Cyber-related fines reveal widening gap between regulatory risk & insurable protection: Aon

As enforcement intensifies, businesses located or operating in the Europe, Middle East and Africa region face an increasing number of cyber-related fines and penalties, while the insurability of these fines remains uncertain and varies by jurisdiction, according to a joint report from global broker Aon and law firm A&O Shearman.

The report highlights that as cyber incidents continue to increase across industries and countries, new regulations aimed at improving cyber resilience are emerging, resulting in additional fines and penalties for companies, executives and board members who fail to ensure compliance.

The regulatory scope of cyber-related fines has expanded dramatically. For example, the EU has introduced major frameworks such as DORA (Digital Operational Resilience Act) and the NIS2 Directive (Network and Information Security), while the UK recently released the Cyber Security and Resilience Bill. Under these new rules, enforcement has become more assertive, technical and multi-layered, making the insurability of fines and penalties uncertain.

The report found that many jurisdictions limit or prohibit coverage for criminal or punitive administrative fines on public policy grounds. Many penalties can only be insured to the extent permitted by law, so organizations may be liable for regulatory fines even if they hold cyber insurance.

At the same time, defense, investigation, breach notification, business interruption and remediation costs are covered more consistently, highlighting the growing gap between regulatory risk and insurable protection.

Findings indicate that non-monetary penalties can be just as damaging as fines. These measures may include orders to cease processing, to submit to an audit, to suspend operations or to surrender a license.


In addition, boards and senior management face heightened accountability, and new regulatory regimes have raised expectations for appropriate oversight, investment and risk mitigation preparedness.

Pablo Constenla, head of underwriting and claims for cyber and financials in Aon’s EMEA region, said: “The cyber regulatory landscape is evolving rapidly, with regulators taking a more hands-on approach to enforcement, from testing technical controls to imposing penalties, which may also increase third-party liability. Businesses need to understand how fines and penalties are handled in each jurisdiction and ensure their governance, reporting and compliance frameworks are strong enough to withstand scrutiny.”

David Molony, head of cyber solutions for EMEA at Aon, added: “Cyber risk is about more than just the possibility of an attack or data breach; businesses should also consider the financial and reputational impact of regulatory consequences. Organizations that combine incident response planning with risk oversight and cross-functional coordination are better able to absorb shocks and maintain operational resilience in an increasingly complex environment.”
