Insurance Europe calls for assurances that re/insurers will be exempt from the EU’s NIS2 Directive
Insurance Europe has welcomed the European Commission’s proposal for a revised Network and Information Security (NIS2) Directive to enhance the cyber resilience of the European Union.
In particular, Insurance Europe said it supported the decision to leave insurance companies outside the scope of the proposed NIS2 Directive. Insurance companies will be subject to the Digital Operational Resilience Act (DORA), it noted, which will introduce requirements for insurance companies to demonstrate robust cyber risk management, incident-reporting, stress-testing and third-party arrangements.
“A single set of cybersecurity rules offers more effective governance than many separate rules,” Insurance Europe noted.
The trade association said absolute clarity is needed around the legal references applicable to insurance companies, to allow carriers to plan and implement a phased process of adaptation to new guidelines and to the DORA. To this end, it is important that insurers are given assurances that they will remain outside the scope of NIS2, not just now but in the future.
Specifically, Insurance Europe proposed modifying the NIS2 text to remove a reference to equivalence that it said could lead to “uncertainty and many open questions.” This clause is unnecessary, Insurance Europe argued, given the requirements under DORA are already “more detailed and more extensive than those found under the NIS Directive.”
It also called for the minimum harmonisation clause in article three of NIS2 to be clarified to make it clear that the cybersecurity of European insurers will only be harmonised at the level of the DORA. “This will provide the necessary legal certainty to insurers by ensuring that member states do not add additional sectors, subsectors or types of entities to Annexes I and II,” it said.
Insurance Europe also called for Europe’s regulatory authorities and re/insurance companies to do more to improve data sharing, to ensure stakeholders have access to accurate cyber-incident data. “The data that is publicly available at EU level is currently very limited,” it warned.
“The NIS2 proposal offers an opportunity to foster greater transparency about cyber-related incidents by making anonymised incident data available for use by the cyber re/insurance underwriting community, thus contributing to increasing the overall cyber resilience of the EU,” it added.
Insurance Europe also highlighted significant differences between how countries report cyber incidents, and welcomed references in the NIS2 proposal to the possible role of ENISA in issuing technical guidance. This would be a necessary first step towards more harmonisation of cyber reporting in the EU, it said.
Did you get value from this story? Sign up to our free daily newsletters and get stories like this sent straight to your inbox.
Already registered?
Login to your account
If you don't have a login or your access has expired, you will need to purchase a subscription to gain access to this article, including all our online content.
For more information on individual annual subscriptions for full paid access and corporate subscription options please contact us.
To request a FREE 2-week trial subscription, please signup.
NOTE - this can take up to 48hrs to be approved.
For multi-user price options, or to check if your company has an existing subscription that we can add you to for FREE, please email Elliot Field at efield@newtonmedia.co.uk or Adrian Tapping at atapping@newtonmedia.co.uk
Editor's picks
Editor's picks
More articles
Copyright © intelligentinsurer.com 2024 | Headless Content Management with Blaze