management, chemical production, food production, manufacturing of medical devices, and digital providers including social networks, search engines, and online marketplaces (Source: NIS2 Directive Article 23).

Important entities face reactive supervision. Penalties reach 7 million euros or 1.4 percent of global annual turnover, whichever is higher. While the supervisory intensity is lower than for essential entities, the penalties remain substantial and enforcement is not theoretical. Both tiers require broker attention because the penalty structure means a single enforcement action can materially affect an organization’s financial position and thus its insurance exposure.

[VISUAL: Decision tree — “Essential or Important Entity?” flowchart]

Line 1 Questions: Governance and Accountability

Line 1 underwriting addresses the governance layer. These questions determine whether NIS2 compliance is treated as a serious risk management discipline or a checkbox exercise.

Board accountability documentation is the starting point. Article 20 requires that management bodies approve cybersecurity measures, oversee their implementation, and receive regular training. The question is not whether the client has a CISO or security officer. The question is whether the board has formally reviewed and approved the risk assessment, security policies, and incident response procedures within the past 12 months.

Request evidence: board minutes showing cybersecurity agenda items, documented board approval of the NIS2 risk assessment, evidence of board-level cybersecurity training attendance. A signed questionnaire is not governance documentation.

Named DPO or security officer with documented responsibility is required under Article 20. Verify that the individual is named in organizational documentation, has documented responsibilities, and has evidence of role-specific training. The question is whether this is a dedicated resource or a collateral duty assigned to someone without bandwidth to execute.

Management body oversight procedures must be documented under Article 20(1). This includes how the management body receives cybersecurity information, how frequently, and in what format. Ask for the most recent quarterly security report provided to the board. Ask who prepared it and what decisions the board made based on it.

Executive personal liability exposure varies by member state but is increasingly real. Germany explicitly includes board liability in its BSI Act implementation (Source: Greenberg Traurig). France, through ANSSI, has signaled similar expectations. Underwriters should document whether executives have sought legal counsel on personal liability exposure and whether D&O coverage has been reviewed in light of NIS2.

[VISUAL: Checklist — Line 1 Governance questions]

Line 2 Questions: Technical and Operational Security Controls

Line 2 addresses the substantive control environment across the 10 Article 21 measure categories. Each category has specific evidence requirements that brokers should probe.

Risk analysis methodology under Article 21(1) requires a documented, formal risk analysis process covering asset inventory, threat assessment, vulnerability analysis, and risk treatment. Ask for the risk analysis methodology document, evidence that it was board-approved, and confirmation that it was updated within the past 12 months. A static document from 2024 that has not been reviewed as the threat landscape evolved is a red flag.

Organizations cite patching as a key challenge. Fifty percent of organizations report patching challenges, and 49 percent cite business continuity as a significant gap (Source: ENISA NIS Investments 2025). Underwriters should probe patching cadences specifically, particularly for organizations with OT environments or legacy systems where patching is operationally difficult.

Incident response procedures must cover prevention, detection, analysis, containment, response, and recovery (Source: Glocert International, NIS2 Article 21 Risk Management Measures Explained). The question is not whether procedures exist. The question is whether they have been tested.

Request the last tabletop exercise or simulated incident document. Ask for the date of the most recent test, the scenario used, the number of participants, and the documented outcomes including lessons learned and remediation actions. Untested procedures are undocumented procedures. The gap between written procedure and operational capability is where incidents become losses.

Asset inventory is a baseline requirement under Article 21. The inventory must be complete, must include network assets, operational technology, and IoT devices, and must be kept current. Ask for the inventory export, not just confirmation that one exists. Gaps in the asset inventory correlate with gaps in security coverage.

Access control requires MFA, privileged access management, and network segmentation. The question is whether MFA is enforced globally or selectively. Ask for evidence of privileged access management implementation, particularly for domain administrators and service accounts. Network segmentation evidence should show that OT environments are segregated from IT environments and that guest networks are isolated from production systems.

Endpoint and network security includes EDR deployment, patching cadence, and network monitoring. Ask for EDR coverage reports showing percentage of endpoints covered, average time to patch critical vulnerabilities, and evidence of 24/7 network monitoring or SOC coverage.

Cryptography controls under Article 21(2)(f) require encryption for data at rest and in transit. Ask for evidence of TLS 1.2 or higher enforcement, encryption of databases and file stores containing sensitive data, and key management procedures.

[VISUAL: Risk matrix — control maturity scoring framework]

Line 3 Questions: Incident Reporting and Regulatory Compliance

Line 3 addresses NIS2’s unique incident notification requirements, which create direct regulatory exposure for the insured and thus for the coverage.

24-hour early warning capability is the most demanding requirement. Article 23 requires organizations to notify their competent authority or CSIRT within 24 hours of becoming aware of a significant incident. This is not a bureaucratic reporting timeline. It is an operational capability requirement.

Ask the client to name the specific individual who would make this notification, provide the contact details they hold for the relevant competent authority, and describe the procedure they would follow. If the answer involves finding a procedure document during an incident rather than activating a pre-established chain, the 24-hour deadline is at risk. Organizations that have tested this procedure can demonstrate evidence. Those that have not are making an assumption.

72-hour notification to competent authority requires an initial assessment of the incident, including its nature, scope, and impact. This requires documented incident analysis capability within the first 24 to 48 hours. Ask for the template or format the client uses for this notification. If one does not exist, the organization is not prepared for this requirement.

CSIRT registration and engagement varies by member state. Some competent authorities require pre-registration of incident contact points. Others require ongoing engagement with sector-specific CSIRTs. Verify that the client has completed any required registration and understands which CSIRT covers their sector in their jurisdiction.

