The Directive's minimum harmonization principle has resulted in a fragmented landscape for Europe's insurers. In practice, this means that firms in three member states have been identified as operators of essential services and, as a result, some of them have been subjected to burdensome and costly requirements.
The financial sector-specific Digital Operational Resilience Act (DORA), proposed by the European Commission in September 2020, presents an opportunity to address this. Concretely, cybersecurity rules for insurers should be set only by the DORA. To achieve this, some aspects of the NIS2 Directive, and in particular its relationship with the DORA, need to be refined. This would ensure legal certainty, while enabling insurers to contribute to enhancing the insurance sector's cyber resilience.
Beyond their own cybersecurity, insurers, as providers of cyber insurance products, have a key role to play in increasing the cyber resilience of Europe. Access to cyber incident data reported under the NIS2 Directive would greatly help insurers provide cybersecurity solutions. Insurers are also calling for greater harmonization across countries of the information reported under the NIS2 Directive, so as to promote a uniform and common understanding of cyber threats and incidents across Europe.