Whitepaper on the NIS2 Law

Cyber Insurance and Compliance: What SMEs Really Need to Fulfill Today

The Most Important Key Takeaways at a Glance:
- No blank check: A cyber insurance policy only covers you if the contractually agreed IT minimum standards were verifiably active at the exact moment of the attack.
- MFA and backups are mandatory: Without comprehensive multi-factor authentication and ransomware-proof backups (immutable storage), most insurers will reject applications immediately.
- NIS2 as the new benchmark: Since the full entry into force of NIS2, insurers have increasingly been using statutory requirements as a standard checklist for general insurability.
- Risk of performance refusal: Incorrect or glossed-over information in the questionnaire constitutes a breach of obligations. In the event of a claim, drastic reductions or even the complete loss of insurance coverage threaten – depending on the severity of the fault.
Cyber Insurance Only in Exchange for Something: What Do SMEs Have to Fulfill to Remain Insurable at All?
The days when a cyber insurance policy could pass as a digital blank check are over. In light of exploding damages and stricter regulations like NIS2, the following applies today: A policy does not replace IT compliance; it mandatorily requires it. Anyone who cannot seamlessly prove fundamental minimum standards, such as multi-factor authentication (MFA) or ransomware-proof backups, will come away empty-handed – or risks their entire insurance coverage in an emergency.
This article shows you which hurdles SMEs must overcome now, where the pitfalls in documentation lie, and how to optimally prepare your company for the insurers' audit check.
Why Compliance is Mandatory for Cyber Insurance
Cyber insurance is not a blank check for negligence in IT security. The times when a policy could be concluded after filling out a three-line form are definitively over. Today, insurers vehemently demand that risks be minimized internally and that compliance requirements be seamlessly implemented before a contract can even be established.
The principle behind it is simple: The better a company manages its IT risks, the lower the risk of damage for the insurer. Small and medium-sized enterprises (SMEs) in particular, which often have no dedicated internal IT security resources, face the challenge of proving their cybersecurity in a systematic, transparent, and documented manner. The urgency of the situation is underscored by data from the German Insurance Association (GDV), which shows that around 80 percent of all cyberattacks now target SMEs, which is why insurers are significantly tightening their prevention requirements.
Why market requirements are rising drastically:
- Significantly professionalized ransomware attacks and more complex attack vectors.
- Drastically increased claim amounts due to business interruptions and extortion payments.
- The final implementation of the European NIS2 Directive, which reorganizes liability issues.
- The legitimate desire of insurers to keep the risk in their portfolios mathematically calculable.
Typical Minimum Prerequisites for Insurance Coverage
To even receive an offer from a cyber insurer or to renew an existing policy, SMEs must prove defined minimum standards. These serve as a technical protective wall against avoidable security gaps.
Indispensable standards include:
- Comprehensive Multi-Factor Authentication (MFA): Mandatory for all administrative accounts, remote access (VPN), and critical cloud systems.
- Ransomware-proof backups: Regular data backups protected against encryption using the "air-gapped" principle (offline) or stored on unalterable storage media (immutable storage).
- Documented Incident Response Plan: A clear emergency plan describing the exact behavior and reporting cascades during a cyber incident.
- Regular employee training: Verifiable awareness measures (e.g., phishing simulations) for the entire workforce.
The Role of NIS2 and ISO 27001 in Insurability
The European cybersecurity directive NIS2 has permanently changed the foundation of IT compliance. Many insurers directly include the applicant's NIS2 status in their risk assessment. If your SME belongs to the regulated sectors or acts as a critical supplier in the network of a large corporation, the rule is: Without verifiable NIS2 compliance, you are simply uninsurable on the market.
The best proof for the insurer is an established Information Security Management System (ISMS). Companies that align themselves with or are certified according to ISO 27001 can massively shorten the application process. Alignment with this standard provides insurers with the foundation they need for risk-adjusted pricing.
Essential Technical and Organizational Measures (TOMs)
Proving IT security involves defining and implementing concrete technical and organizational measures (TOMs). These must not just exist on paper; they must be lived out in daily digital operations.
In addition to firewalls and endpoint detection and response (EDR) software, insurers primarily demand proactive patch management. Known security vulnerabilities in operating systems or software applications must be verifiably closed within defined periods (often within 14 days of the patch's release).
Proof Requirements and Documentation: The Audit Check
The biggest hurdle for SMEs in the application process is not the technology itself, but the burden of proof. Insurers are no longer satisfied with simple "Yes/No" checkmarks in a questionnaire. They demand hard evidence in the event of a claim or during the application review.
Requested documents in the insurance audit:
- A documented, up-to-date IT risk analysis of the company.
- Written emergency plans and documented restore tests of the backups.