Post-incident review procedures must be documented under Article 21 as part of the incident handling capabilities. After a significant incident, organizations must conduct a root cause analysis and implement remediation. Ask for evidence of any post-incident reviews from previous incidents, regardless of whether they met the NIS2 notification threshold.

Documentation for competent authority requests should be proactively maintained. Organizations subject to audit should maintain organized records of all cybersecurity measures, testing results, incident records, and regulatory correspondence. Ask whether the client has a dedicated regulatory file for NIS2 compliance documentation.

[VISUAL: Timeline — 24hr/72hr/1-month notification windows]

Supply Chain Security: The Question Most Brokers Skip

Supply chain security is the most frequently underdeveloped area of NIS2 compliance and the area where broker questions create the most differentiation in risk assessment.

Article 21(2)(d) requires organizations to assess the security posture of critical suppliers, include security requirements in vendor contracts, and manage risks from subprocessors. Thirty-seven percent of organizations cite supply chain risk as a key challenge (Source: ENISA NIS Investments 2025).

The Ingram Micro ransomware attack in July 2025 illustrates the scale of exposure. Ingram Micro, a $48 billion technology distributor, disclosed a ransomware attack that impacted data belonging to more than 42,000 individuals (Source: CRN, January 2026). Projected losses reached $103 million to $120 million per day during the disruption period (Source: LinkedIn, John Bruggeman analysis). The attack originated through a supply chain vector and affected the company’s ability to serve its reseller network globally.

ICT third-party provider inventory must be complete. Ask for the list of critical ICT service providers, including managed service providers, cloud providers, and software vendors with access to the organization’s network or data. The list should include subprocessors for managed service providers.

Critical supplier due diligence procedures should include security assessment questionnaires, third-party security certifications where applicable, and documented risk rankings. A vendor questionnaire is not a due diligence program. Evidence of a systematic assessment process is.

Security requirements in vendor contracts should include data protection obligations, incident notification requirements, and audit rights for critical vendors. Ask to see the standard security addendum used in vendor contracts. If the client’s standard contracts do not include these provisions, supply chain risk is contractually unmitigated.

MSP subprocessor transparency deserves specific attention. Organizations that rely on MSPs for IT management, security monitoring, or cloud infrastructure are exposed to subprocessor risk that they often cannot see. Ask the client to provide their MSP’s subprocessor list and describe the contractual protections governing subprocessor use.

Alternative provider arrangements for critical services should be documented. A single point of failure in a critical supply chain creates unmitigated exposure. Ask what happens to the client’s operations if their primary MSP, cloud provider, or connectivity provider experiences an extended outage.

[VISUAL: Supply chain dependency diagram]

What Good Answers Look Like: Compliance Maturity Indicators

Evaluating client responses requires distinguishing between attestation and evidence. The maturity indicators below separate prepared risks from checkbox compliers.

Green flags include board-reviewed and approved risk assessments with evidence of annual review, documented tabletop exercises or simulated incidents within the past 12 months with outcomes and remediation tracked, completed supply chain security assessments for all critical vendors with documented risk rankings, and confirmed registration with the relevant competent authority with no outstanding enforcement correspondence.

Organizations with green flag indicators treat NIS2 as a risk management discipline. Their board engagement is documented, their technical controls have evidence trails, and their incident response procedures have been validated through testing. These are the clients where coverage can be structured with broader terms and lower retention.

Red flags include questionnaire-only evidence with no supporting documentation, no board-level governance documentation or evidence of management body engagement, incident response procedures that exist as documents but have never been tested, no visibility into MSP subprocessor chains, and incomplete asset inventory or reliance on sampling rather than comprehensive coverage.

Red flag indicators suggest that the organization’s NIS2 compliance is performative rather than operational. The risk is not necessarily uninsurable, but the coverage structure must reflect the actual risk exposure. Higher deductibles, specific exclusions for known gaps, and coinsurance provisions may be appropriate.

Pricing Implications: How NIS2 Compliance Posture Affects Coverage Terms

Compliance maturity has direct implications for coverage placement that brokers should structure into their placement recommendations.

Well-prepared risks with green flag indicators across governance, technical controls, and incident response can support broader coverage terms. The probability of a significant incident occurring despite documented controls is lower. The probability of regulatory enforcement action is lower. The coverage structure can reflect this through broader wording, lower deductibles, and sublimits appropriate to the actual risk profile.

Transition risks represent the largest segment of the current market. These are organizations that have made genuine progress on NIS2 compliance but have gaps, particularly in supply chain security and incident response testing. For these risks, specific exclusions for known gaps with a path to coverage upon remediation may be appropriate. Coinsurance provisions can align incentives for continued remediation. Higher deductibles reflect residual uncertainty.

Non-compliant risks face either declination or materially higher pricing that reflects the probability of enforcement action, the magnitude of potential penalties, and the likelihood of security degradation as organizations divert resources to catch up under enforcement pressure. Underwriters should be explicit with clients about why pricing has adjusted and what remediation steps would support better terms at renewal.

Coverage recommendations should be structured around the questionnaire response patterns. A client that cannot demonstrate board governance documentation should not receive the same terms as one that can. A client with untested incident response procedures should have coverage terms that reflect the uncertainty. The coverage structure should incentivize remediation where the insured has the ability to improve their risk profile.

Use Resiliently’s free NIS2 Entity Classifier to determine whether your client falls within NIS2 scope. Download the complete NIS2 Underwriter’s Guide for the full question set with scoring guidance and coverage recommendation templates.