Insurers call for unified EU cyber reporting in CSA consultation

Organisation urges harmonisation to ease overlapping mandates

By Kenneth Araullo

Insurance Europe has issued a response supporting the European Commission’s review of the Cybersecurity Act (CSA), backing the stated aims of reducing administrative burdens, simplifying regulation, and promoting a proportionate, risk-based approach to cyber risk management.

The Commission launched the CSA review in April 2025 amid growing concerns over the evolving nature of cyber threats and rapid developments in digital technologies. The review will examine the scope of ENISA’s mandate, assess the European Cybersecurity Certification Framework, and consider approaches to managing security risks in the ICT supply chain.

In its submission to the Commission’s consultation, Insurance Europe indicated that the European insurance sector supports initiatives to streamline cybersecurity reporting processes and eliminate duplication.

It noted that the introduction of the Digital Operational Resilience Act (DORA) has already imposed new compliance responsibilities on insurers, contributing to a broader increase in regulatory reporting obligations.

The insurance industry continues to operate within a complex and often fragmented legal environment. In addition to DORA, companies are subject to the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Artificial Intelligence Act, and, in some instances, the Cyber Resilience Act.

According to Insurance Europe, this results in cases where the same incident must be reported to multiple authorities, often under different timelines and requirements.

Insurance Europe is calling for greater alignment and coordination in regulatory oversight. The organisation is advocating for uniform reporting formats across EU jurisdictions, minimisation of overlapping requirements between DORA supervisors and ENISA, and clearer guidance for member states to avoid the proliferation of conflicting national regimes.

The industry body also emphasised the need for legal and supervisory consistency across the bloc. It noted that in several jurisdictions, national-level guidelines remain in effect despite being overtaken by more recent EU legislation. This is especially problematic for cross-border firms navigating regulatory inconsistencies.

In its comments on ENISA’s future role, Insurance Europe said that any expansion of the agency’s mandate must be accompanied by increased transparency and improved mechanisms for stakeholder engagement. The group stated that broader consultation and clearer oversight will be necessary to ensure that ENISA’s processes are aligned with the needs of the industry.

In a related publication, Insurance Europe has underlined the insurance sector’s role in building EU cyber resilience. It referenced recent market analysis showing that the global cyber insurance market grew from an estimated US$5.9 billion in 2019 to US$14 billion by 2023.

Despite this expansion, the association highlighted a persistent gap in cyber protection, with underinsurance remaining widespread. The publication suggested that insurers are in a position to close this gap by enhancing both coverage availability and client awareness.