- Logs and participant lists of the conducted employee training sessions.
- Technical reports from vulnerability management.
Practical Tip: Cleanly documenting training sessions, risk analyses, and guidelines ties up immense resources in SMEs. Anyone who improvises here risks everything in the event of a claim. To master this bureaucratic effort in a legally compliant manner, modern businesses rely on digital platforms like heyData. heyData bundles data protection and compliance requirements centrally in one software, automates training proofs, and ensures that all reports necessary for the insurance auditor are available at the touch of a button.
The Hard Consequences of Incorrect Information
Anyone who cheats on the security questions in the insurance application or conceals outdated systems commits a breach of obligations. Following a successful hack, cyber insurers immediately send specialized IT forensics experts into your company.
If these experts determine that the security measures confirmed in the application (such as comprehensive MFA) were not active or only partially active in reality, drastic consequences threaten under the Insurance Contracts Act (VVG):
- From drastic reduction to total loss: In cases of gross negligence, the insurer may noticeably reduce the payout. In cases of intentional misrepresentation (malicious intent), the complete loss of insurance coverage threatens.
- Reclamation of services: Immediate assistance already paid out (e.g., for crisis consultants or IT forensics) must be paid back.
- Personal liability: For managing directors, incomplete information in the application can lead to personal liability due to a breach of corporate duty of care.
Cyber Insurance as a Driver for Structured IT Compliance
Companies should not view the strict requirements of insurers as harassment, but rather as a business case. Today, cyber insurance acts as a strong catalyst to get your own IT compliance up to scratch.
The benefits of this structured approach go far beyond mere insurance coverage:
- Premium reduction: Verifiably excellent IT compliance reduces risk and drastically lowers your annual insurance premiums.
- Protection against ruin: A perfectly implemented backup concept prevents weeks of business interruptions, which would mean financial ruin for many SMEs.
- Competitive advantage: Companies that have documented their IT compliance for insurance can immediately use these proofs to win the trust of large corporate clients in B2B tenders.
Practical Tips for Preparing for the Insurance Application
Use this roadmap to be optimally prepared when entering negotiations with the cyber insurer:
- Take stock: Check the status of your technical baseline (Is MFA active everywhere? Are backups physically disconnected from the network?).
- Update risk analysis: Keep a written overview of your critical data flows ready.
- Test incident response plan: Simulate an incident. Does every employee know who is allowed to shut down IT systems in an emergency?
- Bundle training proofs: Ensure that certificates and completion rates for security awareness training are fully available.
- Maintain transparency: Communicate planned but not yet implemented IT projects openly in the application. Many insurers grant fixed remediation periods.
Conclusion
In 2026, cyber insurance is the mandatory safety net for residual risk – however, it never replaces a sound IT compliance system. A policy requires that the homework in the field of information security has verifiably been done. Multi-factor authentication, unalterable backups, and active incident response processes are the admission ticket to affordable rates. Those who use cyber insurance as an opportunity to document their compliance structures digitally and cleanly not only protect their SME from existential damage caused by attackers, but also position themselves to be future-proof for all upcoming regulatory audits.
FAQ
Can an insurance company refuse to pay if I don't have MFA?
Yes, under certain conditions. If you stated in the questionnaire that MFA is active, but it was verifiably missing during the attack, this constitutes a breach of obligations. If the lack of MFA was a contributing cause of the hack, the insurer can massively reduce the payment depending on the degree of fault, or completely refuse payment in the case of deliberate deception.
Does the NIS2 Directive also apply to small craft businesses or local SMEs?
As a rule, micro and small enterprises with fewer than 50 employees and less than 10 million euros in annual turnover are exempt from NIS2 obligations, provided they do not operate in critical special sectors. However, they are coming under pressure through the supply chain: Large B2B customers increasingly demand compliance with NIS2 standards contractually from all their suppliers – and cyber insurers are adopting this standard across the board as well.
Is a simple automatic cloud backup sufficient for the insurance company?
No. Modern ransomware infects and encrypts all connected network drives and synchronized standard cloud storage during the attack. Insurers therefore explicitly demand "immutable storage" (unalterable data storage) or real "offline backups" that are physically and logically separated from the primary corporate network.
How often do employees need to be verifiably trained?
The vast majority of cyber insurers require IT security and phishing training to be conducted at least annually for the entire workforce. Ideally, these are supplemented by continuous, simulated phishing emails during daily operations.
What happens if I can only implement a required technical measure next month?
This must be declared openly and transparently in the application. For minor deficits, many insurers grant fixed "remediation periods" (e.g., 30 days). In most cases, provisional insurance coverage then already exists, but it expires retroactively if proof of successful implementation is not provided within the deadline.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.


